diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json
new file mode 100644
index 0000000000..b0c989db52
--- /dev/null
+++ b/eslzArm/eslz-portal.json
@@ -0,0 +1,2271 @@
+{
+ "$schema": "",
+ "view": {
+ "kind": "Form",
+ "properties": {
+ "title": "Enterprise-Scale Landing Zones",
+ "steps": [
+ {
+ "name": "basics",
+ "label": "Deployment location",
+ "elements": [
+ {
+ "name": "resourceScope",
+ "type": "Microsoft.Common.ResourceScope"
+ }
+ ]
+ },
+ {
+ "name": "lzSettings",
+ "label": "Enterprise-Scale core setup",
+ "subLabel": {
+ "preValidation": "Provide a company prefix for the management group structure that will be created.",
+ "postValidation": "Done"
+ },
+ "bladeTitle": "Company prefix",
+ "elements": [
+ {
+ "name": "info",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": true,
+ "options": {
+ "text": "Enterprise-Scale ARM deployment requires access at the tenant root (/) scope. Visit this link to ensure you have the appropriate RBAC permission to complete the deployment",
+ "uri": "https://docs.microsoft.com/azure/role-based-access-control/elevate-access-global-admin",
+ "style": "Info"
+ }
+ },
+ {
+ "name": "mgmtGroup",
+ "type": "Microsoft.Common.TextBlock",
+ "visible": true,
+ "options": {
+ "text": "Enterprise-Scale will create the management group hierarchy under the Tenant Root Group with the prefix provided at this step.",
+ "link": {
+ "label": "Learn more",
+ "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/management-group-and-subscription-organization"
+ }
+ }
+ },
+ {
+ "name": "esMgmtGroup",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Management Group prefix",
+ "toolTip": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of Enterprise-scale.",
+ "defaultValue": "",
+ "constraints": {
+ "required": true,
+ "regex": "^[a-z0-9A-Z-]{1,10}$",
+ "validationMessage": "The prefix must be 1-10 characters."
+ }
+ },
+ {
+ "name": "subOrgsOption",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Select dedicated subscriptions or single subscription for platform resources",
+ "defaultValue": "Dedicated (recommended)",
+ "toolTip": "If 'Yes' is selected when also adding a subscription for management, ARM will deploy resources and enable them for continious compliance.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Dedicated (recommended)",
+ "value": "Dedicated"
+ },
+ {
+ "label": "Single",
+ "value": "Single"
+ }
+ ]
+ },
+ "visible": true
+ },
+ {
+ "name": "esSingleSubSection",
+ "type": "Microsoft.Common.Section",
+ "label": "Single platform subscription",
+ "elements": [
+ {
+ "name": "subWarning",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": true,
+ "options": {
+ "icon": "Warning",
+ "text": "Dedicated subscriptions are recommended for the various platform components to ensure scale, sustainability, and segregation of duties. However, a single subscription can also be used in case this is not a concern (e.g., small enterprises).",
+ "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/management-group-and-subscription-organization"
+ }
+ },
+ {
+ "name": "singleSubText",
+ "type": "Microsoft.Common.TextBlock",
+ "visible": true,
+ "options": {
+ "text": "Select the dedicated, single subscription that will be used for all platform resources during deployment, for security, logging, connectivity, and identity."
+ }
+ },
+ {
+ "type":"Microsoft.Common.SubscriptionSelector",
+ "name": "esSingleSub",
+ "label": "Single platform subscription"
+ }
+ ],
+ "visible": "[equals(steps('lzSettings').subOrgsOption, 'Single')]"
+ }
+ ]
+ },
+ {
+ "name": "esGoalState",
+ "label": "Platform management, security, and governance",
+ "subLabel": {
+ "preValidation": "",
+ "postValidation": ""
+ },
+ "bladeTitle": "lzGs",
+ "elements": [
+ {
+ "name": "multiPlatformMgmtSub",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": "[not(equals(steps('lzSettings').subOrgsOption, 'Single'))]",
+ "options": {
+ "text": "To enable platform management, security and governance, you must allocate a management Subscription. Please note, this Subscription will be moved to the platform Management Group, and ARM will deploy a Log Analytics workspace and requisite settings. We recommend using a new Subscription with no existing resources. Note that Azure Policy will be used to govern the configuration for the platform at scale.",
+ "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/management-and-monitoring",
+ "style": "Info"
+ }
+ },
+ {
+ "name": "singlePlatformMgmtSub",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": "[equals(steps('lzSettings').subOrgsOption, 'Single')]",
+ "options": {
+ "text": "To enable platform management, security and governance, you can configure core infra such as Log Analytics, Azure Security Center and additional monitoring solutions to your dedicated platform subscription. Note that Azure Policy will be used to govern the configuration for the platform at scale.",
+ "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/management-and-monitoring",
+ "style": "Info"
+ }
+ },
+ {
+ "name": "esLogAnalytics",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Deploy Log Analytics workspace and enable monitoring for your platform and resources",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected when also adding a subscription for management, ARM will deploy resources and enable them for continious compliance.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": true
+ },
+ {
+ "name": "esLogRetention",
+ "type": "Microsoft.Common.Slider",
+ "min": 30,
+ "max": 730,
+ "label": "Log Analytics Data Retention (days)",
+ "subLabel": "Days",
+ "defaultValue": 30,
+ "showStepMarkers": false,
+ "toolTip": "Select retention days for Azure logs. Default is 30 days.",
+ "constraints": {
+ "required": false
+ },
+ "visible": "[equals(steps('esGoalState').esLogAnalytics,'Yes')]"
+ },
+ {
+ "name": "esMgmtSubSection",
+ "type": "Microsoft.Common.Section",
+ "label": "Management subscription",
+ "elements": [
+ {
+ "type":"Microsoft.Common.SubscriptionSelector",
+ "name": "esMgmtSub",
+ "label": "Management subscription"
+ }
+ ],
+ "visible": "[and(equals(steps('esGoalState').esLogAnalytics, 'Yes'), not(equals(steps('lzSettings').subOrgsOption, 'Single')))]"
+ },
+ {
+ "name": "monitoring",
+ "type": "Microsoft.Common.TextBlock",
+ "visible": "[equals(steps('esGoalState').esLogAnalytics,'Yes')]",
+ "options": {
+ "text": "Select which Azure Monitor solutions you will enable for your Log Analytics workspace",
+ "link": {
+ "label": "Learn more",
+ "uri": "https://docs.microsoft.com/azure/azure-monitor/insights/solutions"
+ }
+ }
+ },
+ {
+ "name": "esAgentSolution",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Deploy Agent Health solution",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected when also adding a subscription for management, ARM will deploy resources and enable them for continous compliance",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": "[equals(steps('esGoalState').esLogAnalytics,'Yes')]"
+ },
+ {
+ "name": "esChangeTracking",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Deploy Change Tracking solution",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected when also adding a subscription for management, ARM will deploy resources and enable them for continous compliance",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": "[equals(steps('esGoalState').esLogAnalytics,'Yes')]"
+ },
+ {
+ "name": "esUpdateMgmt",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Deploy Update Management solution",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected when also adding a subscription for management, ARM will deploy resources and enable them for continous compliance",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": "[equals(steps('esGoalState').esLogAnalytics,'Yes')]"
+ },
+ {
+ "name": "esActivityLog",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Deploy Activity Log solution",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected when also adding a subscription for management, ARM will deploy resources and enable them for continous compliance",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": "[equals(steps('esGoalState').esLogAnalytics,'Yes')]"
+ },
+ {
+ "name": "esVmInsights",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Deploy VM Insights solution",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected when also adding a subscription for management, ARM will deploy resources and enable them for continous compliance",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": "[equals(steps('esGoalState').esLogAnalytics,'Yes')]"
+ },
+ {
+ "name": "esServiceMap",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Deploy Service Map solution",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected when also adding a subscription for management, ARM will deploy resources and enable them for continous compliance",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": "[equals(steps('esGoalState').esLogAnalytics,'Yes')]"
+ },
+ {
+ "name": "esSqlAssessment",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Deploy SQL Assessment solution",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected when also adding a subscription for management, ARM will deploy resources and enable them for continous compliance",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": "[equals(steps('esGoalState').esLogAnalytics,'Yes')]"
+ },
+ {
+ "name": "textBlock0",
+ "type": "Microsoft.Common.TextBlock",
+ "visible": "[equals(steps('esGoalState').esLogAnalytics,'Yes')]",
+ "options": {
+ "text": "Select which Azure Security solutions you will enable.",
+ "link": {
+ "label": "Learn more",
+ "uri": "https://docs.microsoft.com/azure/security/fundamentals/overview"
+ }
+ }
+ },
+ {
+ "name": "esAsc",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Deploy Azure Security Center and enable security monitoring for your platform and resources",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected when also adding a subscription for management, ARM will deploy resources and enable them for continous compliance",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": "[equals(steps('esGoalState').esLogAnalytics,'Yes')]"
+ },
+ {
+ "name": "esAscEmail",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Azure Security Center Email Contact",
+ "toolTip": "Email address to get email notifications from Azure Security Center",
+ "visible": "[equals(steps('esGoalState').esAsc,'Yes')]",
+ "defaultValue": "",
+ "constraints": {
+ "required": "[equals(steps('esGoalState').esAsc,'Yes')]",
+ "regex": "^[\\w-\\.]+@([\\w-]+\\.)+[\\w-]{2,4}$",
+ "validationMessage": "Please provide a valid email address"
+ }
+ },
+ {
+ "name": "esAscVms",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Enable Azure Defender for servers",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected, Azure Defender will be enabled for all servers.",
+ "visible": "[equals(steps('esGoalState').esAsc,'Yes')]",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Standard"
+ },
+ {
+ "label": "No, Azure Defender Off",
+ "value": "Free"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esAscApps",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Enable Azure Defender for AppServices",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected, Azure Defender will be enabled for AppServices.",
+ "visible": "[equals(steps('esGoalState').esAsc,'Yes')]",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Standard"
+ },
+ {
+ "label": "No, Azure Defender Off",
+ "value": "Free"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esAscStorage",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Enable Azure Defender for Storage",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected, Azure Defender will be enabled for Storage.",
+ "visible": "[equals(steps('esGoalState').esAsc,'Yes')]",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Standard"
+ },
+ {
+ "label": "No, Azure Defender Off",
+ "value": "Free"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esAscSql",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Enable Azure Defender for Azure SQL Database",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected, Azure Defender will be enabled for Azure SQL Database.",
+ "visible": "[equals(steps('esGoalState').esAsc,'Yes')]",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Standard"
+ },
+ {
+ "label": "No, Azure Defender Off",
+ "value": "Free"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esAscSqlOnVm",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Enable Azure Defender for SQL servers on machines",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected, Azure Defender will be enabled for SQL servers on machines.",
+ "visible": "[equals(steps('esGoalState').esAsc,'Yes')]",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Standard"
+ },
+ {
+ "label": "No, Azure Defender Off",
+ "value": "Free"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esAscKeyVault",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Enable Azure Defender for Key Vault",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected, Azure Defender will be enabled for Key Vault.",
+ "visible": "[equals(steps('esGoalState').esAsc,'Yes')]",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Standard"
+ },
+ {
+ "label": "No, Azure Defender Off",
+ "value": "Free"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esAscArm",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Enable Azure Defender for Azure Resource Manager",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected, Azure Defender will be enabled for Resource Manager.",
+ "visible": "[equals(steps('esGoalState').esAsc,'Yes')]",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Standard"
+ },
+ {
+ "label": "No, Azure Defender Off",
+ "value": "Free"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esAscDns",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Enable Azure Defender for DNS",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected, Azure Defender will be enabled for DNS.",
+ "visible": "[equals(steps('esGoalState').esAsc,'Yes')]",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Standard"
+ },
+ {
+ "label": "No, Azure Defender Off",
+ "value": "Free"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esAscKubernetes",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Enable Azure Defender for Kubernetes",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected, Azure Defender will be enabled for Kubernetes.",
+ "visible": "[equals(steps('esGoalState').esAsc,'Yes')]",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Standard"
+ },
+ {
+ "label": "No, Azure Defender Off",
+ "value": "Free"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esAscRegistries",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Enable Azure Defender for Container registries",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected, Azure Defender will be enabled for Container registries.",
+ "visible": "[equals(steps('esGoalState').esAsc,'Yes')]",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Standard"
+ },
+ {
+ "label": "No, Azure Defender Off",
+ "value": "Free"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esSecuritySolution",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Deploy Azure Sentinel",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected when also adding a subscription for management, ARM will deploy resources and enable them for continous compliance",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": "[equals(steps('esGoalState').esLogAnalytics,'Yes')]"
+ }
+ ]
+ },
+ {
+ "name": "lzDevOps",
+ "label": "Platform DevOps and automation",
+ "subLabel": {},
+ "bladeTitle": "lz Dev Ops",
+ "elements": [
+ {
+ "name": "info",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": "[or(not(empty(steps('esGoalState').esMgmtSubSection.esMgmtSub)), not(empty(steps('lzSettings').esSingleSubSection.esSingleSub)))]",
+ "options": {
+ "text": "Enterprise-Scale provides an integrated CICD pipeline via AzOps that can be used with either GitHub Actions or Azure DevOps pipelines.",
+ "uri": "https://github.com/azure/azops-accelerator/wiki/introduction",
+ "style": "Info"
+ }
+ },
+ {
+ "name": "correction",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": "[and(equals(steps('esGoalState').esLogAnalytics, 'No'), not(equals(steps('lzSettings').subOrgsOption, 'Single')))]",
+ "options": {
+ "text": "Enterprise-Scale provides an integrated CICD pipeline via AzOps that can be used with either GitHub Actions or Azure DevOps pipelines, but requires a dedicated subscription for platform management in the previous step. Please add a subscription or continue without setting up the CICD integration.",
+ "uri": "https://github.com/azure/azops-accelerator/wiki/introduction",
+ "style": "Warning"
+ }
+ },
+ {
+ "name": "cicdOption",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Deploy integrated CICD pipeline?",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ],
+ "required": true
+ },
+ "visible": "[or(not(empty(steps('esGoalState').esMgmtSubSection.esMgmtSub)), not(empty(steps('lzSettings').esSingleSubSection.esSingleSub)))]"
+ },
+ {
+ "name": "Instructions",
+ "type": "Microsoft.Common.TextBlock",
+ "visible": "[equals(steps('lzDevOps').cicdOption,'Yes')]",
+ "options": {
+ "text": "Provide the credentials to initialize the repository with the ARM templates for Enterprise-Scale.",
+ "link": {
+ "label": "Learn more",
+ "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/management-group-and-subscription-organization"
+ }
+ }
+ },
+ {
+ "name": "optionsGroup1",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Select CICD option",
+ "defaultValue": "GitHub Actions",
+ "toolTip": "Enterprise-Scale will provide options for both GitHub Actions and Azure DevOps pipelines. For now, only GitHub Actions is available",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "GitHub Actions",
+ "value": "actions"
+ }
+ ],
+ "required": true
+ },
+ "visible": "[equals(steps('lzDevOps').cicdOption,'Yes')]"
+ },
+ {
+ "name": "esGit",
+ "type": "Microsoft.Common.TextBox",
+ "label": "GitHub organization or username",
+ "toolTip": "Provide Git org/username.",
+ "visible": "[equals(steps('lzDevOps').cicdOption,'Yes')]",
+ "defaultValue": "",
+ "constraints": {
+ "required": true,
+ "regex": "^[a-z0-9A-Z-]{1,39}$",
+ "validationMessage": "The GitHub org/username must be 1-39 characters."
+ }
+ },
+ {
+ "name": "esGitRepoName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "New GitHub repository name",
+ "toolTip": "Provide a name for the new repository that will be created",
+ "defaultValue": "",
+ "visible": "[equals(steps('lzDevOps').cicdOption,'Yes')]",
+ "placeholder": "",
+ "constraints": {
+ "required": true,
+ "regex": "^[a-z0-9A-Z-]{1,100}$",
+ "validationMessage": "The repository name must be 1-100 characters."
+ }
+ },
+ {
+ "name": "esPaToken",
+ "type": "Microsoft.Common.PasswordBox",
+ "label": {
+ "password": "GitHub personal access token",
+ "confirmPassword": "Confirm PA Token"
+ },
+ "toolTip": "Provide the personal access token to access your GitHub account or organization. For more information see this link: https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token",
+ "constraints": {
+ "required": true,
+ "validationMessage": "Password must be at least 8 characters long, contain only numbers and letters"
+ },
+ "options": {
+ "hideConfirmation": true
+ },
+ "visible": "[equals(steps('lzDevOps').cicdOption,'Yes')]"
+ },
+ {
+ "name": "spnSection",
+ "type": "Microsoft.Common.Section",
+ "label": "",
+ "elements": [
+ {
+ "name": "esServicePrincipal",
+ "type": "Microsoft.Common.ServicePrincipalSelector",
+ "visible": "[equals(steps('lzDevOps').cicdOption,'Yes')]",
+ "label": {
+ "password": "Password",
+ "certificateThumbprint": "Certificate thumbprint",
+ "authenticationType": "Authentication Type",
+ "sectionHeader": "Service Principal"
+ },
+ "toolTip": {
+ "password": "Provide the application secret as it will be used to authenticate with Azure AD",
+ "certificateThumbprint": "Certificate thumbprint",
+ "authenticationType": "Authentication Type"
+ },
+ "defaultValue": {
+ "principalId": "",
+ "name": ""
+ },
+ "constraints": {
+ "required": true
+ },
+ "options": {
+ "hideCertificate": true
+ }
+ }
+ ],
+ "visible": "[equals(steps('lzDevOps').cicdOption,'Yes')]"
+ }
+ ]
+ },
+ {
+ "name": "esConnectivityGoalState",
+ "label": "Network topology and connectivity",
+ "subLabel": {
+ "preValidation": "",
+ "postValidation": ""
+ },
+ "bladeTitle": "lzGs",
+ "elements": [
+ {
+ "name": "multiPlatformConnectivitySub",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": "[not(equals(steps('lzSettings').subOrgsOption, 'Single'))]",
+ "options": {
+ "text": "To enable network topology and connectivity, you must allocate a dedicated connectivity Subscription. Please note, this Subscription will be moved to the connectivity Management Group, and ARM will deploy the first hub virtual network for either a hub and spoke or Virtual WAN network topology. Additional networking platform resources such as gateways or Azure Firewall can be deployed. We recommend using a new dedicated Subscription with no existing resources.",
+ "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/define-an-azure-network-topology",
+ "style": "Info"
+ }
+ },
+ {
+ "name": "singlePlatformConnectivitySub",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": "[equals(steps('lzSettings').subOrgsOption, 'Single')]",
+ "options": {
+ "text": "To enable network topology and connectivity, you can select the preferred networking topology, and deploy this into the dedicated platform subscription. Additional networking platform resources such as gateways or Azure Firewall can also be deployed.",
+ "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/define-an-azure-network-topology",
+ "style": "Info"
+ }
+ },
+ {
+ "name": "esHub",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Deploy networking topology",
+ "defaultValue": "No",
+ "toolTip": "Select the preferred network topology. If third-party NVA is a requirement, you must deploy this into the connectivity subscription post the deployment.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Hub and spoke with Azure Firewall",
+ "value": "vhub"
+ },
+ {
+ "label": "Hub and spoke with your own third-party NVA",
+ "value": "nva"
+ },
+ {
+ "label": "Virtual WAN (Microsoft managed)",
+ "value": "vwan"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": true
+ },
+ {
+ "name": "esNwSubSection",
+ "type": "Microsoft.Common.Section",
+ "label": "Connectivity subscription",
+ "elements": [
+ {
+ "type":"Microsoft.Common.SubscriptionSelector",
+ "name": "esNwSub",
+ "label": "Connectivity subscription"
+ }
+ ],
+ "visible": "[and(not(equals(steps('esConnectivityGoalState').esHub, 'No')), not(equals(steps('lzSettings').subOrgsOption, 'Single')))]"
+ },
+ {
+ "name": "esAddressHub",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Address space (required for hub virtual hub)",
+ "toolTip": "Provide address prefix in CIDR notation (e.g 10.100.0.0/16)",
+ "defaultValue": "10.100.0.0/16",
+ "visible": "[not(equals(steps('esConnectivityGoalState').esHub, 'No'))]",
+ "constraints": {
+ "required": true,
+ "validationMessage": "The virtual hubs network's address space, specified as one address prefixes in CIDR notation (e.g. 192.168.1.0/24)"
+ }
+ },
+ {
+ "name": "esLocationsApi",
+ "type": "Microsoft.Solutions.ArmApiControl",
+ "request": {
+ "method": "GET",
+ "path": "locations?api-version=2019-11-01"
+ }
+ },
+ {
+ "name": "esNwLocation",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Region for the first virtual network hub",
+ "filter": true,
+ "toolTip": "Select the target region for you connectivity deployment (requires you to provide a subscriptionId for connectivity)",
+ "constraints": {
+ "allowedValues": "[map(steps('esConnectivityGoalState').esLocationsApi.value,(item) => parse(concat('{\"label\":\"',item.displayName,'\",\"value\":\"',item.name,'\"}')))]",
+ "required": true
+ },
+ "visible": "[not(equals(steps('esConnectivityGoalState').esHub, 'No'))]"
+ },
+ {
+ "name": "esDdoS",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Enable DDoS Protection Standard",
+ "defaultValue": "Yes (recommended)",
+ "visible": "[not(equals(steps('esConnectivityGoalState').esHub, 'No'))]",
+ "toolTip": "If 'Yes' is selected when also adding a connectivity subscription, DDoS Protection Standard will be enabled.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esPrivateDns",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Create Private DNS Zones for Azure PaaS services",
+ "defaultValue": "Yes (recommended)",
+ "visible": "[or(equals(steps('esConnectivityGoalState').esHub, 'vhub'), equals(steps('esConnectivityGoalState').esHub, 'nva'))]",
+ "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will create Private DNS Zones for Azure PaaS services",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esVpnGw",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Deploy VPN Gateway",
+ "defaultValue": "No",
+ "visible": "[not(equals(steps('esConnectivityGoalState').esHub, 'No'))]",
+ "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy VPN gateway",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esGwRegionalOrAz",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Deploy zone redundant or regional VPN Gateway",
+ "defaultValue": "Zone redundant (recommended)",
+ "visible": "[and(and(equals(steps('esConnectivityGoalState').esVpnGw,'Yes'), not(equals(steps('esConnectivityGoalState').esHub, 'vwan'))), equals(steps('esConnectivityGoalState').esVpnGw,'Yes'),or(or(or(or(or(or(or(or(equals(steps('esConnectivityGoalState').esNwLocation,'canadacentral'),equals(steps('esConnectivityGoalState').esNwLocation,'centralus')),equals(steps('esConnectivityGoalState').esNwLocation,'eastus'),equals(steps('esConnectivityGoalState').esNwLocation,'eastus2')),equals(steps('esConnectivityGoalState').esNwLocation,'southcentralus'),equals(steps('esConnectivityGoalState').esNwLocation,'westus2')),equals(steps('esConnectivityGoalState').esNwLocation,'francecentral'),equals(steps('esConnectivityGoalState').esNwLocation,'germanywestcentral')),equals(steps('esConnectivityGoalState').esNwLocation,'northeurope'),equals(steps('esConnectivityGoalState').esNwLocation,'westeurope')),equals(steps('esConnectivityGoalState').esNwLocation,'uksouth'),equals(steps('esConnectivityGoalState').esNwLocation,'southafricanorth')),equals(steps('esConnectivityGoalState').esNwLocation,'japaneast'),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia')),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia'),equals(steps('esConnectivityGoalState').esNwLocation,'australiaeast')))]",
+ "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy Virtual Gateway to the selected region and availability zones.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Zone redundant (recommended)",
+ "value": "Zone"
+ },
+ {
+ "label": "Regional",
+ "value": "Regional"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esGwNoAzSku",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Select the VPN Gateway SKU",
+ "defaultValue": "",
+ "multiselect": false,
+ "selectAll": false,
+ "filter": false,
+ "multiLine": true,
+ "visible": "[and(and(equals(steps('esConnectivityGoalState').esVpnGw, 'Yes'), not(equals(steps('esConnectivityGoalState').esHub, 'vwan'))), equals(steps('esConnectivityGoalState').esVpnGw,'Yes'), not(or(or(or(or(or(or(or(or(equals(steps('esConnectivityGoalState').esNwLocation,'canadacentral'),equals(steps('esConnectivityGoalState').esNwLocation,'centralus')),equals(steps('esConnectivityGoalState').esNwLocation,'eastus'),equals(steps('esConnectivityGoalState').esNwLocation,'eastus2')),equals(steps('esConnectivityGoalState').esNwLocation,'southcentralus'),equals(steps('esConnectivityGoalState').esNwLocation,'westus2')),equals(steps('esConnectivityGoalState').esNwLocation,'francecentral'),equals(steps('esConnectivityGoalState').esNwLocation,'germanywestcentral')),equals(steps('esConnectivityGoalState').esNwLocation,'northeurope'),equals(steps('esConnectivityGoalState').esNwLocation,'westeurope')),equals(steps('esConnectivityGoalState').esNwLocation,'uksouth'),equals(steps('esConnectivityGoalState').esNwLocation,'southafricanorth')),equals(steps('esConnectivityGoalState').esNwLocation,'japaneast'),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia')),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia'),equals(steps('esConnectivityGoalState').esNwLocation,'australiaeast'))))]",
+ "toolTip": "Select the required SKU for the VPN gateway.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "VpnGw2",
+ "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 500 IKEv2/OpenVPN connections, aggregate throughput is 1.25 Gbps",
+ "value": "VpnGw2"
+ },
+ {
+ "label": "VpnGw3",
+ "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 1000 IKEv2/OpenVPN connections, aggregate throughput is 2.5 Gbps",
+ "value": "VpnGw3"
+ },
+ {
+ "label": "VpnGw4",
+ "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 5000 IKEv2/OpenVPN connections, aggregate throughput is 5 Gbps",
+ "value": "VpnGw4"
+ },
+ {
+ "label": "VpnGw5",
+ "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 10000 IKEv2/OpenVPN connections, aggregate throughput is 10 Gbps",
+ "value": "VpnGw5"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esGwAzSku",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Select the VPN Gateway SKU",
+ "defaultValue": "",
+ "multiselect": false,
+ "selectAll": false,
+ "filter": false,
+ "multiLine": true,
+ "visible": "[and(and(equals(steps('esConnectivityGoalState').esVpnGw, 'Yes'), not(equals(steps('esConnectivityGoalState').esHub, 'vwan'))), equals(steps('esConnectivityGoalState').esVpnGw,'Yes'), equals(steps('esConnectivityGoalState').esGwRegionalOrAz, 'Zone') ,or(or(or(or(or(or(or(or(equals(steps('esConnectivityGoalState').esNwLocation,'canadacentral'),equals(steps('esConnectivityGoalState').esNwLocation,'centralus')),equals(steps('esConnectivityGoalState').esNwLocation,'eastus'),equals(steps('esConnectivityGoalState').esNwLocation,'eastus2')),equals(steps('esConnectivityGoalState').esNwLocation,'southcentralus'),equals(steps('esConnectivityGoalState').esNwLocation,'westus2')),equals(steps('esConnectivityGoalState').esNwLocation,'francecentral'),equals(steps('esConnectivityGoalState').esNwLocation,'germanywestcentral')),equals(steps('esConnectivityGoalState').esNwLocation,'northeurope'),equals(steps('esConnectivityGoalState').esNwLocation,'westeurope')),equals(steps('esConnectivityGoalState').esNwLocation,'uksouth'),equals(steps('esConnectivityGoalState').esNwLocation,'southafricanorth')),equals(steps('esConnectivityGoalState').esNwLocation,'japaneast'),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia')),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia'),equals(steps('esConnectivityGoalState').esNwLocation,'australiaeast')))]",
+ "toolTip": "Select the required SKU for the VPN gateway.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "VpnGw2AZ",
+ "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 500 IKEv2/OpenVPN connections, aggregate throughput is 1.25 Gbps",
+ "value": "VpnGw2AZ"
+ },
+ {
+ "label": "VpnGw3AZ",
+ "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 1000 IKEv2/OpenVPN connections, aggregate throughput is 2.5 Gbps",
+ "value": "VpnGw3AZ"
+ },
+ {
+ "label": "VpnGw4AZ",
+ "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 5000 IKEv2/OpenVPN connections, aggregate throughput is 5 Gbps",
+ "value": "VpnGw4AZ"
+ },
+ {
+ "label": "VpnGw5AZ",
+ "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 10000 IKEv2/OpenVPN connections, aggregate throughput is 10 Gbps",
+ "value": "VpnGw5AZ"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esGwRegionalSku",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Select the VPN Gateway SKU",
+ "defaultValue": "",
+ "multiselect": false,
+ "selectAll": false,
+ "filter": false,
+ "multiLine": true,
+ "visible": "[and(and(equals(steps('esConnectivityGoalState').esVpnGw, 'Yes'), not(equals(steps('esConnectivityGoalState').esHub, 'vwan'))), equals(steps('esConnectivityGoalState').esVpnGw,'Yes'), equals(steps('esConnectivityGoalState').esGwRegionalOrAz, 'Regional') ,or(or(or(or(or(or(or(or(equals(steps('esConnectivityGoalState').esNwLocation,'canadacentral'),equals(steps('esConnectivityGoalState').esNwLocation,'centralus')),equals(steps('esConnectivityGoalState').esNwLocation,'eastus'),equals(steps('esConnectivityGoalState').esNwLocation,'eastus2')),equals(steps('esConnectivityGoalState').esNwLocation,'southcentralus'),equals(steps('esConnectivityGoalState').esNwLocation,'westus2')),equals(steps('esConnectivityGoalState').esNwLocation,'francecentral'),equals(steps('esConnectivityGoalState').esNwLocation,'germanywestcentral')),equals(steps('esConnectivityGoalState').esNwLocation,'northeurope'),equals(steps('esConnectivityGoalState').esNwLocation,'westeurope')),equals(steps('esConnectivityGoalState').esNwLocation,'uksouth'),equals(steps('esConnectivityGoalState').esNwLocation,'southafricanorth')),equals(steps('esConnectivityGoalState').esNwLocation,'japaneast'),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia')),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia'),equals(steps('esConnectivityGoalState').esNwLocation,'australiaeast')))]",
+ "toolTip": "Select the required SKU for the VPN gateway.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "VpnGw2",
+ "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 500 IKEv2/OpenVPN connections, aggregate
throughput is 1.25 Gbps", + "value": "VpnGw2" + }, + { + "label": "VpnGw3", + "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 1000 IKEv2/OpenVPN connections, aggregate throughput is 2.5 Gbps", + "value": "VpnGw3" + }, + { + "label": "VpnGw4", + "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 5000 IKEv2/OpenVPN connections, aggregate throughput is 5 Gbps", + "value": "VpnGw4" + }, + { + "label": "VpnGw5", + "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 10000 IKEv2/OpenVPN connections, aggregate throughput is 10 Gbps", + "value": "VpnGw5" + } + ] + } + }, + { + "name": "esVwanGwScaleUnits", + "type": "Microsoft.Common.DropDown", + "label": "Select the VPN Gateway scale unit", + "defaultValue": "", + "multiselect": false, + "selectAll": false, + "filter": false, + "multiLine": true, + "visible": "[and(equals(steps('esConnectivityGoalState').esVpnGw, 'Yes'), equals(steps('esConnectivityGoalState').esHub, 'vwan'))]", + "toolTip": "Select the VPN Gateway scale unit", + "constraints": { + "allowedValues": [ + { + "label": "1 scale unit", + "description": "Supports 500 Mbps x2", + "value": "1" + }, + { + "label": "2 scale units", + "description": "Supports 1 Gbps x 2", + "value": "2" + }, + { + "label": "3 scale units", + "description": "Supports 1.5 Gbps x 2", + "value": "3" + }, + { + "label": "4 scale units", + "description": "Supports 2 Gbps x 2", + "value": "4" + }, + { + "label": "5 scale units", + "description": "Supports 2.5 Gbps x 2", + "value": "5" + }, + { + "label": "6 scale units", + "description": "Supports 3 Gbps x 2", + "value": "6" + }, + { + "label": "7 scale units", + "description": "Supports 3.5 Gbps x 2", + "value": "7" + }, + { + "label": "8 scale units", + "description": "Supports 4 Gbps x 2", + "value": "8" + }, + { + "label": "9 scale units", + "description": "Supports 4.5 Gbps x 2", + "value": "9" + }, + { + 
"label": "10 scale units", + "description": "Supports 5 Gbps x 2", + "value": "10" + }, + { + "label": "11 scale units", + "description": "Supports 5.5 Gbps x 2", + "value": "11" + }, + { + "label": "12 scale units", + "description": "Supports 6 Gbps x 2", + "value": "12" + }, + { + "label": "13 scale units", + "description": "Supports 6.5 Gbps x 2", + "value": "13" + }, + { + "label": "14 scale units", + "description": "Supports 7 Gbps x 2", + "value": "14" + }, + { + "label": "15 scale units", + "description": "Supports 7.5 Gbps x 2", + "value": "15" + }, + { + "label": "16 scale units", + "description": "Supports 8 Gbps x 2", + "value": "16" + }, + { + "label": "17 scale units", + "description": "Supports 8.5 Gbps x 2", + "value": "17" + }, + { + "label": "18 scale units", + "description": "Supports 9 Gbps x 2", + "value": "18" + }, + { + "label": "19 scale units", + "description": "Supports 9.5 Gbps x 2", + "value": "19" + }, + { + "label": "20 scale units", + "description": "Supports 10 Gbps x 2", + "value": "20" + } + ] + } + }, + { + "name": "esAddressVpnOrEr", + "type": "Microsoft.Common.TextBox", + "label": "Subnet for VPN/ExpressRoute Gateways", + "toolTip": "Provide address prefix in CIDR notation (e.g 10.100.1.0/24)", + "defaultValue": "10.100.1.0/24", + "visible": "[or(equals(steps('esConnectivityGoalState').esErGw,'Yes'),equals(steps('esConnectivityGoalState').esVpnGw,'Yes'))]", + "constraints": { + "required": true, + "validationMessage": "The subnet network's address space, specified as one address prefixes in CIDR notation (e.g. 
192.168.1.0/24)" + } + }, + { + "name": "esErGw", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy ExpressRoute Gateway", + "defaultValue": "No", + "visible": "[not(equals(steps('esConnectivityGoalState').esHub, 'No'))]", + "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy Express Route gateway", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "esErRegionalOrAz", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy zone redundant or regional ExpressRoute Gateway", + "defaultValue": "Zone redundant (recommended)", + "visible": "[and(and(equals(steps('esConnectivityGoalState').esErGw, 'Yes'), not(equals(steps('esConnectivityGoalState').esHub, 'vwan'))),equals(steps('esConnectivityGoalState').esErGw,'Yes'),or(or(or(or(or(or(or(or(equals(steps('esConnectivityGoalState').esNwLocation,'canadacentral'),equals(steps('esConnectivityGoalState').esNwLocation,'centralus')),equals(steps('esConnectivityGoalState').esNwLocation,'eastus'),equals(steps('esConnectivityGoalState').esNwLocation,'eastus2')),equals(steps('esConnectivityGoalState').esNwLocation,'southcentralus'),equals(steps('esConnectivityGoalState').esNwLocation,'westus2')),equals(steps('esConnectivityGoalState').esNwLocation,'francecentral'),equals(steps('esConnectivityGoalState').esNwLocation,'germanywestcentral')),equals(steps('esConnectivityGoalState').esNwLocation,'northeurope'),equals(steps('esConnectivityGoalState').esNwLocation,'westeurope')),equals(steps('esConnectivityGoalState').esNwLocation,'uksouth'),equals(steps('esConnectivityGoalState').esNwLocation,'southafricanorth')),equals(steps('esConnectivityGoalState').esNwLocation,'japaneast'),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia')),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia'),equals(steps('esConnectivityGoalState').esNwLocation,'austra
liaeast')))]", + "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy Express Route Gateway to the selected region and availability zones.", + "constraints": { + "allowedValues": [ + { + "label": "Zone redundant (recommended)", + "value": "Zone" + }, + { + "label": "Regional", + "value": "Regional" + } + ] + } + }, + { + "name": "esErAzSku", + "type": "Microsoft.Common.DropDown", + "label": "Select the ExpressRoute Gateway SKU", + "defaultValue": "", + "multiselect": false, + "selectAll": false, + "filter": false, + "multiLine": true, + "visible": "[and(and(equals(steps('esConnectivityGoalState').esErGw, 'Yes'), not(equals(steps('esConnectivityGoalState').esHub, 'vwan'))),equals(steps('esConnectivityGoalState').esErGw,'Yes'), equals(steps('esConnectivityGoalState').esErRegionalOrAz, 'Zone'), or(or(or(or(or(or(or(or(equals(steps('esConnectivityGoalState').esNwLocation,'canadacentral'),equals(steps('esConnectivityGoalState').esNwLocation,'centralus')),equals(steps('esConnectivityGoalState').esNwLocation,'eastus'),equals(steps('esConnectivityGoalState').esNwLocation,'eastus2')),equals(steps('esConnectivityGoalState').esNwLocation,'southcentralus'),equals(steps('esConnectivityGoalState').esNwLocation,'westus2')),equals(steps('esConnectivityGoalState').esNwLocation,'francecentral'),equals(steps('esConnectivityGoalState').esNwLocation,'germanywestcentral')),equals(steps('esConnectivityGoalState').esNwLocation,'northeurope'),equals(steps('esConnectivityGoalState').esNwLocation,'westeurope')),equals(steps('esConnectivityGoalState').esNwLocation,'uksouth'),equals(steps('esConnectivityGoalState').esNwLocation,'southafricanorth')),equals(steps('esConnectivityGoalState').esNwLocation,'japaneast'),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia')),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia'),equals(steps('esConnectivityGoalState').esNwLocation,'australiaeast')))]", + "toolTip": "Select 
the required SKU for the Express Route gateway.", + "constraints": { + "allowedValues": [ + { + "label": "ErGw1AZ", + "description": "Megabits per second 1000, packets per second 100,000, connections per second 7000, max number of cicuit connections is 4", + "value": "ErGw1AZ" + }, + { + "label": "ErGw2AZ", + "description": "Megabits per second 2000, packets per second 250,000, connections per second 14000, max number of cicuit connections is 8", + "value": "ErGw2AZ" + }, + { + "label": "ErGw3AZ", + "description": "Megabits per second 10,000, packets per second 1,000,000, connections per second 28,000, max number of cicuit connections is 16", + "value": "ErGw3AZ" + } + ] + } + }, + { + "name": "esErRegionalSku", + "type": "Microsoft.Common.DropDown", + "label": "Select the ExpressRoute Gateway SKU", + "defaultValue": "", + "multiselect": false, + "selectAll": false, + "filter": false, + "multiLine": true, + "visible": "[and(and(equals(steps('esConnectivityGoalState').esErGw, 'Yes'), not(equals(steps('esConnectivityGoalState').esHub, 'vwan'))), equals(steps('esConnectivityGoalState').esErGw,'Yes'), equals(steps('esConnectivityGoalState').esErRegionalOrAz, 'Regional'), 
or(or(or(or(or(or(or(or(equals(steps('esConnectivityGoalState').esNwLocation,'canadacentral'),equals(steps('esConnectivityGoalState').esNwLocation,'centralus')),equals(steps('esConnectivityGoalState').esNwLocation,'eastus'),equals(steps('esConnectivityGoalState').esNwLocation,'eastus2')),equals(steps('esConnectivityGoalState').esNwLocation,'southcentralus'),equals(steps('esConnectivityGoalState').esNwLocation,'westus2')),equals(steps('esConnectivityGoalState').esNwLocation,'francecentral'),equals(steps('esConnectivityGoalState').esNwLocation,'germanywestcentral')),equals(steps('esConnectivityGoalState').esNwLocation,'northeurope'),equals(steps('esConnectivityGoalState').esNwLocation,'westeurope')),equals(steps('esConnectivityGoalState').esNwLocation,'uksouth'),equals(steps('esConnectivityGoalState').esNwLocation,'southafricanorth')),equals(steps('esConnectivityGoalState').esNwLocation,'japaneast'),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia')),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia'),equals(steps('esConnectivityGoalState').esNwLocation,'australiaeast')))]", + "toolTip": "Select the required SKU for the Express Route gateway.", + "constraints": { + "allowedValues": [ + { + "label": "Standard", + "description": "Megabits per second 1000, packets per second 100,000, connections per second 7000, max number of cicuit connections is 4", + "value": "Standard" + }, + { + "label": "HighPerformance", + "description": "Megabits per second 2000, packets per second 250,000, connections per second 14000, max number of cicuit connections is 8", + "value": "HighPerformance" + }, + { + "label": "UltraPerformance", + "description": "Megabits per second 10,000, packets per second 1,000,000, connections per second 28,000, max number of cicuit connections is 16", + "value": "UltraPerformance" + } + ] + } + }, + { + "name": "esErNoAzSku", + "type": "Microsoft.Common.DropDown", + "label": "Select the ExpressRoute Gateway SKU", + 
"defaultValue": "", + "multiselect": false, + "selectAll": false, + "filter": false, + "multiLine": true, + "visible": "[and(and(equals(steps('esConnectivityGoalState').esErGw, 'Yes'), not(equals(steps('esConnectivityGoalState').esHub, 'vwan'))),equals(steps('esConnectivityGoalState').esErGw,'Yes'), not(or(or(or(or(or(or(or(or(equals(steps('esConnectivityGoalState').esNwLocation,'canadacentral'),equals(steps('esConnectivityGoalState').esNwLocation,'centralus')),equals(steps('esConnectivityGoalState').esNwLocation,'eastus'),equals(steps('esConnectivityGoalState').esNwLocation,'eastus2')),equals(steps('esConnectivityGoalState').esNwLocation,'southcentralus'),equals(steps('esConnectivityGoalState').esNwLocation,'westus2')),equals(steps('esConnectivityGoalState').esNwLocation,'francecentral'),equals(steps('esConnectivityGoalState').esNwLocation,'germanywestcentral')),equals(steps('esConnectivityGoalState').esNwLocation,'northeurope'),equals(steps('esConnectivityGoalState').esNwLocation,'westeurope')),equals(steps('esConnectivityGoalState').esNwLocation,'uksouth'),equals(steps('esConnectivityGoalState').esNwLocation,'southafricanorth')),equals(steps('esConnectivityGoalState').esNwLocation,'japaneast'),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia')),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia'),equals(steps('esConnectivityGoalState').esNwLocation,'australiaeast'))))]", + "toolTip": "Select the required SKU for the Express Route gateway.", + "constraints": { + "allowedValues": [ + { + "label": "Standard", + "description": "Megabits per second 1000, packets per second 100,000, connections per second 7000, max number of cicuit connections is 4", + "value": "Standard" + }, + { + "label": "HighPerformance", + "description": "Megabits per second 2000, packets per second 250,000, connections per second 14000, max number of cicuit connections is 8", + "value": "HighPerformance" + }, + { + "label": "UltraPerformance", + 
"description": "Megabits per second 10,000, packets per second 1,000,000, connections per second 28,000, max number of cicuit connections is 16", + "value": "UltraPerformance" + } + ] + } + }, + { + "name": "esVwanErScaleUnits", + "type": "Microsoft.Common.DropDown", + "label": "Select the ExpressRoute Gateway scale unit", + "defaultValue": "", + "multiselect": false, + "selectAll": false, + "filter": false, + "multiLine": true, + "visible": "[and(equals(steps('esConnectivityGoalState').esErGw, 'Yes'), equals(steps('esConnectivityGoalState').esHub, 'vwan'))]", + "toolTip": "Select the ExpressRoute Gateway scale unit", + "constraints": { + "allowedValues": [ + { + "label": "1 scale unit", + "description": "Supports 2 Gbps", + "value": "1" + }, + { + "label": "2 scale units", + "description": "Supports 4 Gbps", + "value": "2" + }, + { + "label": "3 scale units", + "description": "Supports 6 Gbps", + "value": "3" + }, + { + "label": "4 scale units", + "description": "Supports 8 Gbps", + "value": "4" + }, + { + "label": "5 scale units", + "description": "Supports 10 Gbps", + "value": "5" + }, + { + "label": "6 scale units", + "description": "Supports 12 Gbps", + "value": "6" + }, + { + "label": "7 scale units", + "description": "Supports 14 Gbps", + "value": "7" + }, + { + "label": "8 scale units", + "description": "Supports 16 Gbps", + "value": "8" + }, + { + "label": "9 scale units", + "description": "Supports 18 Gbps", + "value": "9" + }, + { + "label": "10 scale units", + "description": "Supports 20 Gbps", + "value": "10" + } + ] + } + }, + { + "name": "esAzFw", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy Azure Firewall", + "defaultValue": "Yes (recommended)", + "visible": "[or(equals(steps('esConnectivityGoalState').esHub, 'vhub'), equals(steps('esConnectivityGoalState').esHub, 'vwan'))]", + "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy Azure Firewall", + "constraints": { + "allowedValues": [ + 
{ + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "esAzFwDns", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable Azure Firewall as a DNS proxy", + "defaultValue": "No", + "visible": "[equals(steps('esConnectivityGoalState').esAzFw,'Yes')]", + "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will enable Azure Firewall as a DNS Proxy.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "esFwAz", + "type": "Microsoft.Common.DropDown", + "label": "Select Availability Zones for the Azure Firewall", + "defaultValue": "None", + "multiselect": true, + "selectAll": true, + "filter": true, + "visible": "[if(equals(steps('esConnectivityGoalState').esHub, 'vhub'), and(equals(steps('esConnectivityGoalState').esAzFw,'Yes'),or(or(or(or(or(or(or(or(equals(steps('esConnectivityGoalState').esNwLocation,'canadacentral'),equals(steps('esConnectivityGoalState').esNwLocation,'centralus')),equals(steps('esConnectivityGoalState').esNwLocation,'eastus'),equals(steps('esConnectivityGoalState').esNwLocation,'eastus2')),equals(steps('esConnectivityGoalState').esNwLocation,'southcentralus'),equals(steps('esConnectivityGoalState').esNwLocation,'westus2')),equals(steps('esConnectivityGoalState').esNwLocation,'francecentral'),equals(steps('esConnectivityGoalState').esNwLocation,'germanywestcentral')),equals(steps('esConnectivityGoalState').esNwLocation,'northeurope'),equals(steps('esConnectivityGoalState').esNwLocation,'westeurope')),equals(steps('esConnectivityGoalState').esNwLocation,'uksouth'),equals(steps('esConnectivityGoalState').esNwLocation,'southafricanorth')),equals(steps('esConnectivityGoalState').esNwLocation,'japaneast'),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia')),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia'),equ
als(steps('esConnectivityGoalState').esNwLocation,'australiaeast'))), false)]", + "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy Azure Firewall to the selected region and availability zones.", + "constraints": { + "allowedValues": [ + { + "label": "Zone 1", + "value": "1" + }, + { + "label": "Zone 2", + "value": "2" + }, + { + "label": "Zone 3", + "value": "3" + } + ] + } + }, + { + "name": "esAddressFw", + "type": "Microsoft.Common.TextBox", + "label": "Subnet for Azure Firewall", + "toolTip": "Provide address prefix in CIDR notation (e.g 10.100.0.0/24)", + "defaultValue": "10.100.0.0/24", + "visible": "[equals(steps('esConnectivityGoalState').esAzFw,'Yes')]", + "constraints": { + "required": true, + "validationMessage": "The subnet network's address space, specified as one address prefixes in CIDR notation (e.g. 192.168.1.0/24)" + } + } + ] + }, + { + "name": "esIdentityGoalState", + "label": "Identity", + "subLabel": { + "preValidation": "", + "postValidation": "" + }, + "bladeTitle": "lzGs", + "elements": [ + { + "name": "multiPlatformIdentitySub", + "type": "Microsoft.Common.InfoBox", + "visible": "[not(equals(steps('lzSettings').subOrgsOption, 'Single'))]", + "options": { + "text": "To enable identity (AuthN/AuthZ) for workloads in landing zones, you must allocate an identity Subscription that is dedicated to host your Active Directory domain controllers. Please note, this Subscription will be moved to the identity Management Group, and ARM will assign the selected policies. 
We recommend using a new Subscription with no existing resources.", + "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/identity-and-access-management", + "style": "Info" + } + }, + { + "name": "singlePlatformIdentitySub", + "type": "Microsoft.Common.InfoBox", + "visible": "[equals(steps('lzSettings').subOrgsOption, 'Single')]", + "options": { + "text": "To enable identity (AuthN/AuthZ) for workloads in landing zones, it is recommended to assign specific policies to govern the virtual machines used for Active Directory domain controllers.", + "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/identity-and-access-management", + "style": "Info" + } + }, + { + "name": "esIdentity", + "type": "Microsoft.Common.OptionsGroup", + "label": "Assign recommended policies to govern identity and domain controllers", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, Azure Policy will be assigned at the scope to govern your identity resources.", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": true + }, + { + "name": "esIdentitySubSection", + "type": "Microsoft.Common.Section", + "label": "Identity subscription", + "elements": [ + { + "type":"Microsoft.Common.SubscriptionSelector", + "name": "esIdentitySub", + "label": "Management subscription" + } + ], + "visible": "[and(equals(steps('esIdentityGoalState').esIdentity,'Yes'), not(equals(steps('lzSettings').subOrgsOption, 'Single')))]" + }, + { + "name": "identitypolicies", + "type": "Microsoft.Common.TextBlock", + "visible": "[equals(steps('esIdentityGoalState').esIdentity,'Yes')]", + "options": { + "text": "Select which of the the recommended policies you will assign to your identity management group.", + "link": { + "label": "Learn more", + "uri": 
"https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/design-principles#policy-driven-governance" + } + } + }, + { + "name": "esIdDenyRdp", + "type": "Microsoft.Common.OptionsGroup", + "label": "Prevent inbound RDP from internet", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected, Azure Policy will be assigned and prevent inbound RDP from internet", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": "[equals(steps('esIdentityGoalState').esIdentity,'Yes')]" + }, + { + "name": "esIdDenySubnetNsg", + "type": "Microsoft.Common.OptionsGroup", + "label": "Ensure subnets are associated with NSG", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected, Azure Policy will be assigned to ensure NSGs must be associated with subnets being created", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": "[equals(steps('esIdentityGoalState').esIdentity,'Yes')]" + }, + { + "name": "esIdDenyPublicIp", + "type": "Microsoft.Common.OptionsGroup", + "label": "Prevent usage of public IP", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected, Azure Policy will be assigned to ensure public IP resources cannot be created", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": "[and(equals(steps('esIdentityGoalState').esIdentity,'Yes'), not(equals(steps('lzSettings').subOrgsOption, 'Single')))]" + }, + { + "name": "esIdAzBackup", + "type": "Microsoft.Common.OptionsGroup", + "label": "Ensure Azure VMs (Windows & Linux) are enabled for Azure Backup", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected, Azure Policy will be assigned and enable Azure Backup on 
all VMs in the landing zones.", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": "[equals(steps('esIdentityGoalState').esIdentity,'Yes')]" + }, + { + "name": "esIdentityConnectivity", + "type": "Microsoft.Common.OptionsGroup", + "label": "Create virtual network and connect to the connectivity hub (optional)?", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected for corp landing zones, ARM will connect the subscriptions to the hub virtual network via VNet peering.", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": "[and(and(equals(steps('esIdentityGoalState').esIdentity,'Yes'), not(equals(steps('lzSettings').subOrgsOption, 'Single'))), equals(steps('esIdentityGoalState').esIdentity, 'Yes'), not(equals(steps('esConnectivityGoalState').esHub,'No')))]" + }, + { + "name": "esIdentityCidr", + "type": "Microsoft.Common.TextBox", + "label": "Virtual network address space", + "placeholder": "", + "defaultValue": "10.110.0.0/24", + "toolTip": "The virtual network's address space, specified as one address prefixes in CIDR notation (e.g. 192.168.1.0/24)", + "constraints": { + "required": true, + "validationMessage": "The virtual network's address space, specified as one address prefixes in CIDR notation (e.g. 192.168.1.0/24)." 
+ }, + "visible": "[and(equals(steps('esIdentityGoalState').esIdentityConnectivity, 'Yes'), not(equals(steps('esConnectivityGoalState').esHub,'No')))]" + } + ] + }, + { + "name": "lzGoalState", + "label": "Landing zone configuration", + "subLabel": { + "preValidation": "", + "postValidation": "" + }, + "bladeTitle": "lzGs", + "elements": [ + { + "name": "infoBox1", + "type": "Microsoft.Common.InfoBox", + "visible": true, + "options": { + "text": "You can optionally provide subscriptions for your first landing zones for both 'online' and 'corp' and assign recommended policies that will ensure workloads will be secure, monitored, and protected according to best practices.", + "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/design-principles#policy-driven-governance", + "style": "Info" + } + }, + { + "name": "corpText", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "text": "Select the subscriptions you want to move to corp management group.", + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/design-principles#subscription-democratization" + } + } + }, + { + "name": "esLzConnectivity", + "type": "Microsoft.Common.OptionsGroup", + "label": "Connect corp landing zones to the connectivity hub (optional)?", + "defaultValue": "No", + "toolTip": "If 'Yes' is selected for corp landing zones, ARM will connect the subscriptions to the hub virtual network via VNet peering.", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": "[or(equals(steps('esConnectivityGoalState').esHub, 'nva'), equals(steps('esConnectivityGoalState').esHub, 'vhub'))]" + }, + { + "name": "lzCorpSubsApi", + "type": "Microsoft.Solutions.ArmApiControl", + "request": { + "method": "GET", + "path": "subscriptions?api-version=2020-01-01" + } + }, + { + 
"name": "esCorpLzSub", + "type": "Microsoft.Common.DropDown", + "label": "Corp landing zone subscriptions (optional)", + "toolTip": "", + "multiselect": true, + "selectAll": true, + "filter": true, + "filterPlaceholder": "Filter items ...", + "multiLine": true, + "visible": "[or(or(equals(steps('lzGoalState').esLzConnectivity, 'No'), equals(steps('esConnectivityGoalState').esHub, 'No')), equals(steps('esConnectivityGoalState').esHub, 'vwan'), equals(steps('lzGoalState').esLzConnectivity, 'No'))]", + "constraints": { + "allowedValues": "[map(steps('lzGoalState').lzCorpSubsApi.value, (sub) => parse(concat('{\"label\":\"', sub.displayName, '\",\"description\":\"', sub.subscriptionId, '\",\"value\":\"', toLower(sub.subscriptionId), '\"}')) )]", + "required": false + } + }, + { + "name": "lzConnectedSubs", + "type": "Microsoft.Common.EditableGrid", + "ariaLabel": "Add existing subscriptions into the management group landing zone and provide address space for virtual network peering", + "label": "Corp connected landing zone subscriptions (optional)", + "visible": "[equals(steps('lzGoalState').esLzConnectivity, 'Yes')]", + "constraints": { + "width": "Full", + "rows": { + "count": { + "min": 1, + "max": 10 + } + }, + "columns": [ + { + "id": "subs", + "header": "Subscription", + "width": "1fr", + "element": { + "name": "esLzConnectedSub", + "type": "Microsoft.Common.DropDown", + "label": "Landing zone subscription", + "toolTip": "", + "multiselect": false, + "selectAll": false, + "filter": true, + "filterPlaceholder": "Filter items ...", + "multiLine": false, + "constraints": { + "allowedValues": "[map(steps('lzGoalState').lzSubsApi.value, (sub) => parse(concat('{\"label\":\"', sub.displayName, '\",\"description\":\"', sub.subscriptionId, '\",\"value\":\"', toLower(sub.subscriptionId), '\"}')) )]", + "required": false + } + } + }, + { + "id": "addresses", + "header": "Virtual Network Address space", + "width": "1fr", + "element": { + "type": "Microsoft.Common.TextBox", + 
"placeholder": "Ensure there are no overlapping IP addresses!", + "constraints": { + "required": true, + "validations": [ + { + "message": "Only CIDR notation is allowed, and address space must be unique." + } + ] + } + } + } + ] + } + }, + { + "name": "lzSubsApi", + "type": "Microsoft.Solutions.ArmApiControl", + "request": { + "method": "GET", + "path": "subscriptions?api-version=2020-01-01" + } + }, + { + "name": "onlineText", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "text": "Select the subscriptions you want to move to online management group.", + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/design-principles#subscription-democratization" + } + } + }, + { + "name": "lzOnlineSubsApi", + "type": "Microsoft.Solutions.ArmApiControl", + "request": { + "method": "GET", + "path": "subscriptions?api-version=2020-01-01" + } + }, + { + "name": "esOnlineLzSub", + "type": "Microsoft.Common.DropDown", + "label": "Online landing zone subscriptions (optional)", + "toolTip": "", + "multiselect": true, + "selectAll": true, + "filter": true, + "filterPlaceholder": "Filter items ...", + "multiLine": true, + "visible": true, + "constraints": { + "allowedValues": "[map(steps('lzGoalState').lzOnlineSubsApi.value,(sub) => parse(concat('{\"label\":\"',sub.displayName,'\",\"description\":\"',sub.subscriptionId,'\",\"value\":\"',toLower(sub.subscriptionId),'\"}')))]", + "required": false + } + }, + { + "name": "azMonText", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "text": "Select which of the the recommended policies you will assign to your landing zones.", + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/design-principles#policy-driven-governance" + } + } + }, + { + "name": "esLzDdoS", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable DDoS 
Protection Standard",
+ "defaultValue": "Yes (recommended)",
+ "visible": "[and(not(equals(steps('esConnectivityGoalState').esHub,'No')),equals(steps('esConnectivityGoalState').esDdoS,'Yes'))]",
+ "toolTip": "If 'Yes' is selected when also adding a connectivity subscription earlier, DDoS Protection Standard will be enabled.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esLzPrivateLink",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Prevent usage of Public Endpoints for Azure PaaS services in the corp connected landing zones",
+ "defaultValue": "Yes (recommended)",
+ "visible": true,
+ "toolTip": "If 'Yes' is selected then Azure Policy will prevent PaaS resources to use public endpoints.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esPrivateDnsZones",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Ensure private endpoints to Azure PaaS services are integrated with Azure Private DNS Zones in the corp connected landing zones",
+ "defaultValue": "Yes (recommended)",
+ "visible": "[equals(steps('esConnectivityGoalState').esPrivateDns, 'Yes')]",
+ "toolTip": "If 'Yes' is selected then Azure Policy will ensure private endpoints to Azure PaaS services are integrated with Azure Private DNS Zones in the connectivity subscription on behalf of the users.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esEncryptionInTransit",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Ensure encryption in transit is enabled for PaaS services",
+ "defaultValue": "Yes (recommended)",
+ "visible": true,
+ "toolTip": "If 'Yes' is selected then Azure Policy will ensure PaaS resources uses TLS and SSL.",
+ 
"constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ }
+ },
+ {
+ "name": "esVmMonitoring",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Ensure Azure VMs (Windows & Linux) are being monitored",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "Enabling this Azure Policy will ensure that every virtual machine (Windows, Linux, including Azure Arc enabled servers) are onboarded to Azure Monitor and Security",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": "[equals(steps('esGoalState').esLogAnalytics,'Yes')]"
+ },
+ {
+ "name": "esVmssMonitoring",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Ensure Azure VMSS (Windows & Linux) are being monitored",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "Enabling this Azure Policy will ensure that every virtual machine scale set (Windows & Linux) are onboarded to Azure Monitor and Security",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": "[equals(steps('esGoalState').esLogAnalytics,'Yes')]"
+ },
+ {
+ "name": "esAksPolicy",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Enable Kubernetes (AKS) for Azure Policy",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected when also adding a subscription for management, ARM will deploy resources and enable them for continous compliance",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": true
+ },
+ {
+ "name": "esAksPriv",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Prevent privileged containers in Kubernetes clusters",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected, 
policy will be assigned to prevent privileged containers in AKS",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": true
+ },
+ {
+ "name": "esAksNoPriv",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Prevent privileged escalation in Kubernetes clusters",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected, policy will be assigned to prevent privileged escalations in AKS",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": true
+ },
+ {
+ "name": "esAksIngress",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Ensure HTTPS ingress is enforced in Kubernetes clusters",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected, HTTPS ingress will be required in AKS",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": true
+ },
+ {
+ "name": "esAzBackup",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Ensure Azure VMs (Windows & Linux) are enabled for Azure Backup",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected, Azure Policy will be assigned and enable Azure Backup on all VMs in the landing zones.",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": true
+ },
+ {
+ "name": "esDenyRdp",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Prevent inbound RDP from internet",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected, Azure Policy will be assigned and prevent inbound RDP from internet",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": true
+ },
+ {
+ "name": "esNsg",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Ensure subnets are associated with NSG",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected, Azure Policy will be assigned to ensure NSGs must be associated with subnets being created",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": true
+ },
+ {
+ "name": "esIpForwarding",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Prevent IP forwarding",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected, Azure Policy will be assigned and prevent IP forwarding",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": true
+ },
+ {
+ "name": "esSqlEncryption",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Ensure Azure SQL is enabled with transparent data encryption",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected when also adding a subscription for management, ARM will deploy resources and enable them for continous compliance",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": true
+ },
+ {
+ "name": "esSqlAudit",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Ensure auditing is enabled on Azure SQL",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected, Azure Policy will be assigned to ensure auditing is enabled on Azure SQLs",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": true
+ },
+ {
+ "name": "esHttpsStorage",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Ensure secure connections (HTTPS) to 
storage accounts",
+ "defaultValue": "Yes (recommended)",
+ "toolTip": "If 'Yes' is selected, Azure Policy will be assigned to ensure storage can only be accessed using HTTPS",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": true
+ }
+ ]
+ }
+ ]
+ },
+ "outputs": {
+ "parameters": {
+ "subnetMaskForGw": "[steps('esConnectivityGoalState').esAddressVpnOrEr]",
+ "subnetMaskForAzFw": "[steps('esConnectivityGoalState').esAddressFw]",
+ "enableErGw": "[steps('esConnectivityGoalState').esErGw]",
+ "enableVpnGw": "[steps('esConnectivityGoalState').esVpnGw]",
+ "enableHub": "[steps('esConnectivityGoalState').esHub]",
+ "enableDdoS": "[steps('esConnectivityGoalState').esDdoS]",
+ "connectivitySubscriptionId": "[if(not(equals(steps('esConnectivityGoalState').esNwSubSection.esNwSub.subscriptionId,steps('esGoalState').esMgmtSubSection.esMgmtSub.subscriptionId)),steps('esConnectivityGoalState').esNwSubSection.esNwSub.subscriptionId,'')]",
+ "enableAzFw": "[steps('esConnectivityGoalState').esAzFw]",
+ "enableAzFwDnsProxy": "[steps('esConnectivityGoalState').esAzFwDns]",
+ "addressPrefix": "[steps('esConnectivityGoalState').esAddressHub]",
+ "location": "[steps('esConnectivityGoalState').esNwLocation]",
+ "managementSubscriptionId": "[steps('esGoalState').esMgmtSubSection.esMgmtSub.subscriptionId]",
+ "identitySubscriptionId": "[if(or(not(equals(steps('esIdentityGoalState').esIdentitySubSection.esIdentitySub.subscriptionId,steps('esGoalState').esMgmtSubSection.esMgmtSub.subscriptionId)),not(equals(steps('esIdentityGoalState').esIdentitySubSection.esIdentitySub.subscriptionId,steps('esConnectivityGoalState').esNwSubSection.esNwSub.subscriptionId))),steps('esIdentityGoalState').esIdentitySubSection.esIdentitySub.subscriptionId,'')]",
+ "onlineLzSubscriptionId": 
"[if(or(not(contains(steps('lzGoalState').esOnlineLzSub,steps('esGoalState').esMgmtSubSection.esMgmtSub.subscriptionId)),not(contains(steps('lzGoalState').esOnlineLzSub,steps('esConnectivityGoalState').esNwSubSection.esNwSub.subscriptionId))),steps('lzGoalState').esOnlineLzSub,'')]",
+ "corpLzSubscriptionId": "[if(or(not(contains(steps('lzGoalState').esCorpLzSub,steps('esGoalState').esMgmtSubSection.esMgmtSub.subscriptionId)),not(contains(steps('lzGoalState').esCorpLzSub,steps('esConnectivityGoalState').esNwSubSection.esNwSub.subscriptionId))),steps('lzGoalState').esCorpLzSub,'')]",
+ "enableLogAnalytics": "[steps('esGoalState').esLogAnalytics]",
+ "denyRdpForIdentity": "[steps('esIdentityGoalState').esIdDenyRdp]",
+ "denySubnetWithoutNsgForIdentity": "[steps('esIdentityGoalState').esIdDenySubnetNsg]",
+ "denyPipForIdentity": "[steps('esIdentityGoalState').esIdDenyPublicIp]",
+ "enableVmBackupForIdentity": "[steps('esIdentityGoalState').esIdAzBackup]",
+ "enableAsc": "[steps('esGoalState').esAsc]",
+ "emailContactAsc": "[steps('esGoalState').esAscEmail]",
+ "enableAscForServers": "[steps('esGoalState').esAscVms]",
+ "enableAscForAppServices": "[steps('esGoalState').esAscApps]",
+ "enableAscForStorage": "[steps('esGoalState').esAscStorage]",
+ "enableAscForSql": "[steps('esGoalState').esAscSql]",
+ "enableAscForSqlOnVm": "[steps('esGoalState').esAscSqlOnVm]",
+ "enableAscForKeyVault": "[steps('esGoalState').esAscKeyVault]",
+ "enableAscForArm": "[steps('esGoalState').esAscArm]",
+ "enableAscForDns": "[steps('esGoalState').esAscDns]",
+ "enableAscForKubernetes": "[steps('esGoalState').esAscKubernetes]",
+ "enableAscForRegistries": "[steps('esGoalState').esAscRegistries]",
+ "enableSecuritySolution": "[steps('esGoalState').esSecuritySolution]",
+ "enableAgentHealth": "[steps('esGoalState').esAgentSolution]",
+ "enableChangeTracking": "[steps('esGoalState').esChangeTracking]",
+ "enableUpdateMgmt": "[steps('esGoalState').esUpdateMgmt]",
+ "enableActivityLog": 
"[steps('esGoalState').esActivityLog]",
+ "enableVmInsights": "[steps('esGoalState').esVmInsights]",
+ "enableServiceMap": "[steps('esGoalState').esServiceMap]",
+ "enableSqlAssessment": "[steps('esGoalState').esSqlAssessment]",
+ "enterpriseScaleCompanyPrefix": "[steps('lzSettings').esMgmtGroup]",
+ "enableSqlAudit": "[steps('lzGoalState').esSqlAudit]",
+ "enableSqlEncryption": "[steps('lzGoalState').esSqlEncryption]",
+ "enableVmBackup": "[steps('lzGoalState').esAzBackup]",
+ "enableLzDdoS": "[steps('lzGoalState').esLzDdoS]",
+ "denyPublicEndpoints": "[steps('lzGoalState').esLzPrivateLink]",
+ "enableEncryptionInTransit": "[steps('lzGoalState').esEncryptionInTransit]",
+ "enableAksPolicy": "[steps('lzGoalState').esAksPolicy]",
+ "denyAksPrivileged": "[steps('lzGoalState').esAksPriv]",
+ "denyAksPrivilegedEscalation": "[steps('lzGoalState').esAksNoPriv]",
+ "denyHttpIngressForAks": "[steps('lzGoalState').esAksIngress]",
+ "denyRdp": "[steps('lzGoalState').esDenyRdp]",
+ "enableStorageHttps": "[steps('lzGoalState').esHttpsStorage]",
+ "denyIpForwarding": "[steps('lzGoalState').esIpForwarding]",
+ "denySubnetWithoutNsg": "[steps('lzGoalState').esNsg]",
+ "retentionInDays": "[string(steps('esGoalState').esLogRetention)]",
+ "enableVmMonitoring": "[steps('lzGoalState').esVmMonitoring]",
+ "enableVmssMonitoring": "[steps('lzGoalState').esVmssMonitoring]",
+ "vpnOrErZones": "[steps('esConnectivityGoalState').esGwRegionalOrAz]",
+ "firewallZones": "[steps('esConnectivityGoalState').esFwAz]",
+ "paToken": "[steps('lzDevOps').esPaToken]",
+ "principalId": "[steps('lzDevOps').spnSection.esServicePrincipal.objectId]",
+ "principalSecret": "[steps('lzDevOps').spnSection.esServicePrincipal.password]",
+ "gitHubUserNameOrOrg": "[steps('lzDevOps').esGit]",
+ "appId": "[steps('lzDevOps').spnSection.esServicePrincipal.appId]",
+ "enableAzOps": "[steps('lzDevOps').cicdOption]",
+ "subscriptionId": "[steps('esGoalState').esMgmtSubSection.esMgmtSub.subscriptionId]",
+ 
"repositoryName": "[steps('lzDevOps').esGitRepoName]",
+ "gwRegionalOrAz": "[steps('esConnectivityGoalState').esGwRegionalOrAz]",
+ "gwAzSku": "[steps('esConnectivityGoalState').esGwAzSku]",
+ "gwRegionalSku": "[if(empty(steps('esConnectivityGoalState').esGwRegionalSku), steps('esConnectivityGoalState').esGwNoAzSku, steps('esConnectivityGoalState').esGwRegionalSku)]",
+ "erRegionalOrAz": "[steps('esConnectivityGoalState').esErRegionalOrAz]",
+ "erAzSku": "[steps('esConnectivityGoalState').esErAzSku]",
+ "erRegionalSku": "[if(empty(steps('esConnectivityGoalState').esErRegionalSku), steps('esConnectivityGoalState').esErNoAzSku, steps('esConnectivityGoalState').esErRegionalSku)]",
+ "singlePlatformSubscriptionId": "[steps('lzSettings').esSingleSubSection.esSingleSub.subscriptionId]",
+ "expressRouteScaleUnit": "[steps('esConnectivityGoalState').esVwanErScaleUnits]",
+ "vpnGateWayScaleUnit": "[steps('esConnectivityGoalState').esVwanGwScaleUnits]",
+ "enablePrivateDnsZones": "[steps('esConnectivityGoalState').esPrivateDns]",
+ "enablePrivateDnsZonesForLzs": "[steps('lzGoalState').esPrivateDnsZones]",
+ "identityAddressPrefix": "[steps('esIdentityGoalState').esIdentityCidr]",
+ "corpConnectedLzSubscriptionId": "[if(or(not(contains(steps('lzGoalState').esCorpLzSub,steps('esGoalState').esMgmtSubSection.esMgmtSub.subscriptionId)),not(contains(steps('lzGoalState').esCorpLzSub,steps('esConnectivityGoalState').esNwSubSection.esNwSub.subscriptionId))),steps('lzGoalState').lzConnectedSubs,'')]"
+ },
+ "kind": "Tenant",
+ "location": "[steps('basics').resourceScope.location.name]"
+ }
+ }
+}
\ No newline at end of file
diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
new file mode 100644
index 0000000000..8591af2dc6
--- /dev/null
+++ b/eslzArm/eslzArm.json
@@ -0,0 +1,3404 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "enterpriseScaleCompanyPrefix": {
+ "type": "string",
+ "maxLength": 10,
+ "metadata": {
+ "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of Enterprise-scale."
+ }
+ },
+ "managementSubscriptionId": {
+ "type": "string",
+ "defaultValue": "",
+ "maxLength": 36,
+ "metadata": {
+ "description": "Provide the subscription id of an existing, empty subscription you want to dedicate for management. If you don't want to bring a subscription, leave this parameter empty as is."
+ }
+ },
+ "connectivitySubscriptionId": {
+ "type": "string",
+ "defaultValue": "",
+ "maxLength": 36,
+ "metadata": {
+ "description": "Provide the subscription id of an existing, empty subscription you want to dedicate for networking."
+ }
+ },
+ "identitySubscriptionId": {
+ "type": "string",
+ "defaultValue": "",
+ "maxLength": 36,
+ "metadata": {
+ "description": "Provide the subscription id of an existing, empty subscription you want to dedicate for identity."
+ }
+ },
+ "denySubnetWithoutNsgForIdentity": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "No"
+ },
+ "denyRdpForIdentity": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "No"
+ },
+ "denyPipForIdentity": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "No"
+ },
+ "enableVmBackupForIdentity": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "No"
+ },
+ "onlineLzSubscriptionId": {
+ "type": "array",
+ "defaultValue": [],
+ "metadata": {
+ "description": "Provide the subscription ids for existing, empty subscriptions you want to move in as your first online landing zones."
+ }
+ },
+ "corpLzSubscriptionId": {
+ "type": "array",
+ "defaultValue": [],
+ "metadata": {
+ "description": "Provide the subscription ids for existing, empty subscriptions you want to move in as your first corp landing zones."
+ }
+ },
+ "corpConnectedLzSubscriptionId": {
+ "type": "array",
+ "defaultValue": [],
+ "metadata": {
+ "description": "Provide the subscription ids for existing, empty subscriptions you want to move in as your first corp landing zones and connect to virtual networking hub."
+ }
+ },
+ "enableLogAnalytics": {
+ "type": "string",
+ "defaultValue": "No",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "metadata": {
+ "description": "If 'Yes' is selected when also adding a subscription for management, ARM will assign two policies to enable auditing in your environment, into the Log Analytics workspace for platform monitoring. If 'No', it will be ignored."
+ }
+ },
+ "retentionInDays": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "enableAsc": {
+ "type": "string",
+ "defaultValue": "No",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "metadata": {
+ "description": "If 'Yes' is selected when also adding a subscription for management, ARM will assign two policies to enable auditing in your environment, into the Log Analytics workspace for platform monitoring. If 'No', it will be ignored."
+ }
+ },
+ "enableAksPolicy": {
+ "type": "string",
+ "defaultValue": "No",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ]
+ },
+ "emailContactAsc": {
+ "type": "string",
+ "metadata": {
+ "description": "Email address for Azure Security Center contact details."
+ },
+ "defaultValue": ""
+ },
+ "enableAscForServers": {
+ "type": "string",
+ "defaultValue": "Free",
+ "allowedValues": [
+ "Standard",
+ "Free"
+ ]
+ },
+ "enableAscForAppServices": {
+ "type": "string",
+ "defaultValue": "Free",
+ "allowedValues": [
+ "Standard",
+ "Free"
+ ]
+ },
+ "enableAscForStorage": {
+ "type": "string",
+ "defaultValue": "Free",
+ "allowedValues": [
+ "Standard",
+ "Free"
+ ]
+ },
+ "enableAscForSql": {
+ "type": "string",
+ "defaultValue": "Free",
+ "allowedValues": [
+ "Standard",
+ "Free"
+ ]
+ },
+ "enableAscForSqlOnVm": {
+ "type": "string",
+ "defaultValue": "Free",
+ "allowedValues": [
+ "Standard",
+ "Free"
+ ]
+ },
+ "enableAscForKeyVault": {
+ "type": "string",
+ "defaultValue": "Free",
+ "allowedValues": [
+ "Standard",
+ "Free"
+ ]
+ },
+ "enableAscForArm": {
+ "type": "string",
+ "defaultValue": "Free",
+ "allowedValues": [
+ "Standard",
+ "Free"
+ ]
+ },
+ "enableAscForDns": {
+ "type": "string",
+ "defaultValue": "Free",
+ "allowedValues": [
+ "Standard",
+ "Free"
+ ]
+ },
+ "enableAscForKubernetes": {
+ "type": "string",
+ "defaultValue": "Free",
+ "allowedValues": [
+ "Standard",
+ "Free"
+ ]
+ },
+ "enableAscForRegistries": {
+ "type": "string",
+ "defaultValue": "Free",
+ "allowedValues": [
+ "Standard",
+ "Free"
+ ]
+ },
+ "denyAksPrivileged": {
+ "type": "string",
+ "defaultValue": "No",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ]
+ },
+ "denyAksPrivilegedEscalation": {
+ "type": "string",
+ "defaultValue": "No",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ]
+ },
+ "denyHttpIngressForAks": {
+ "type": "string",
+ "defaultValue": "No",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ]
+ },
+ "enableVmMonitoring": {
+ "type": "string",
+ "defaultValue": "No",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "metadata": {
+ "description": "If 'Yes' is selected, policy will be assigned to enforce VM monitoring."
+ }
+ },
+ "enableVmssMonitoring": {
+ "type": "string",
+ "defaultValue": "No",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "metadata": {
+ "description": "If 'Yes' is selected, policy will be assigned to enforce VMSS monitoring."
+ }
+ },
+ "enableSecuritySolution": {
+ "type": "string",
+ "defaultValue": "No",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ]
+ },
+ "enableEncryptionInTransit": {
+ "type": "string",
+ "defaultValue": "No",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ]
+ },
+ "enableAgentHealth": {
+ "type": "string",
+ "defaultValue": "No",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ]
+ },
+ "enableChangeTracking": {
+ "type": "string",
+ "defaultValue": "No",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ]
+ },
+ "enableUpdateMgmt": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "Yes"
+ },
+ "enableActivityLog": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "Yes"
+ },
+ "enableVmInsights": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "Yes"
+ },
+ "enableServiceMap": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "Yes"
+ },
+ "enableSqlAssessment": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "Yes"
+ },
+ "enableSqlAudit": {
+ "type": "string",
+ "defaultValue": "No",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ]
+ },
+ "enableSqlEncryption": {
+ "type": "string",
+ "defaultValue": "No",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ]
+ },
+ "enableVmBackup": {
+ "type": "string",
+ "defaultValue": "No",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ]
+ },
+ "denyRdp": {
+ "type": "string",
+ "defaultValue": "No",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ]
+ },
+ "denyPublicEndpoints": {
+ "type": "string",
+ "defaultValue": "No",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ]
+ },
+ "enableStorageHttps": {
+ "type": "string",
+ "defaultValue": "No",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ]
+ },
+ "enableLzDdoS": {
+ 
"type": "string",
+ "defaultValue": "No",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ]
+ },
+ "denyIpForwarding": {
+ "type": "string",
+ "defaultValue": "No",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ]
+ },
+ "denySubnetWithoutNsg": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "No"
+ },
+ "addressPrefix": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "enableVpnGw": {
+ "type": "string",
+ "defaultValue": "No",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ]
+ },
+ "enableErGw": {
+ "type": "string",
+ "defaultValue": "No",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ]
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[deployment().location]"
+ },
+ "enableHub": {
+ "type": "string",
+ "allowedValues": [
+ "vhub",
+ "vwan",
+ "nva",
+ "No"
+ ],
+ "defaultValue": "No"
+ },
+ "enableAzFw": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "No"
+ },
+ "enableAzFwDnsProxy": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "No"
+ },
+ "enableDdoS": {
+ "type": "string",
+ "defaultValue": "No",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ]
+ },
+ "enablePrivateDnsZones": {
+ "type": "string",
+ "defaultValue": "No",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ]
+ },
+ "enablePrivateDnsZonesForLzs": {
+ "type": "string",
+ "defaultValue": "No",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ]
+ },
+ "subnetMaskForAzFw": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "subnetMaskForGw": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "gwRegionalOrAz": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "gwAzSku": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "gwRegionalSku": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "erRegionalOrAz": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "erAzSku": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "erRegionalSku": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "firewallZones": {
+ "type": "array",
+ "defaultValue": []
+ },
+ 
"paToken": {
+ "type": "securestring",
+ "defaultValue": ""
+ },
+ "principalId": {
+ "type": "array",
+ "defaultValue": []
+ },
+ "appId": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "principalSecret": {
+ "type": "securestring",
+ "defaultValue": ""
+ },
+ "gitHubUserNameOrOrg": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "repositoryName": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "enableAzOps": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "No"
+ },
+ "subscriptionId": {
+ "type": "string",
+ "defaultValue": "",
+ "maxLength": 36
+ },
+ "singlePlatformSubscriptionId": {
+ "type": "string",
+ "defaultValue": "",
+ "maxLength": 36
+ },
+ "expressRouteScaleUnit": {
+ "type": "string",
+ "defaultValue": "1"
+ },
+ "vpnGateWayScaleUnit": {
+ "type": "string",
+ "defaultValue": "1"
+ },
+ "identityAddressPrefix": {
+ "type": "string",
+ "defaultValue": ""
+ }
+ },
+ "variables": {
+ // Declaring the prescriptive management group structure that will be used in the scope construction
+ "mgmtGroups": {
+ "eslzRoot": "[parameters('enterpriseScaleCompanyPrefix')]",
+ "platform": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-', 'platform')]",
+ "management": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-', 'management')]",
+ "connectivity": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-', 'connectivity')]",
+ "identity": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-', 'identity')]",
+ "lzs": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-', 'landingzones')]",
+ "corp": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-', 'corp')]",
+ "online": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-', 'online')]"
+ },
+ // Declaring scopes that will be used for optional deployments, such as platform components (monitoring, networking, identity), policy assignments, subscription placement etc. 
+ "scopes": {
+ "eslzRootManagementGroup": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('mgmtGroups').eslzRoot)]",
+ "platformManagementGroup": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('mgmtGroups').platform)]",
+ "managementManagementGroup": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('mgmtGroups').management)]",
+ "connectivityManagementGroup": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('mgmtGroups').connectivity)]",
+ "identityManagementGroup": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('mgmtGroups').identity)]",
+ "lzsManaegmentGroup": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('mgmtGroups').lzs)]",
+ "corpManagementGroup": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('mgmtGroups').corp)]",
+ "onlineManagementGroup": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('mgmtGroups').online)]"
+ },
+ // Declaring all required deployment uri's used for deployments of composite ARM templates for ESLZ
+ "deploymentUris": {
+ "managementGroups": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/mgmtGroupStructure/mgmtGroups.json')]",
+ "managementGroupsLite": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/mgmtGroupStructure/mgmtGroupsLite.json')]",
+ "policyDefinitions": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyDefinitions/policies.json')]",
+ "vnetConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/hubspoke-connectivity.json')]",
+ "vwanConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/vwan-connectivity.json')]",
+ "nvaConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/nvahubspoke-connectivity.json')]",
+ "subscriptionPlacement": 
"[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/subscriptionOrganization/subscriptionOrganization.json')]",
+ "monitoring": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/logAnalyticsWorkspace.json')]",
+ "azOpsRBAC": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/roleAssignments/azOpsRoleAssignment.json')]",
+ "resourceGroup": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/resourceGroup.json')]",
+ "ddosProtection": "[uri(deployment().properties.templateLink.uri, 'resourceGroupTemplates/ddosProtection.json')]",
+ "azOpsSetup": "[uri(deployment().properties.templateLink.uri, 'resourceGroupTemplates/azOpsArm.json')]",
+ "logAnalyticsPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-LogAnalyticsPolicyAssignment.json')]",
+ "monitoringSolutions": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/logAnalyticsSolutions.json')]",
+ "asbPolicyInitiative": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-ASBPolicyAssignment.json')]",
+ "resourceDiagnosticsInitiative": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-ResourceDiagnosticsPolicyAssignment.json')]",
+ "activityDiagnosticsPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-ActivityLogPolicyAssignment.json')]",
+ "ascConfigPolicyInitiative": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-ASCConfigPolicyAssignment.json')]",
+ "azVmMonitorPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-VMMonitoringPolicyAssignment.json')]",
+ "azVmssMonitorPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 
'managementGroupTemplates/policyAssignments/DINE-VMSSMonitoringPolicyAssignment.json')]",
+ "azBackupLzPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-VMBackupPolicyAssignment.json')]",
+ "azBackupIdentityPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-VMBackupPolicyAssignment.json')]",
+ "azPolicyForAksPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-AksPolicyPolicyAssignment.json')]",
+ "aksPrivEscalationPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-AksPrivEscalationPolicyAssignment.json')]",
+ "aksPrivilegedPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-AksPrivilegedPolicyAssignment.json')]",
+ "tlsSslPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-DINE-APPEND-TLS-SSL-PolicyAssignment.json')]",
+ "aksHttpsPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-AksWithoutHttpsPolicyAssignment.json')]",
+ "ipFwdPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-IPForwardingPolicyAssignment.json')]",
+ "publicEndpointPolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyDefinitions/DENY-PublicEndpointsPolicySetDefinition.json')]",
+ "publicEndpointPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-PublicEndpointPolicyAssignment.json')]",
+ "privateDnsZonePolicySetDefinition": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyDefinitions/DINE-PrivateDNSZonesPolicySetDefinition.json')]",
+ 
"privateDnsZonePolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-PrivateDNSZonesPolicyAssignment.json')]",
+ "pipPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-PublicIpAddressPolicyAssignment.json')]",
+ "rdpFromInternetPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-RDPFromInternetPolicyAssignment.json')]",
+ "storageHttpsPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-StorageWithoutHttpsPolicyAssignment.json')]",
+ "subnetNsgPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-SubnetWithoutNsgPolicyAssignment.json')]",
+ "sqlAuditPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-SQLAuditingPolicyAssignment.json')]",
+ "sqlEncryptionPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-SQLAuditingPolicyAssignment.json')]",
+ "ddosPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/MODIFY-DDoSPolicyAssignment.json')]",
+ "corpVnetPeering": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/vnetPeering.json')]",
+ "corpVwanPeering": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/vnetPeeringVwan.json')]",
+ "privateDnsZones": "[uri(deployment().properties.templateLink.uri, 'resourceGroupTemplates/privateDnsZones.json')]",
+ "roleAssignments": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/roleAssignments/roleAssignment.json')]"
+ },
+ // Declaring deterministic deployment names
+ "deploymentSuffix": "[concat('-', deployment().location, 
guid(parameters('enterpriseScaleCompanyPrefix')))]",
+ "deploymentNames": {
+ "mgmtGroupDeploymentName": "[take(concat('EntScale-Mgs', variables('deploymentSuffix')), 64)]",
+ "mgmtSubscriptionPlacement": "[take(concat('EntScale-MgmtSub', variables('deploymentSuffix')), 64)]",
+ "corpPeeringDeploymentName": "[take(concat('EntScale-CorpPeering', variables('deploymentSuffix')), 60)]",
+ "connectivitySubscriptionPlacement": "[take(concat('EntScale-ConnectivitySub', variables('deploymentSuffix')), 64)]",
+ "identitySubscriptionPlacement": "[take(concat('EntScale-IdentitySub', variables('deploymentSuffix')), 64)]",
+ "policyDeploymentName": "[take(concat('EntScale-Policy', variables('deploymentSuffix')), 64)]",
+ "azOpsRbacDeploymentName": "[take(concat('EntScale-AzOpsRbac', variables('deploymentSuffix')), 64)]",
+ "azOpsRgDeploymentName": "[take(concat('EntScale-AzOpsRg', variables('deploymentSuffix')), 64)]",
+ "ddosRgDeploymentName": "[take(concat('EntScale-DDoSRg', variables('deploymentSuffix')), 64)]",
+ "ddosDeploymentName": "[take(concat('EntScale-DDoS', variables('deploymentSuffix')), 64)]",
+ "ddosHubPolicyDeploymentName": "[take(concat('EntScale-DDoSHubPolicy', variables('deploymentSuffix')), 64)]",
+ "ddosLzPolicyDeploymentName": "[take(concat('EntScale-DDoSLZPolicy', variables('deploymentSuffix')), 64)]",
+ "azOpsSetupDeploymentName": "[take(concat('EntScale-AzOpsSetup', variables('deploymentSuffix')), 64)]",
+ "monitoringDeploymentName": "[take(concat('EntScale-Monitoring', variables('deploymentSuffix')), 64)]",
+ "logAnalyticsPolicyDeploymentName": "[take(concat('EntScale-LAPolicy', variables('deploymentSuffix')), 64)]",
+ "monitoringSolutionsDeploymentName": "[take(concat('EntScale-Solutions', variables('deploymentSuffix')), 64)]",
+ "asbPolicyDeploymentName": "[take(concat('EntScale-ASB', variables('deploymentSuffix')), 64)]",
+ "resourceDiagnosticsPolicyDeploymentName": "[take(concat('EntScale-ResourceDiagnostics', variables('deploymentSuffix')), 64)]",
+ "activityDiagnosticsPolicyDeploymentName": "[take(concat('EntScale-ActivityDiagnostics', variables('deploymentSuffix')), 64)]",
+ "ascPolicyDeploymentName": "[take(concat('EntScale-ASC', variables('deploymentSuffix')), 64)]",
+ "vnetConnectivityHubDeploymentName": "[take(concat('EntScale-HubSpoke', variables('deploymentSuffix')), 64)]",
+ "vwanConnectivityHubDeploymentName": "[take(concat('EntScale-VWanHub', variables('deploymentSuffix')), 64)]",
+ "nvaConnectivityHubDeploymentName": "[take(concat('EntScale-NVAHub', variables('deploymentSuffix')), 64)]",
+ "azVmMonitorPolicyDeploymentName": "[take(concat('EntScale-AzVmMonitor', variables('deploymentSuffix')), 64)]",
+ "azVmssMonitorPolicyDeploymentName": "[take(concat('EntScale-AzVmssMonitor', variables('deploymentSuffix')), 64)]",
+ "azBackupLzPolicyDeploymentName": "[take(concat('EntScale-AzBackupLz', variables('deploymentSuffix')), 64)]",
+ "azBackupIdentityPolicyDeploymentName": "[take(concat('EntScale-AzBackupIdentity', variables('deploymentSuffix')), 64)]",
+ "azPolicyForAksPolicyDeploymentName": "[take(concat('EntScale-AksPolicy', variables('deploymentSuffix')), 64)]",
+ "aksPrivEscalationPolicyDeploymentName": "[take(concat('EntScale-AksPrivEsc', variables('deploymentSuffix')), 64)]",
+ "aksHttpsPolicyDeploymentName": "[take(concat('EntScale-AksHttps', variables('deploymentSuffix')), 64)]",
+ "aksPrivilegedPolicyDeploymentName": "[take(concat('EntScale-AksPrivileged', variables('deploymentSuffix')), 64)]",
+ "tlsSslPolicyDeploymentName": "[take(concat('EntScale-TLSSSL', variables('deploymentSuffix')), 64)]",
+ "ipFwPolicyDeploymentName": "[take(concat('EntScale-IPFwd', variables('deploymentSuffix')), 64)]",
+ "publicEndpointPolicyDeploymentName": "[take(concat('EntScale-PEndpoint', variables('deploymentSuffix')), 64)]",
+ "publicEndpointPolicyDefinitionName": "[take(concat('EntScale-Policy-PEndpoints', variables('deploymentSuffix')), 64)]",
+ "privateDnsPolicyDefinitionName": 
"[take(concat('EntScale-Policy-PrivateDns', variables('deploymentSuffix')), 64)]",
+ "privateDnsPolicyDeploymentName": "[take(concat('EntScale-PrivDNSAssignment', variables('deploymentSuffix')), 64)]",
+ "pipPolicyDeploymentName": "[take(concat('EntScale-PIP', variables('deploymentSuffix')), 64)]",
+ "rdpFromInternetPolicyDeploymentName": "[take(concat('EntScale-RDP', variables('deploymentSuffix')), 64)]",
+ "rdpFromInternetIdentityPolicyDeploymentName": "[take(concat('EntScale-RDPIdentity', variables('deploymentSuffix')), 64)]",
+ "storageHttpsPolicyDeploymentName": "[take(concat('EntScale-StorageHttps', variables('deploymentSuffix')), 64)]",
+ "subnetNsgPolicyDeploymentName": "[take(concat('EntScale-SubnetNsg', variables('deploymentSuffix')), 64)]",
+ "subnetNsgIdentityPolicyDeploymentName": "[take(concat('EntScale-SubnetNsgIdentity', variables('deploymentSuffix')), 64)]",
+ "sqlAuditPolicyDeploymentName": "[take(concat('EntScale-SqlAudit', variables('deploymentSuffix')), 64)]",
+ "sqlEncryptionPolicyDeploymentName": "[take(concat('EntScale-SqlEncrypt', variables('deploymentSuffix')), 64)]",
+ "onlineLzSubs": "[take(concat('EntScale-OnlineLzs', variables('deploymentSuffix')), 60)]",
+ "corpLzSubs": "[take(concat('EntScale-CorpLzs', variables('deploymentSuffix')), 60)]",
+ "corpConnectedMoveLzSubs": "[take(concat('EntScale-CorpConnLzs', variables('deploymentSuffix')), 50)]",
+ "corpConnectedLzSubs": "[take(concat('EntScale-CorpPeering', variables('deploymentSuffix')), 50)]",
+ "privateDnsZoneRgDeploymentName": "[take(concat('EntScale-PrivDNSRG', variables('deploymentSuffix')), 64)]",
+ "privateDnsZonesDeploymentName": "[take(concat('EntScale-PrivDNSZones', variables('deploymentSuffix')), 35)]",
+ "dnsZoneRoleAssignmentDeploymentName": "[take(concat('EntScale-DNSZoneRole', variables('deploymentSuffix')), 64)]",
+ "identityPeeringDeploymentName": "[take(concat('EntScale-IDPeering', variables('deploymentSuffix')), 64)]",
+ "identityVwanPeeringDeploymentName": 
"[take(concat('EntScale-IDVwanPeering', variables('deploymentSuffix')), 64)]",
+ "corpConnectedLzVwanSubs": "[take(concat('EntScale-CorpConnLzsVwan', variables('deploymentSuffix')), 50)]"
+ },
+ "esLiteDeploymentNames": {
+ "mgmtGroupLiteDeploymentName": "[take(concat('EntScale-MgsLite', variables('deploymentSuffix')), 64)]",
+ "rdpFromInternetIdentityLitePolicyDeploymentName": "[take(concat('EntScale-RDPIdentity', variables('deploymentSuffix')), 64)]",
+ "azBackupIdentityLitePolicyDeploymentName": "[take(concat('EntScale-AzBackupIdentity', variables('deploymentSuffix')), 64)]",
+ "subnetNsgIdentityLitePolicyDeploymentName": "[take(concat('EntScale-SubnetNsgIdentity', variables('deploymentSuffix')), 64)]",
+ "monitoringLiteDeploymentName": "[take(concat('EntScale-MonitoringLite', variables('deploymentSuffix')), 64)]",
+ "logAnalyticsLitePolicyDeploymentName": "[take(concat('EntScale-LAPolicyLite', variables('deploymentSuffix')), 64)]",
+ "monitoringSolutionsLiteDeploymentName": "[take(concat('EntScale-SolutionsLite', variables('deploymentSuffix')), 64)]",
+ "platformLiteSubscriptionPlacement": "[take(concat('EntScale-PlatformSubLite', variables('deploymentSuffix')), 64)]",
+ "vnetConnectivityHubLiteDeploymentName": "[take(concat('EntScale-VnetHubLite', variables('deploymentSuffix')), 64)]",
+ "vwanConnectivityHubLiteDeploymentName": "[take(concat('EntScale-VWanHubLite', variables('deploymentSuffix')), 64)]",
+ "nvaConnectivityHubLiteDeploymentName": "[take(concat('EntScale-NVAHubLite', variables('deploymentSuffix')), 64)]",
+ "azOpsSetupLiteDeploymentName": "[take(concat('EntScale-AzOpsSetupLite', variables('deploymentSuffix')), 64)]",
+ "azOpsRbacLiteDeploymentName": "[take(concat('EntScale-AzOpsRbacLite', variables('deploymentSuffix')), 64)]",
+ "azOpsRgLiteDeploymentName": "[take(concat('EntScale-AzOpsRgLite', variables('deploymentSuffix')), 64)]",
+ "ddosRgLiteDeploymentName": "[take(concat('EntScale-DDoSRgLite', variables('deploymentSuffix')), 64)]",
+ 
"ddosLiteDeploymentName": "[take(concat('EntScale-DDoSLite', variables('deploymentSuffix')), 64)]",
+ "ddosHubLitePolicyDeploymentName": "[take(concat('EntScale-DDoSHubPolicyLite', variables('deploymentSuffix')), 64)]",
+ "privateDnsZoneRgLiteDeploymentName": "[take(concat('EntScale-PrivDNSRGLite', variables('deploymentSuffix')), 64)]",
+ "privateDnsZonesLiteDeploymentName": "[take(concat('EntScale-PrivDNSLite', variables('deploymentSuffix')), 35)]"
+
+ },
+ // Declaring deterministic names for Resource Groups that will be created for platform resources
+ "platformRgNames": {
+ "mgmtRg": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-mgmt')]",
+ "azOpsRg": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-azops')]",
+ "connectivityRg": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-vnethub-', parameters('location'))]",
+ "ddosRg": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-ddos')]",
+ "privateDnsRg": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-privatedns')]",
+ "identityVnetRg": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-vnet-', parameters('location'))]",
+ "lzVnetRg": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-vnet-', parameters('location'))]"
+ },
+ // Declaring deterministic names for platform resources that will be created
+ "platformResourceNames": {
+ "logAnalyticsWorkspace": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-law')]",
+ "automationAccount": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-aauto')]",
+ "vpnGwName": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-vpngw-', parameters('location'))]",
+ "erGwName": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-ergw-', parameters('location'))]",
+ "ddosName": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-ddos-', parameters('location'))]",
+ "azFwPolicyName": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-azfwpolicy-', parameters('location'))]",
+ "azFwName": 
"[concat(parameters('enterpriseScaleCompanyPrefix'), '-fw-', parameters('location'))]",
+ "azErGwIpName": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-erpip-', parameters('location'))]",
+ "hubName": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-hub-', parameters('location'))]",
+ "vwanName": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-vwan-', parameters('location'))]",
+ "azVpnGwIpName": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-gwpip-', parameters('location'))]",
+ "azFwIpName": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-fwpip-', parameters('location'))]",
+ "identityVnet": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-vnet-', parameters('location'))]",
+ "lzVnet": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-vnet-', parameters('location'))]"
+ },
+ // Declaring subscriptionId for AzOps
+ "azOpsSubscriptionId": "[if(empty(parameters('subscriptionId')), parameters('singlePlatformSubscriptionId'), parameters('subscriptionId'))]",
+ // Declaring deterministic resourceId's for platform resources that will be created
+ "singleVsDedicatedMgmtSub": "[if(empty(parameters('managementSubscriptionId')), parameters('singlePlatformSubscriptionId'), parameters('managementSubscriptionId'))]",
+ "singleVsDedicatedConnectivitySub": "[if(empty(parameters('connectivitySubscriptionId')), parameters('singlePlatformSubscriptionId'), parameters('connectivitySubscriptionId'))]",
+ "singleVsDedicatedIdentitySub": "[if(empty(parameters('identitySubscriptionId')), parameters('singlePlatformSubscriptionId'), parameters('identitySubscriptionId'))]",
+ "platformResourceIds": {
+ "logAnalyticsResourceId": "[concat('/subscriptions/', variables('singleVsDedicatedMgmtSub'), '/resourceGroups/', variables('platformRgNames').mgmtRg, '/providers/Microsoft.OperationalInsights/workspaces/', variables('platformResourceNames').logAnalyticsWorkspace)]",
+ "automationResourceId": "[concat('/subscriptions/', 
variables('singleVsDedicatedMgmtSub'), '/resourceGroups/', variables('platformRgNames').mgmtRg, '/providers/Microsoft.Automation/automationAccounts/', variables('platformResourceNames').automationAccount)]",
+ "ddosProtectionResourceId": "[concat('/subscriptions/', variables('singleVsDedicatedConnectivitySub'), '/resourceGroups/', variables('platformRgNames').ddosRg, '/providers/Microsoft.Network/ddosProtectionPlans/', variables('platformResourceNames').ddosName)]",
+ "vNetHubResourceId": "[concat('/subscriptions/', variables('singleVsDedicatedConnectivitySub'), '/resourceGroups/', variables('platformRgNames').connectivityRg, '/providers/Microsoft.Network/virtualNetworks/', variables('platformResourceNames').hubName)]",
+ "vWanHubResourceId": "[concat('/subscriptions/', variables('singleVsDedicatedConnectivitySub'), '/resourceGroups/', variables('platformRgNames').connectivityRg, '/providers/Microsoft.Network/virtualHubs/', variables('platformResourceNames').hubName)]",
+ "privateDnsRgResourceId": "[concat('/subscriptions/', variables('singleVsDedicatedConnectivitySub'), '/resourceGroups/', variables('platformRgNames').privateDnsRg)]",
+ "azFirewallResourceId": "[concat('/subscriptions/', variables('singleVsDedicatedConnectivitySub'), '/resourceGroups/', variables('platformRgNames').connectivityRg, '/providers/Microsoft.Network/azureFirewalls/', variables('platformResourceNames').azFwName)]"
+ },
+ // Declaring deterministic resourceId's for ES Lite platform resources (as they will be consolidated into a single platform subscription)
+ "deterministicRoleAssignmentGuids": {
+ "ddosForConnectivity": "[take(guid(concat(parameters('enterpriseScaleCompanyPrefix'), 'ddos')), 10)]",
+ "backupForIdentity": "[take(guid(concat(parameters('enterpriseScaleCompanyPrefix'), 'idbackup')), 10)]"
+ },
+ "privateDnsZones": [
+ "privatelink.azure-automation.net",
+ "privatelink.database.windows.net",
+ "privatelink.sql.azuresynapse.net",
+ "privatelink.blob.core.windows.net",
+ 
"privatelink.table.core.windows.net",
+ "privatelink.queue.core.windows.net",
+ "privatelink.file.core.windows.net",
+ "privatelink.web.core.windows.net",
+ "privatelink.dfs.core.windows.net",
+ "privatelink.documents.azure.com",
+ "privatelink.mongo.cosmos.azure.com",
+ "privatelink.cassandra.cosmos.azure.com",
+ "privatelink.gremlin.cosmos.azure.com",
+ "privatelink.postgres.database.azure.com",
+ "privatelink.mysql.database.azure.com",
+ "privatelink.mariadb.database.azure.com",
+ "privatelink.vaultcore.azure.net",
+ "[concat('privatelink.', parameters('location'), '.azmk8s.io')]",
+ "privatelink.search.windows.net",
+ "privatelink.azurecr.io",
+ "privatelink.azconfig.io",
+ "[concat('privatelink.', parameters('location'), '.backup.windowsazure.com')]",
+ "[concat(parameters('location'), '.privatelink.siterecovery.windowsazure.com')]",
+ "privatelink.servicebus.windows.net",
+ "privatelink.azure-devices.net",
+ "privatelink.eventgrid.azure.net",
+ "privatelink.azurewebsites.net",
+ "privatelink.api.azureml.ms",
+ "privatelink.notebooks.azure.net",
+ "privatelink.service.signalr.net",
+ "privatelink.monitor.azure.com",
+ "privatelink.oms.opsinsights.azure.com",
+ "privatelink.ods.opsinsights.azure.com",
+ "privatelink.agentsvc.azure-automation.net",
+ "privatelink.cognitiveservices.azure.com",
+ "privatelink.afs.azure.net",
+ "privatelink.datafactory.azure.com",
+ "privatelink.adf.azure.com",
+ "privatelink.redis.cache.windows.net"
+ ],
+ "roleDefinitions": {
+ "networkContributor": "4d97b98b-1d4f-4787-a291-c67834d212e7"
+ }
+ },
+ "resources": [
+ /*
+ The following deployment will create the management group structure for ESLZ and ensure the sustainable, scalable architecture
+ */
+ {
+ // Creating the ESLZ management group structure
+ "condition": "[empty(parameters('singlePlatformSubscriptionId'))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "[variables('deploymentNames').mgmtGroupDeploymentName]",
+ "location": 
"[deployment().location]",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').managementGroups]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+ }
+ }
+ }
+ },
+ /*
+ The following deployments will deploy the required proactive and preventive Azure policies for ESLZ policy driven governance
+ */
+ {
+ // Deploying ESLZ custom policies. Note: all policies will eventually be moved to built-in policies and codebase will be reduced
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "[variables('deploymentNames').policyDeploymentName]",
+ "location": "[deployment().location]",
+ "scope": "[concat('Microsoft.Management/managementGroups/', parameters('enterpriseScaleCompanyPrefix'))]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').policyDefinitions]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+ }
+ }
+ }
+ },
+ {
+ // Deploying ESLZ Policy Initiative to prevent usage of public endpoints for PaaS services using built-in policies
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "[variables('deploymentNames').publicEndpointPolicyDefinitionName]",
+ "location": "[deployment().location]",
+ "scope": "[concat('Microsoft.Management/managementGroups/', parameters('enterpriseScaleCompanyPrefix'))]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]",
+ 
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').publicEndpointPolicySetDefinition]"
+ },
+ "parameters": {}
+ }
+ },
+ {
+ // Deploying ESLZ Policy Initiative to deploy Private DNS Zones for PaaS services using built-in policies
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "[variables('deploymentNames').privateDnsPolicyDefinitionName]",
+ "location": "[deployment().location]",
+ "scope": "[concat('Microsoft.Management/managementGroups/', parameters('enterpriseScaleCompanyPrefix'))]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').privateDnsZonePolicySetDefinition]"
+ },
+ "parameters": {}
+ }
+ },
+ {
+ // One of Azure's untold stories..... 
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[concat('preparingToLaunch', copyIndex())]",
+ "location": "[deployment().location]",
+ "scope": "[concat('Microsoft.Management/managementGroups/', parameters('enterpriseScaleCompanyPrefix'))]",
+ "dependsOn": [
+ "[variables('deploymentNames').policyDeploymentName]",
+ "[variables('deploymentNames').privateDnsPolicyDefinitionName]",
+ "[variables('deploymentNames').publicEndpointPolicyDefinitionName]"
+ ],
+ "copy": {
+ "batchSize": 1,
+ "count": 20,
+ "mode": "Serial",
+ "name": "policyCompletion"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {},
+ "resources": [],
+ "outputs": {}
+ }
+ }
+ },
+ /*
+ The following deployments will organize the dedicated platform subscriptions into their respective management groups
+ */
+ {
+ // Placing management subscription into dedicated management group
+ "condition": "[not(empty(parameters('managementSubscriptionId')))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[variables('deploymentNames').mgmtSubscriptionPlacement]",
+ "location": "[deployment().location]",
+ "scope": "[variables('scopes').managementManagementGroup]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').subscriptionPlacement]"
+ },
+ "parameters": {
+ "targetManagementGroupId": {
+ "value": "[variables('mgmtGroups').management]"
+ },
+ "subscriptionId": {
+ "value": "[parameters('managementSubscriptionId')]"
+ }
+ }
+ }
+ },
+ {
+ // Placing connectivity subscription into dedicated management group
+ "condition": 
"[not(empty(parameters('connectivitySubscriptionId')))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[variables('deploymentNames').connectivitySubscriptionPlacement]",
+ "location": "[deployment().location]",
+ "scope": "[variables('scopes').connectivityManagementGroup]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').subscriptionPlacement]"
+ },
+ "parameters": {
+ "targetManagementGroupId": {
+ "value": "[variables('mgmtGroups').connectivity]"
+ },
+ "subscriptionId": {
+ "value": "[parameters('connectivitySubscriptionId')]"
+ }
+ }
+ }
+ },
+ {
+ // Placing identity subscription into dedicated management group
+ "condition": "[not(empty(parameters('identitySubscriptionId')))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[variables('deploymentNames').identitySubscriptionPlacement]",
+ "location": "[deployment().location]",
+ "scope": "[variables('scopes').identityManagementGroup]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').subscriptionPlacement]"
+ },
+ "parameters": {
+ "targetManagementGroupId": {
+ "value": "[variables('mgmtGroups').identity]"
+ },
+ "subscriptionId": {
+ "value": "[parameters('identitySubscriptionId')]"
+ }
+ }
+ }
+ },
+ /*
+ The following deployments will optionally configure the governance, security, and monitoring for the Azure platform and landing zones
+ */
+ {
+ // Deploying Log Analytics workspace to management subscription if condition is true
+ "condition": "[and(equals(parameters('enableLogAnalytics'), 'Yes'), 
not(empty(parameters('managementSubscriptionId'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[variables('deploymentNames').monitoringDeploymentName]",
+ "location": "[deployment().location]",
+ "subscriptionId": "[parameters('managementSubscriptionId')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]",
+ "policyCompletion"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').monitoring]"
+ },
+ "parameters": {
+ "rgName": {
+ "value": "[variables('platformRgNames').mgmtRg]"
+ },
+ "workspaceName": {
+ "value": "[variables('platformResourceNames').logAnalyticsWorkspace]"
+ },
+ "workspaceRegion": {
+ "value": "[deployment().location]"
+ },
+ "automationAccountName": {
+ "value": "[variables('platformResourceNames').automationAccount]"
+ },
+ "automationRegion": {
+ "value": "[deployment().location]"
+ },
+ "retentionInDays": {
+ "value": "[parameters('retentionInDays')]"
+ }
+ }
+ }
+ },
+ {
+ // Deploying Log Analytics solutions to Log Analytics workspace if condition is true
+ "condition": "[and(and(not(empty(parameters('managementSubscriptionId'))), equals(parameters('enableLogAnalytics'), 'Yes')), equals(parameters('enableLogAnalytics'), 'Yes'), or(or(or(or(or(equals(parameters('enableSecuritySolution'), 'Yes'), equals(parameters('enableAgentHealth'), 'Yes')), equals(parameters('enableChangeTracking'), 'Yes')), equals(parameters('enableUpdateMgmt'), 'Yes'), equals(parameters('enableActivityLog'), 'Yes')), equals(parameters('enableVmInsights'), 'Yes')), equals(parameters('enableServiceMap'), 'Yes'), equals(parameters('enableSqlAssessment'), 'Yes')))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[variables('deploymentNames').monitoringSolutionsDeploymentName]",
+ "location": "[deployment().location]",
+ 
"subscriptionId": "[parameters('managementSubscriptionId')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
+ "policyCompletion"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').monitoringSolutions]"
+ },
+ "parameters": {
+ "rgName": {
+ "value": "[variables('platformRgNames').mgmtRg]"
+ },
+ "workspaceName": {
+ "value": "[variables('platformResourceNames').logAnalyticsWorkspace]"
+ },
+ "workspaceRegion": {
+ "value": "[deployment().location]"
+ },
+ "enableSecuritySolution": {
+ "value": "[parameters('enableSecuritySolution')]"
+ },
+ "enableAgentHealth": {
+ "value": "[parameters('enableAgentHealth')]"
+ },
+ "enableChangeTracking": {
+ "value": "[parameters('enableChangeTracking')]"
+ },
+ "enableUpdateMgmt": {
+ "value": "[parameters('enableUpdateMgmt')]"
+ },
+ "enableActivityLog": {
+ "value": "[parameters('enableActivityLog')]"
+ },
+ "enableVmInsights": {
+ "value": "[parameters('enableVmInsights')]"
+ },
+ "enableServiceMap": {
+ "value": "[parameters('enableServiceMap')]"
+ },
+ "enableSqlAssessment": {
+ "value": "[parameters('enableSqlAssessment')]"
+ }
+ }
+ }
+ },
+ {
+ // Assigning Log Analytics workspace policy to management management group if condition is true
+ "condition": "[and(equals(parameters('enableLogAnalytics'), 'Yes'), not(empty(parameters('managementSubscriptionId'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[variables('deploymentNames').logAnalyticsPolicyDeploymentName]",
+ "scope": "[variables('scopes').managementManagementGroup]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]",
+ "policyCompletion"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ 
"uri": "[variables('deploymentUris').logAnalyticsPolicyAssignment]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+ },
+ "rgName": {
+ "value": "[variables('platformRgNames').mgmtRg]"
+ },
+ "logAnalyticsWorkspaceName": {
+ "value": "[variables('platformResourceNames').logAnalyticsWorkspace]"
+ },
+ "workspaceRegion": {
+ "value": "[deployment().location]"
+ },
+ "automationAccountName": {
+ "value": "[variables('platformResourceNames').automationAccount]"
+ },
+ "automationRegion": {
+ "value": "[deployment().location]"
+ },
+ "retentionInDays": {
+ "value": "[parameters('retentionInDays')]"
+ }
+ }
+ }
+ },
+ {
+ // Assigning Azure Security Benchmark policy to intermediate root management group if condition is true
+ "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), or(equals(parameters('enableLogAnalytics'), 'Yes'), equals(parameters('enableAsc'), 'Yes')))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[variables('deploymentNames').asbPolicyDeploymentName]",
+ "scope": "[variables('scopes').eslzRootManagementGroup]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]",
+ "policyCompletion",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').asbPolicyInitiative]"
+ },
+ "parameters": {}
+ }
+ },
+ {
+ // Assigning Azure Monitor Resource Diagnostics policy to intermediate root management group if condition is true
+ "condition": 
"[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableLogAnalytics'), 'Yes'))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName]",
+ "scope": "[variables('scopes').eslzRootManagementGroup]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').platformLiteSubscriptionPlacement)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').resourceDiagnosticsInitiative]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+ },
+ "logAnalyticsResourceId": {
+ "value": "[variables('platformResourceIds').logAnalyticsResourceId]"
+ }
+ }
+ }
+ },
+ {
+ // Assigning Azure Activity Diagnostics Log policy to intermediate root management group if condition is true
+ "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableLogAnalytics'), 'Yes'))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[variables('deploymentNames').activityDiagnosticsPolicyDeploymentName]",
+ "scope": "[variables('scopes').eslzRootManagementGroup]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', 
variables('deploymentNames').monitoringDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').activityDiagnosticsPolicyAssignment]" + }, + "parameters": { + "logAnalyticsResourceId": { + "value": "[variables('platformResourceIds').logAnalyticsResourceId]" + }, + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + } + } + } + }, + { + // Assigning Azure Security Center configuration policy initiative to intermediate root management group if condition is true + "condition": "[and(or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId')))), equals(parameters('enableAsc'), 'Yes'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').ascPolicyDeploymentName]", + "scope": "[variables('scopes').eslzRootManagementGroup]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').ascConfigPolicyInitiative]" + }, + "parameters": { + "logAnalyticsResourceId": { + "value": "[variables('platformResourceIds').logAnalyticsResourceId]" + }, + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "emailContactAsc": { + "value": "[parameters('emailContactAsc')]" + }, + "enableAscForServers": { + "value": "[parameters('enableAscForServers')]" + }, + "enableAscForSql": { + "value": 
"[parameters('enableAscForSql')]" + }, + "enableAscForAppServices": { + "value": "[parameters('enableAscForAppServices')]" + }, + "enableAscForStorage": { + "value": "[parameters('enableAscForStorage')]" + }, + "enableAscForRegistries": { + "value": "[parameters('enableAscForRegistries')]" + }, + "enableAscForKeyVault": { + "value": "[parameters('enableAscForKeyVault')]" + }, + "enableAscForSqlOnVm": { + "value": "[parameters('enableAscForSqlOnVm')]" + }, + "enableAscForKubernetes": { + "value": "[parameters('enableAscForKubernetes')]" + }, + "enableAscForArm": { + "value": "[parameters('enableAscForArm')]" + }, + "enableAscForDns": { + "value": "[parameters('enableAscForDns')]" + } + } + } + }, + /* + The following optional deployment will configure virtual network hub into the connectivity subscription + */ + { + // Creating resource group for DDoS Standard Protection + "condition": "[and(equals(parameters('enableDdoS'), 'Yes'), not(empty(parameters('connectivitySubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').ddosRgDeploymentName]", + "subscriptionId": "[parameters('connectivitySubscriptionId')]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').connectivitySubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').resourceGroup]" + 
}, + "parameters": { + "rgName": { + "value": "[variables('platformRgNames').ddosRg]" + }, + "location": { + "value": "[parameters('location')]" + } + } + } + }, + { + // Creating DDoS protection plan into the connectivity subscription + "condition": "[and(equals(parameters('enableDdoS'), 'Yes'), not(empty(parameters('connectivitySubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').ddosDeploymentName]", + "subscriptionId": "[parameters('connectivitySubscriptionId')]", + "resourceGroup": "[variables('platformRgNames').ddosRg]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosRgDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').ddosProtection]" + }, + "parameters": { + "ddosName": { + "value": "[variables('platformResourceNames').ddosName]" + }, + "location": { + "value": "[parameters('location')]" + } + } + } + }, + { + // Assigning DDoS Policy to enforce DDoS on virtual networks if condition evaluates to true + "condition": "[and(equals(parameters('enableDdoS'), 'Yes'), not(empty(parameters('connectivitySubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').ddosHubPolicyDeploymentName]", + "scope": "[variables('scopes').connectivityManagementGroup]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", 
+ "uri": "[variables('deploymentUris').ddosPolicyAssignment]" + }, + "parameters": { + "ddosPlanResourceId": { + "value": "[variables('platformResourceIds').ddosProtectionResourceId]" + }, + "topLevelManagementGroupPrefix": { + "value": "[variables('deterministicRoleAssignmentGuids').ddosForConnectivity]" + }, + "enforcementMode": { + "value": "Default" + } + } + } + }, + { + // Creating the virtual network hub (hub and spoke) + "condition": "[and(not(empty(parameters('connectivitySubscriptionId'))),equals(parameters('enableHub'), 'vhub'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "scope": "[variables('scopes').connectivityManagementGroup]", + "name": "[variables('deploymentNames').vnetConnectivityHubDeploymentName]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').connectivitySubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosDeploymentName)]" + ], + "location": "[deployment().location]", + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').vnetConnectivityHub]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "ddosPlanResourceId": { + "value": "[variables('platformResourceIds').ddosProtectionResourceId]" + }, + "enableHub": { + "value": "[parameters('enableHub')]" + }, + "enableAzFw": { + "value": 
"[parameters('enableAzFw')]" + }, + "addressPrefix": { + "value": "[parameters('addressPrefix')]" + }, + "enableVpnGw": { + "value": "[parameters('enableVpnGw')]" + }, + "enableErGw": { + "value": "[parameters('enableErGw')]" + }, + "enableDdoS": { + "value": "[parameters('enableDdoS')]" + }, + "location": { + "value": "[parameters('location')]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('connectivitySubscriptionId')]" + }, + "subnetMaskForAzFw": { + "value": "[parameters('subnetMaskForAzFw')]" + }, + "subnetMaskForGw": { + "value": "[parameters('subnetMaskForGw')]" + }, + "firewallZones": { + "value": "[parameters('firewallZones')]" + }, + "enableAzFwDnsProxy": { + "value": "[parameters('enableAzFwDnsProxy')]" + }, + "gwRegionalOrAz": { + "value": "[parameters('gwRegionalOrAz')]" + }, + "gwAzSku": { + "value": "[parameters('gwAzSku')]" + }, + "gwRegionalSku": { + "value": "[parameters('gwRegionalSku')]" + }, + "erRegionalOrAz": { + "value": "[parameters('erRegionalOrAz')]" + }, + "erAzSku": { + "value": "[parameters('erAzSku')]" + }, + "erRegionalSku": { + "value": "[parameters('erRegionalSku')]" + } + } + } + }, + { + // Creating the virtual network hub (with NVA) + "condition": "[and(not(empty(parameters('connectivitySubscriptionId'))),equals(parameters('enableHub'), 'nva'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "scope": "[variables('scopes').connectivityManagementGroup]", + "name": "[variables('deploymentNames').nvaConnectivityHubDeploymentName]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').connectivitySubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', 
variables('deploymentNames').asbPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosDeploymentName)]" + ], + "location": "[deployment().location]", + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').nvaConnectivityHub]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "ddosPlanResourceId": { + "value": "[variables('platformResourceIds').ddosProtectionResourceId]" + }, + "enableHub": { + "value": "[parameters('enableHub')]" + }, + "addressPrefix": { + "value": "[parameters('addressPrefix')]" + }, + "enableVpnGw": { + "value": "[parameters('enableVpnGw')]" + }, + "enableErGw": { + "value": "[parameters('enableErGw')]" + }, + "enableDdoS": { + "value": "[parameters('enableDdoS')]" + }, + "location": { + "value": "[parameters('location')]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('connectivitySubscriptionId')]" + }, + "subnetMaskForGw": { + "value": "[parameters('subnetMaskForGw')]" + }, + "gwRegionalOrAz": { + "value": "[parameters('gwRegionalOrAz')]" + }, + "gwAzSku": { + "value": "[parameters('gwAzSku')]" + }, + "gwRegionalSku": { + "value": "[parameters('gwRegionalSku')]" + }, + "erRegionalOrAz": { + "value": "[parameters('erRegionalOrAz')]" + }, + "erAzSku": { + "value": "[parameters('erAzSku')]" + }, + "erRegionalSku": { + "value": "[parameters('erRegionalSku')]" + } + } + } + }, + { + // Creating the VWAN network hub (Microsoft managed) + "condition": "[and(not(empty(parameters('connectivitySubscriptionId'))),equals(parameters('enableHub'), 'vwan'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "scope": "[variables('scopes').connectivityManagementGroup]", + "name": 
"[variables('deploymentNames').vwanConnectivityHubDeploymentName]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').connectivitySubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosDeploymentName)]" + ], + "location": "[deployment().location]", + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').vwanConnectivityHub]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "enableHub": { + "value": "[parameters('enableHub')]" + }, + "enableAzFw": { + "value": "[parameters('enableAzFw')]" + }, + "addressPrefix": { + "value": "[parameters('addressPrefix')]" + }, + "enableVpnGw": { + "value": "[parameters('enableVpnGw')]" + }, + "enableErGw": { + "value": "[parameters('enableErGw')]" + }, + "location": { + "value": "[parameters('location')]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('connectivitySubscriptionId')]" + }, + "expressRouteScaleUnit": { + "value": "[parameters('expressRouteScaleUnit')]" + }, + "vpnGateWayScaleUnit": { + "value": "[parameters('vpnGateWayScaleUnit')]" + } + } + } + }, + { + // Creating resource group for Private DNS Zones + "condition": "[and(equals(parameters('enablePrivateDnsZones'), 'Yes'), not(empty(parameters('connectivitySubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", 
+ "name": "[variables('deploymentNames').privateDnsZoneRgDeploymentName]", + "subscriptionId": "[parameters('connectivitySubscriptionId')]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').connectivitySubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').resourceGroup]" + }, + "parameters": { + "rgName": { + "value": "[variables('platformRgNames').privateDnsRg]" + }, + "location": { + "value": "[parameters('location')]" + } + } + } + }, + { + // Creating Private DNS Zones into the connectivity subscription + "condition": "[and(equals(parameters('enablePrivateDnsZones'), 'Yes'), not(empty(parameters('connectivitySubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[concat(variables('deploymentNames').privateDnsZonesDeploymentName, copyIndex())]", + "subscriptionId": "[parameters('connectivitySubscriptionId')]", + "resourceGroup": "[variables('platformRgNames').privateDnsRg]", + "dependsOn": [ + 
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').privateDnsZoneRgDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]" + ], + "copy": { + "name": "dnsZones", + "count": "[length(variables('privateDnsZones'))]" + }, + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').privateDnsZones]" + }, + "parameters": { + "privateDnsZoneName": { + "value": "[concat(variables('privateDnsZones')[copyIndex()])]" + }, + "connectivityHubResourceId": { + "value": "[variables('platformResourceIds').vNetHubResourceId]" + } + } + } + }, + /* + The following optional deployment will configure and setup AzOps with GitHub for your ESLZ deployment + */ + { + // Creating roleAssignment for the dedicated Service Principal for AzOps + "condition": "[and(equals(parameters('enableAzOps'), 'Yes'), not(empty(parameters('principalSecret'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').azOpsRbacDeploymentName]", + "scope": "[variables('scopes').eslzRootManagementGroup]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]" + ], + 
"properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').azOpsRBAC]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "principalId": { + "value": "[parameters('principalId')]" + } + } + } + }, + { + // Creating resource group for AzOps + "condition": "[and(equals(parameters('enableAzOps'), 'Yes'), not(empty(parameters('principalSecret'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').azOpsRgDeploymentName]", + "subscriptionId": "[variables('azOpsSubscriptionId')]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').azOpsRbacDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').resourceGroup]" + }, + "parameters": { + "rgName": { + "value": "[variables('platformRgNames').azOpsRg]" + }, + "location": { + "value": "[deployment().location]" + } + } + } + }, + { + // Creating GitHub repository and bootstraps the CICD pipeline + "condition": "[and(equals(parameters('enableAzOps'), 'Yes'), not(empty(parameters('principalSecret'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').azOpsSetupDeploymentName]", + "subscriptionId": "[variables('azOpsSubscriptionId')]", + "resourceGroup": "[variables('platformRgNames').azOpsRg]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", + 
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').azOpsRbacDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').azOpsRgDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').vnetConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').vwanConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').nvaConnectivityHubLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').monitoringSolutionsLiteDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringSolutionsDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').identitySubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "corpLzs", + "onlineLzs" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').azOpsSetup]" + }, + "parameters": { + "paToken": { + "value": 
"[parameters('paToken')]" + }, + "principalSecret": { + "value": "[parameters('principalSecret')]" + }, + "gitHubUserNameOrOrg": { + "value": "[parameters('gitHubUserNameOrOrg')]" + }, + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "appId": { + "value": "[parameters('appId')]" + }, + "repositoryName": { + "value": "[parameters('repositoryName')]" + } + } + } + }, + /* + The following deployments will deploy and configure the Azure policy governance for the landing zones + */ + { + // Deploying Private DNS Zones policy assignment for PaaS services using built-in policies + "condition": "[equals(parameters('enablePrivateDnsZonesForLzs'), 'Yes')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').privateDnsPolicyDeploymentName]", + "location": "[deployment().location]", + "scope": "[variables('scopes').corpManagementGroup]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]", + "dnsZones", + "dnsZonesLite", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').privateDnsPolicyDefinitionName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').privateDnsZonePolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "location": { + "value": "[parameters('location')]" + }, + "dnsZoneResourceGroupId": { + "value": "[variables('platformResourceIds').privateDnsRgResourceId]" + } + } + } + }, + { + // Assigning RBAC for Private DNS Zone Policy assignment to the connectivity hub + "condition": "[equals(parameters('enablePrivateDnsZonesForLzs'), 'Yes')]", + "type": 
"Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').dnsZoneRoleAssignmentDeploymentName]", + "location": "[deployment().location]", + "subscriptionId": "[variables('singleVsDedicatedConnectivitySub')]", + "dependsOn": [ + "[variables('deploymentNames').privateDnsPolicyDeploymentName]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').roleAssignments]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "principalId": { + "value": "[if(equals(parameters('enablePrivateDnsZonesForLzs'), 'Yes'), reference(variables('deploymentNames').privateDnsPolicyDeploymentName).outputs.principalId.value, 'na')]" + }, + "roleDefinitionId": { + "value": "[variables('roleDefinitions').networkContributor]" + } + } + } + }, + { + // Assigning Azure Monitor for VMs policy initiative to intermediate root management group if condition is true + "condition": "[and(or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId')))), equals(parameters('enableLogAnalytics'), 'Yes'), equals(parameters('enableVmMonitoring'), 'Yes'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').azVmMonitorPolicyDeploymentName]", + "scope": "[variables('scopes').eslzRootManagementGroup]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').azVmMonitorPolicyAssignment]" + }, + "parameters": { + "logAnalyticsResourceId": { + "value": "[variables('platformResourceIds').logAnalyticsResourceId]" + }, + "topLevelManagementGroupPrefix": { + "value": 
"[parameters('enterpriseScaleCompanyPrefix')]" + }, + "enforcementMode": { + "value": "Default" + } + } + } + }, + { + // Assigning Azure Monitor for VMSS policy initiative to intermediate root management group if condition is true + "condition": "[and(or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId')))), equals(parameters('enableLogAnalytics'), 'Yes'), equals(parameters('enableVmssMonitoring'), 'Yes'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').azVmssMonitorPolicyDeploymentName]", + "scope": "[variables('scopes').eslzRootManagementGroup]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').azVmssMonitorPolicyAssignment]" + }, + "parameters": { + "logAnalyticsResourceId": { + "value": "[variables('platformResourceIds').logAnalyticsResourceId]" + }, + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "enforcementMode": { + "value": "Default" + } + } + } + }, + { + // Assigning Azure Backup policy to landing zones management group if condition is true + "condition": "[equals(parameters('enableVmBackup'), 'Yes')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').azBackupLzPolicyDeploymentName]", + "scope": "[variables('scopes').lzsManaegmentGroup]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').azBackupLzPolicyAssignment]" + 
}, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "enforcementMode": { + "value": "Default" + } + } + } + }, + { + // Assigning DDoS Policy to enforce DDoS on virtual networks in landing zones management group if condition evaluates to true + "condition": "[and(equals(parameters('enableLzDdoS'), 'Yes'), not(empty(parameters('connectivitySubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').ddosLzPolicyDeploymentName]", + "scope": "[variables('scopes').lzsManaegmentGroup]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').ddosPolicyAssignment]" + }, + "parameters": { + "ddosPlanResourceId": { + "value": "[variables('platformResourceIds').ddosProtectionResourceId]" + }, + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "enforcementMode": { + "value": "Default" + } + } + } + }, + { + // Assigning Azure Policy enablement policy for AKS to landing zones management group if condition is true + "condition": "[equals(parameters('enableAksPolicy'), 'Yes')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').azPolicyForAksPolicyDeploymentName]", + "scope": "[variables('scopes').lzsManaegmentGroup]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').azPolicyForAksPolicyAssignment]" + }, + "parameters": { + 
"topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "enforcementMode": { + "value": "Default" + } + } + } + }, + { + // Assigning Aks Priv Escalation policy to landing zones management group if condition is true + "condition": "[equals(parameters('denyAksPrivilegedEscalation'), 'Yes')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').aksPrivEscalationPolicyDeploymentName]", + "scope": "[variables('scopes').lzsManaegmentGroup]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').aksPrivEscalationPolicyAssignment]" + }, + "parameters": { + "enforcementMode": { + "value": "Default" + } + } + } + }, + { + // Assigning Aks Priviliged policy to landing zones management group if condition is true + "condition": "[equals(parameters('denyAksPrivileged'), 'Yes')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('deploymentNames').aksPrivilegedPolicyDeploymentName]", + "scope": "[variables('scopes').lzsManaegmentGroup]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').aksPrivilegedPolicyAssignment]" + }, + "parameters": { + "enforcementMode": { + "value": "Default" + } + } + } + }, + { + // Assigning Https enforcement for AKS policy to landing zones management group if condition is true + "condition": "[equals(parameters('denyHttpIngressForAks'), 'Yes')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": 
"2020-10-01",
+ "name": "[variables('deploymentNames').aksHttpsPolicyDeploymentName]",
+ "scope": "[variables('scopes').lzsManaegmentGroup]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').aksHttpsPolicyAssignment]"
+ },
+ "parameters": {
+ "enforcementMode": {
+ "value": "Default"
+ }
+ }
+ }
+ },
+ {
+ // Assigning TLS-SSL policy initiative to landing zones management group if condition is true
+ "condition": "[equals(parameters('enableEncryptionInTransit'), 'Yes')]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[variables('deploymentNames').tlsSslPolicyDeploymentName]",
+ "scope": "[variables('scopes').lzsManaegmentGroup]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
+ "policyCompletion"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').tlsSslPolicyAssignment]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+ },
+ "enforcementMode": {
+ "value": "Default"
+ }
+ }
+ }
+ },
+ {
+ // Assigning IP Fwd policy to landing zones management group if condition is true
+ "condition": "[equals(parameters('denyIpForwarding'), 'Yes')]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[variables('deploymentNames').ipFwPolicyDeploymentName]",
+ "scope": "[variables('scopes').lzsManaegmentGroup]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
+ "policyCompletion"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').ipFwdPolicyAssignment]"
+ },
+ "parameters": {
+ "enforcementMode": {
+ "value": "Default"
+ }
+ }
+ }
+ },
+ {
+ // Assigning deny public endpoint initiative to corp connected landing zones management group if condition is true
+ "condition": "[equals(parameters('denyPublicEndpoints'), 'Yes')]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[variables('deploymentNames').publicEndpointPolicyDeploymentName]",
+ "scope": "[variables('scopes').corpManagementGroup]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
+ "policyCompletion"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').publicEndpointPolicyAssignment]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+ },
+ "enforcementMode": {
+ "value": "Default"
+ }
+ }
+ }
+ },
+ {
+ // Assigning deny rpd from internet policy landing zones management group if condition is true
+ "condition": "[equals(parameters('denyRdp'), 'Yes')]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[variables('deploymentNames').rdpFromInternetPolicyDeploymentName]",
+ "scope": "[variables('scopes').lzsManaegmentGroup]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
+ "policyCompletion"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').rdpFromInternetPolicyAssignment]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+ },
+ "enforcementMode": {
+ "value": "Default"
+ }
+ }
+ }
+ },
+ {
+ // Assigning deny storage without https policy to landing zones management group if condition is true
+ "condition": "[equals(parameters('enableStorageHttps'), 'Yes')]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[variables('deploymentNames').storageHttpsPolicyDeploymentName]",
+ "scope": "[variables('scopes').lzsManaegmentGroup]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
+ "policyCompletion"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').storageHttpsPolicyAssignment]"
+ },
+ "parameters": {
+ "enforcementMode": {
+ "value": "Default"
+ }
+ }
+ }
+ },
+ {
+ // Assigning deny subnet without nsg policy to landing zones management group if condition is true
+ "condition": "[equals(parameters('denySubnetWithoutNsg'), 'Yes')]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[variables('deploymentNames').subnetNsgPolicyDeploymentName]",
+ "scope": "[variables('scopes').lzsManaegmentGroup]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
+ "policyCompletion"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').subnetNsgPolicyAssignment]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+ },
+ "enforcementMode": {
+ "value": "Default"
+ }
+ }
+ }
+ },
+ {
+ // Assigning sql audit policy to landing zones management group if condition is true
+ "condition": "[equals(parameters('enableSqlAudit'), 'Yes')]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[variables('deploymentNames').sqlAuditPolicyDeploymentName]",
+ "scope": "[variables('scopes').lzsManaegmentGroup]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').sqlAuditPolicyAssignment]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+ },
+ "enforcementMode": {
+ "value": "Default"
+ }
+ }
+ }
+ },
+ {
+ // Assigning sql encryption policy to landing zones management group if condition is true
+ "condition": "[equals(parameters('enableSqlEncryption'), 'Yes')]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[variables('deploymentNames').sqlEncryptionPolicyDeploymentName]",
+ "scope": "[variables('scopes').lzsManaegmentGroup]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').sqlEncryptionPolicyAssignment]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+ },
+ "enforcementMode": {
+ "value": "Default"
+ }
+ }
+ }
+ },
+ /*
+ The following section will optionally configure the governance for the Identity management group for the platform
+ */
+ {
+ // Assigning Azure Backup policy to identity management group if condition is true
+ "condition": "[and(equals(parameters('enableVmBackupForIdentity'), 'Yes'), not(empty(parameters('identitySubscriptionId'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[variables('deploymentNames').azBackupIdentityPolicyDeploymentName]",
+ "scope": "[variables('scopes').identityManagementGroup]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').azBackupLzPolicyAssignment]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[variables('deterministicRoleAssignmentGuids').backupForIdentity]"
+ },
+ "enforcementMode": {
+ "value": "Default"
+ }
+ }
+ }
+ },
+ {
+ // Assigning deny Public Ip policy to identity management group if condition is true
+ "condition": "[and(equals(parameters('denyPipForIdentity'), 'Yes'), not(empty(parameters('identitySubscriptionId'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[variables('deploymentNames').pipPolicyDeploymentName]",
+ "scope": "[variables('scopes').identityManagementGroup]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "policyCompletion",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').identitySubscriptionPlacement)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').pipPolicyAssignment]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+ },
+ "enforcementMode": {
+ "value": "Default"
+ }
+ }
+ }
+ },
+ {
+ // Assigning deny subnet without nsg policy to identity management group if condition is true
+ "condition": "[and(equals(parameters('denySubnetWithoutNsgForIdentity'), 'Yes'), not(empty(parameters('identitySubscriptionId'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[variables('deploymentNames').subnetNsgIdentityPolicyDeploymentName]",
+ "scope": "[variables('scopes').identityManagementGroup]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "policyCompletion",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').identitySubscriptionPlacement)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').subnetNsgPolicyAssignment]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+ },
+ "enforcementMode": {
+ "value": "Default"
+ }
+ }
+ }
+ },
+ {
+ // Assigning deny rpd from internet on identity management group if condition is true
+ "condition": "[and(equals(parameters('denyRdpForIdentity'), 'Yes'), not(empty(parameters('identitySubscriptionId'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[variables('deploymentNames').rdpFromInternetIdentityPolicyDeploymentName]",
+ "scope": "[variables('scopes').identityManagementGroup]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "policyCompletion",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').identitySubscriptionPlacement)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').rdpFromInternetPolicyAssignment]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+ },
+ "enforcementMode": {
+ "value": "Default"
+ }
+ }
+ }
+ },
+ {
+ // Peer vnet in identity subscription to connectivity hub if vhub or nva contidion is true
+ "condition": "[and(or(equals(parameters('enableHub'), 'nva'), equals(parameters('enableHub'), 'vhub')), not(empty(parameters('identityAddressPrefix'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "name": "[variables('deploymentNames').identityPeeringDeploymentName]",
+ "subscriptionId": "[parameters('identitySubscriptionId')]",
+ "location": "[parameters('location')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').identitySubscriptionPlacement)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').corpVnetPeering]"
+ },
+ "parameters": {
+ "vNetRgName": {
+ "value": "[variables('platformRgNames').identityVnetRg]"
+ },
+ "vNetName": {
+ "value": "[concat(parameters('identitySubscriptionId'), variables('platformResourceNames').identityVnet)]"
+ },
+ "vNetLocation": {
+ "value": "[parameters('location')]"
+ },
+ "vNetCidrRange": {
+ "value": "[parameters('identityAddressPrefix')]"
+ },
+ "hubResourceId": {
+ "value": "[variables('platformResourceIds').vNetHubResourceId]"
+ },
+ "azureFirewallResourceId": {
+ "value": "[variables('platformResourceIds').azFirewallResourceId]"
+ }
+ }
+ }
+ },
+ {
+ // Peer vnet in identity subscription to connectivity hub if vwan contidion is true
+ "condition": "[and(equals(parameters('enableHub'), 'vwan'), not(empty(parameters('identityAddressPrefix'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "name": "[variables('deploymentNames').identityVwanPeeringDeploymentName]",
+ "subscriptionId": "[parameters('identitySubscriptionId')]",
+ "location": "[parameters('location')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').identitySubscriptionPlacement)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').corpVwanPeering]"
+ },
+ "parameters": {
+ "vNetRgName": {
+ "value": "[variables('platformRgNames').identityVnetRg]"
+ },
+ "vNetName": {
+ "value": "[concat(parameters('identitySubscriptionId'), variables('platformResourceNames').identityVnet)]"
+ },
+ "vNetLocation": {
+ "value": "[parameters('location')]"
+ },
+ "vNetCidrRange": {
+ "value": "[parameters('identityAddressPrefix')]"
+ },
+ "vWanHubResourceId": {
+ "value": "[variables('platformResourceIds').vWanHubResourceId]"
+ },
+ "azureFirewallResourceId": {
+ "value": "[if(equals(parameters('enableAzFwDnsProxy'), 'Yes'), variables('platformResourceIds').azFirewallResourceId, '')]"
+ }
+ }
+ }
+ },
+ /*
+ The following deployments will place landing zone subscriptions into online/corp (connected or disconnected)
+ */
+ {
+ // Placing subscription(s) into online landing zone management group
+ "condition": "[not(empty(parameters('onlineLzSubscriptionId')))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[concat(variables('deploymentNames').onlineLzSubs, copyIndex())]",
+ "scope": "[variables('scopes').onlineManagementGroup]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]"
+ ],
+ "copy": {
+ "name": "onlineLzs",
+ "count": "[length(parameters('onlineLzSubscriptionId'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').subscriptionPlacement]"
+ },
+ "parameters": {
+ "targetManagementGroupId": {
+ "value": "[variables('mgmtGroups').online]"
+ },
+ "subscriptionId": {
+ "value": "[concat(parameters('onlineLzSubscriptionId')[copyIndex()])]"
+ }
+ }
+ }
+ },
+ {
+ // Placing subscriptions into corp landing zone management group
+ "condition": "[not(empty(parameters('corpLzSubscriptionId')))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[concat(variables('deploymentNames').corpLzSubs, copyIndex())]",
+ "scope": "[variables('scopes').corpManagementGroup]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]"
+ ],
+ "copy": {
+ "name": "corpLzs",
+ "count": "[length(parameters('corpLzSubscriptionId'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').subscriptionPlacement]"
+ },
+ "parameters": {
+ "targetManagementGroupId": {
+ "value": "[variables('mgmtGroups').corp]"
+ },
+ "subscriptionId": {
+ "value": "[concat(parameters('corpLzSubscriptionId')[copyIndex()])]"
+ }
+ }
+ }
+ },
+ {
+ // Placing subscriptions into corp landing zone management group (and do subsequent peering)
+ "condition": "[not(empty(parameters('corpConnectedLzSubscriptionId')))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[concat(variables('deploymentNames').corpConnectedMoveLzSubs, copyIndex())]",
+ "scope": "[variables('scopes').corpManagementGroup]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]"
+ ],
+ "copy": {
+ "name": "corpConnectedMoveLzs",
+ "count": "[length(parameters('corpConnectedLzSubscriptionId'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').subscriptionPlacement]"
+ },
+ "parameters": {
+ "targetManagementGroupId": {
+ "value": "[variables('mgmtGroups').corp]"
+ },
+ "subscriptionId": {
+ "value": "[parameters('corpConnectedLzSubscriptionId')[copyIndex()].subs]"
+ }
+ }
+ }
+ },
+ {
+ // Peering corp connected lz vnet to connectivity sub (when nva or vhub is selected)
+ "condition": "[and(or(equals(parameters('enableHub'), 'nva'), equals(parameters('enableHub'), 'vhub')), not(empty(parameters('corpConnectedLzSubscriptionId'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "name": "[concat(variables('deploymentNames').corpPeeringDeploymentName, copyIndex())]",
+ "subscriptionId": "[if(not(empty(parameters('corpConnectedLzSubscriptionId'))), parameters('corpConnectedLzSubscriptionId')[copyIndex()].subs, '')]",
+ "location": "[parameters('location')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
+ "corpConnectedMoveLzs"
+ ],
+ "copy": {
+ "name": "corpConnectedPeering",
+ "count": "[length(parameters('corpConnectedLzSubscriptionId'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').corpVnetPeering]"
+ },
+ "parameters": {
+ "vNetRgName": {
+ "value": "[variables('platformRgNames').lzVnetRg]"
+ },
+ "vNetName": {
+ "value": "[concat(parameters('corpConnectedLzSubscriptionId')[copyIndex()].subs, '-', variables('platformResourceNames').lzVnet)]"
+ },
+ "vNetLocation": {
+ "value": "[parameters('location')]"
+ },
+ "vNetCidrRange": {
+ "value": "[parameters('corpConnectedLzSubscriptionId')[copyIndex()].addresses]"
+ },
+ "hubResourceId": {
+ "value": "[variables('platformResourceIds').vNetHubResourceId]"
+ },
+ "azureFirewallResourceId": {
+ "value": "[if(equals(parameters('enableAzFwDnsProxy'), 'Yes'), variables('platformResourceIds').azFirewallResourceId, '')]"
+ }
+ }
+ }
+ },
+ /*{
+ // Peering corp connected lz vnet to connectivity sub (when vwan is selected)
+ "condition": "[and(equals(parameters('enableHub'), 'vwan'), not(empty(parameters('corpConnectedLzSubscriptionId'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "name": "[concat(variables('deploymentNames').corpConnectedLzVwanSubs, copyIndex())]",
+ "subscriptionId": "[if(not(empty(parameters('corpConnectedLzSubscriptionId'))), parameters('corpConnectedLzSubscriptionId')[copyIndex()].subs, '')]",
+ "location": "[parameters('location')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
+ "corpConnectedMoveLzs"
+ ],
+ "copy": {
+ "name": "corpConnectedVwanPeering",
+ "count": "[length(parameters('corpConnectedLzSubscriptionId'))]",
+ "batchSize": 1,
+ "mode": "Serial"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').corpVnetPeering]"
+ },
+ "parameters": {
+ "vNetRgName": {
+ "value": "[variables('platformRgNames').lzVnetRg]"
+ },
+ "vNetName": {
+ "value": "[concat(parameters('corpConnectedLzSubscriptionId')[copyIndex()].subs, '-', variables('platformResourceNames').lzVnet)]"
+ },
+ "vNetLocation": {
+ "value": "[parameters('location')]"
+ },
+ "vNetCidrRange": {
+ "value": "[parameters('corpConnectedLzSubscriptionId')[copyIndex()].addresses]"
+ },
+ "hubResourceId": {
+ "value": "[variables('platformResourceIds').vWanHubResourceId]"
+ },
+ "azureFirewallResourceId": {
+ "value": "[if(equals(parameters('enableAzFwDnsProxy'), 'Yes'), variables('platformResourceIds').azFirewallResourceId, '')]"
+ }
+ }
+ }
+ },*/
+ /*
+ **ESLZ Lite Only!**
+ The following section represent optional deployments in case the user select to use a single dedicated subscription for platform resources.
+ This is not recommmended for production deployment, only for small enterprises, demo, POC, etc.
+
+ The following deployment will create the management group structure for ESLZ Lite
+ */
+ {
+ // Creating the ESLZ Lite management group structure
+ "condition": "[not(empty(parameters('singlePlatformSubscriptionId')))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "[variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName]",
+ "location": "[deployment().location]",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').managementGroupsLite]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+ }
+ }
+ }
+ },
+ /*
+ Note: ES Lite only: the following deployments will organize the dedicated platform subscription into the dedicated management groups
+ */
+ {
+ // Placing Platform subscription into dedicated management group
+ "condition": "[not(empty(parameters('singlePlatformSubscriptionId')))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement]",
+ "location": "[deployment().location]",
+ "scope": "[variables('scopes').platformManagementGroup]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').subscriptionPlacement]"
+ },
+ "parameters": {
+ "targetManagementGroupId": {
+ "value": "[variables('mgmtGroups').platform]"
+ },
+ "subscriptionId": {
+ "value": "[parameters('singlePlatformSubscriptionId')]"
+ }
+ }
+ }
+ },
+ /*
+ Note: ES Lite only: the following deployment will create Log Analytics to the platform subscription
+ */
+ {
+ // Deploying Log Analytics workspace to platform subscription if condition is true
+ "condition": "[and(equals(parameters('enableLogAnalytics'), 'Yes'), not(empty(parameters('singlePlatformSubscriptionId'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[variables('esLiteDeploymentNames').monitoringLiteDeploymentName]",
+ "location": "[deployment().location]",
+ "subscriptionId": "[parameters('singlePlatformSubscriptionId')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('esliteDeploymentNames').platformLiteSubscriptionPlacement)]",
+ "policyCompletion"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').monitoring]"
+ },
+ "parameters": {
+ "rgName": {
+ "value": "[variables('platformRgNames').mgmtRg]"
+ },
+ "workspaceName": {
+ "value": "[variables('platformResourceNames').logAnalyticsWorkspace]"
+ },
+ "workspaceRegion": {
+ "value": "[deployment().location]"
+ },
+ "automationAccountName": {
+ "value": "[variables('platformResourceNames').automationAccount]"
+ },
+ "automationRegion": {
+ "value": "[deployment().location]"
+ },
+ "retentionInDays": {
+ "value": "[parameters('retentionInDays')]"
+ }
+ }
+ }
+ },
+ /*
+ Note: ES Lite only: the following deployments will deploy Log Analytics solutions to the platform subscription
+ */
+ {
+ // Deploying Log Analytics solutions to Log Analytics workspace if condition is true
+ "condition": "[and(and(not(empty(parameters('singlePlatformSubscriptionId'))), equals(parameters('enableLogAnalytics'), 'Yes')), equals(parameters('enableLogAnalytics'), 'Yes'), or(or(or(or(or(equals(parameters('enableSecuritySolution'), 'Yes'), equals(parameters('enableAgentHealth'), 'Yes')), equals(parameters('enableChangeTracking'), 'Yes')), equals(parameters('enableUpdateMgmt'), 'Yes'), equals(parameters('enableActivityLog'), 'Yes')), equals(parameters('enableVmInsights'), 'Yes')), equals(parameters('enableServiceMap'), 'Yes'), equals(parameters('enableSqlAssessment'), 'Yes')))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[variables('esLiteDeploymentNames').monitoringSolutionsLiteDeploymentName]",
+ "location": "[deployment().location]",
+ "subscriptionId": "[parameters('singlePlatformSubscriptionId')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]",
+ "policyCompletion"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').monitoringSolutions]"
+ },
+ "parameters": {
+ "rgName": {
+ "value": "[variables('platformRgNames').mgmtRg]"
+ },
+ "workspaceName": {
+ "value": "[variables('platformResourceNames').logAnalyticsWorkspace]"
+ },
+ "workspaceRegion": {
+ "value": "[deployment().location]"
+ },
+ "enableSecuritySolution": {
+ "value": "[parameters('enableSecuritySolution')]"
+ },
+ "enableAgentHealth": {
+ "value": "[parameters('enableAgentHealth')]"
+ },
+ "enableChangeTracking": {
+ "value": "[parameters('enableChangeTracking')]"
+ },
+ "enableUpdateMgmt": {
+ "value": "[parameters('enableUpdateMgmt')]"
+ },
+ "enableActivityLog": {
+ "value": "[parameters('enableActivityLog')]"
+ },
+ "enableVmInsights": {
+ "value": "[parameters('enableVmInsights')]"
+ },
+ "enableServiceMap": {
+ "value": "[parameters('enableServiceMap')]"
+ },
+ "enableSqlAssessment": {
+ "value": "[parameters('enableSqlAssessment')]"
+ }
+ }
+ }
+ },
+ /*
+ Note: ES Lite only: deploy Log Analytics workspace policy to the platform management group
+ */
+ {
+ // Assigning Log Analytics workspace policy to platform management group if condition is true
+ "condition": "[and(equals(parameters('enableLogAnalytics'), 'Yes'), not(empty(parameters('singlePlatformSubscriptionId'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[variables('esLiteDeploymentNames').logAnalyticsLitePolicyDeploymentName]",
+ "scope": "[variables('scopes').platformManagementGroup]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]",
+ "policyCompletion"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').logAnalyticsPolicyAssignment]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+ },
+ "rgName": {
+ "value": "[variables('platformRgNames').mgmtRg]"
+ },
+ "logAnalyticsWorkspaceName": {
+ "value": "[variables('platformResourceNames').logAnalyticsWorkspace]"
+ },
+ "workspaceRegion": {
+ "value": "[deployment().location]"
+ },
+ "automationAccountName": {
+ "value": "[variables('platformResourceNames').automationAccount]"
+ },
+ "automationRegion": {
+ "value": "[deployment().location]"
+ },
+ "retentionInDays": {
+ "value": "[parameters('retentionInDays')]"
+ }
+ }
+ }
+ },
+ /*
+ Note: ES Lite only: deploy RG for DDoS standard protection to platform subscription
+ */
+ {
+ // Creating resource group for DDoS Standard Protection
+ "condition": "[and(equals(parameters('enableDdoS'), 'Yes'), not(empty(parameters('singlePlatformSubscriptionId'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[variables('esLiteDeploymentNames').ddosRgLiteDeploymentName]",
+ "subscriptionId": "[parameters('singlePlatformSubscriptionId')]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').resourceGroup]"
+ },
+ "parameters": {
+ "rgName": {
+ "value": "[variables('platformRgNames').ddosRg]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ }
+ }
+ }
+ },
+ /*
+ Note: ES Lite only: deploy DDoS standard protection
+ */
+ {
+ // Creating DDoS protection plan into the connectivity subscription
+ "condition": "[and(equals(parameters('enableDdoS'), 'Yes'), not(empty(parameters('singlePlatformSubscriptionId'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[variables('esLiteDeploymentNames').ddosLiteDeploymentName]",
+ "subscriptionId": "[parameters('singlePlatformSubscriptionId')]",
+ "resourceGroup": "[variables('platformRgNames').ddosRg]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').ddosRgLiteDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').ddosProtection]"
+ },
+ "parameters": {
+ "ddosName": {
+ "value": "[variables('platformResourceNames').ddosName]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ }
+ }
+ }
+ },
+ /*
+ Note: ES Lite only: deploy RG for Private DNS zones to platform subscription
+ */
+ {
+ // Creating resource group for Private DNS Zones
+ "condition": "[and(equals(parameters('enablePrivateDnsZones'), 'Yes'), not(empty(parameters('singlePlatformSubscriptionId'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[variables('esLitedeploymentNames').privateDnsZoneRgLiteDeploymentName]",
+ "subscriptionId": "[parameters('singlePlatformSubscriptionId')]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').vwanConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').nvaConnectivityHubLiteDeploymentName)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').resourceGroup]"
+ },
+ "parameters": {
+ "rgName": {
+ "value": "[variables('platformRgNames').privateDnsRg]"
+ },
+ "location": {
+ "value": "[parameters('location')]"
+ }
+ }
+ }
+ },
+ /*
+ Note: ES Lite only: deploy private DNS zones
+ */
+ {
+ // Creating Private DNS Zones into the connectivity subscription
+ "condition": "[and(equals(parameters('enablePrivateDnsZones'), 'Yes'), not(empty(parameters('singlePlatformSubscriptionId'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "[concat(variables('esLitedeploymentNames').privateDnsZonesLiteDeploymentName, copyIndex())]",
+ "subscriptionId": "[parameters('singlePlatformSubscriptionId')]",
+ "resourceGroup": "[variables('platformRgNames').privateDnsRg]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').privateDnsZoneRgLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').vwanConnectivityHubLiteDeploymentName)]",
+ "[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').nvaConnectivityHubLiteDeploymentName)]"
+ ],
+ "copy": {
+ "name": "dnsZonesLite",
+ "count": "[length(variables('privateDnsZones'))]"
+ },
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "contentVersion": "1.0.0.0",
+ "uri": "[variables('deploymentUris').privateDnsZones]"
+ },
+ "parameters": {
+ "privateDnsZoneName": {
+ "value": "[concat(variables('privateDnsZones')[copyIndex()])]"
+ },
+ "connectivityHubResourceId": {
+ "value": "[variables('platformResourceIds').vNetHubResourceId]"
+ }
+ }
+ }
+ },
+ /*
+ Note: ES Lite only: assign DDoS policy for landing zones
+ */
+ {
+ // Assigning DDoS Policy to enforce DDoS on virtual networks if condition evaluates to true
+ "condition": "[and(and(equals(parameters('enableDdoS'), 'Yes'), equals(parameters('enableHub'), 'vhub')), not(empty(parameters('singlePlatformSubscriptionId'))), equals(parameters('enableHub'), 'Yes'))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name":
"[variables('esLiteDeploymentNames').ddosHubLitePolicyDeploymentName]", + "scope": "[variables('scopes').platformManagementGroup]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').ddosLiteDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('esLiteDeploymentNames').ddosHubLitePolicyDeploymentName]" + }, + "parameters": { + "ddosPlanResourceId": { + "value": "[variables('platformResourceIds').ddosProtectionResourceId]" + }, + "topLevelManagementGroupPrefix": { + "value": "[variables('deterministicRoleAssignmentGuids').ddosForConnectivity]" + }, + "enforcementMode": { + "value": "Default" + } + } + } + }, + /* + Note: ES Lite only: deploys hub and spoke + */ + { + // Configuring and deploying the connectivity hub (hub and spoke) + "condition": "[and(not(empty(parameters('singlePlatformSubscriptionId'))),equals(parameters('enableHub'), 'vhub'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-05-01", + "scope": "[variables('scopes').platformManagementGroup]", + "name": "[variables('esLitedeploymentNames').vnetConnectivityHubLiteDeploymentName]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').ddosHubLitePolicyDeploymentName)]" + ], + "location": "[deployment().location]", + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').vnetConnectivityHub]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + 
"value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "ddosPlanResourceId": { + "value": "[variables('platformResourceIds').ddosProtectionResourceId]" + }, + "enableHub": { + "value": "[parameters('enableHub')]" + }, + "enableAzFw": { + "value": "[parameters('enableAzFw')]" + }, + "addressPrefix": { + "value": "[parameters('addressPrefix')]" + }, + "enableVpnGw": { + "value": "[parameters('enableVpnGw')]" + }, + "enableErGw": { + "value": "[parameters('enableErGw')]" + }, + "enableDdoS": { + "value": "[parameters('enableDdoS')]" + }, + "location": { + "value": "[parameters('location')]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('singlePlatformSubscriptionId')]" + }, + "subnetMaskForAzFw": { + "value": "[parameters('subnetMaskForAzFw')]" + }, + "subnetMaskForGw": { + "value": "[parameters('subnetMaskForGw')]" + }, + "firewallZones": { + "value": "[parameters('firewallZones')]" + }, + "enableAzFwDnsProxy": { + "value": "[parameters('enableAzFwDnsProxy')]" + }, + "gwRegionalOrAz": { + "value": "[parameters('gwRegionalOrAz')]" + }, + "gwAzSku": { + "value": "[parameters('gwAzSku')]" + }, + "gwRegionalSku": { + "value": "[parameters('gwRegionalSku')]" + }, + "erRegionalOrAz": { + "value": "[parameters('erRegionalOrAz')]" + }, + "erAzSku": { + "value": "[parameters('erAzSku')]" + }, + "erRegionalSku": { + "value": "[parameters('erRegionalSku')]" + } + } + } + }, + /* + Note: ES Lite only: deploys virtual hub (NVA) + */ + { + // Configuring and deploying the connectivity hub (NVA) + "condition": "[and(not(empty(parameters('singlePlatformSubscriptionId'))),equals(parameters('enableHub'), 'nva'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-05-01", + "scope": "[variables('scopes').platformManagementGroup]", + "name": "[variables('esLitedeploymentNames').nvaConnectivityHubLiteDeploymentName]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', 
variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').ddosHubLitePolicyDeploymentName)]" + ], + "location": "[deployment().location]", + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').nvaConnectivityHub]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "ddosPlanResourceId": { + "value": "[variables('platformResourceIds').ddosProtectionResourceId]" + }, + "enableHub": { + "value": "[parameters('enableHub')]" + }, + "addressPrefix": { + "value": "[parameters('addressPrefix')]" + }, + "enableVpnGw": { + "value": "[parameters('enableVpnGw')]" + }, + "enableErGw": { + "value": "[parameters('enableErGw')]" + }, + "enableDdoS": { + "value": "[parameters('enableDdoS')]" + }, + "location": { + "value": "[parameters('location')]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('singlePlatformSubscriptionId')]" + }, + "subnetMaskForGw": { + "value": "[parameters('subnetMaskForGw')]" + }, + "gwRegionalOrAz": { + "value": "[parameters('gwRegionalOrAz')]" + }, + "gwAzSku": { + "value": "[parameters('gwAzSku')]" + }, + "gwRegionalSku": { + "value": "[parameters('gwRegionalSku')]" + }, + "erRegionalOrAz": { + "value": "[parameters('erRegionalOrAz')]" + }, + "erAzSku": { + "value": "[parameters('erAzSku')]" + }, + "erRegionalSku": { + "value": "[parameters('erRegionalSku')]" + } + } + } + }, + /* + Note: ES Lite only: deploys VWAN hub (Microsoft Managed) + */ + { + // Creating the VWAN network hub (Microsoft managed) + "condition": 
"[and(not(empty(parameters('singlePlatformSubscriptionId'))),equals(parameters('enableHub'), 'vwan'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "scope": "[variables('scopes').platformManagementGroup]", + "name": "[variables('esLitedeploymentNames').vwanConnectivityHubLiteDeploymentName]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').ddosHubLitePolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]" + ], + "location": "[deployment().location]", + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').vwanConnectivityHub]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "enableHub": { + "value": "[parameters('enableHub')]" + }, + "enableAzFw": { + "value": "[parameters('enableAzFw')]" + }, + "addressPrefix": { + "value": "[parameters('addressPrefix')]" + }, + "enableVpnGw": { + "value": "[parameters('enableVpnGw')]" + }, + "enableErGw": { + "value": "[parameters('enableErGw')]" + }, + "location": { + "value": "[parameters('location')]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('singlePlatformSubscriptionId')]" + }, + "expressRouteScaleUnit": { + "value": "[parameters('expressRouteScaleUnit')]" + }, + "vpnGateWayScaleUnit": { + "value": 
"[parameters('vpnGateWayScaleUnit')]" + } + } + } + }, + /* + Note: ES Lite only: assigns policy for identity to enable Azure Backup + */ + { + // Assigning Azure Backup policy to platform management group if condition is true + "condition": "[and(equals(parameters('enableVmBackupForIdentity'), 'Yes'), not(empty(parameters('singlePlatformSubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('esLitedeploymentNames').azBackupIdentityLitePolicyDeploymentName]", + "scope": "[variables('scopes').platformManagementGroup]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]" ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').azBackupLzPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[variables('deterministicRoleAssignmentGuids').backupForIdentity]" + }, + "enforcementMode": { + "value": "Default" + } + } + } + }, + /* + Note: ES Lite only: assign policy for identity to deny subnet without NSG + */ + { + // Assigning deny subnet without nsg policy to identity management group if condition is true + "condition": "[and(equals(parameters('denySubnetWithoutNsgForIdentity'), 'Yes'), not(empty(parameters('singlePlatformSubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('esLitedeploymentNames').subnetNsgIdentityLitePolicyDeploymentName]", + "scope": "[variables('scopes').platformManagementGroup]", + "location": "[deployment().location]", + "dependsOn": [ + "policyCompletion", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + 
"uri": "[variables('deploymentUris').subnetNsgPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "enforcementMode": { + "value": "Default" + } + } + } + }, + /* + Note: ES Lite only: assign policy to deny RDP from internet to platform MG + */ + { + // Assigning deny rpd from internet policy landing zones management group if condition is true + "condition": "[and(equals(parameters('denyRdpForIdentity'), 'Yes'), not(empty(parameters('singlePlatformSubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "[variables('esLitedeploymentNames').rdpFromInternetIdentityLitePolicyDeploymentName]", + "scope": "[variables('scopes').platformManagementGroup]", + "location": "[deployment().location]", + "dependsOn": [ + "policyCompletion", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').rdpFromInternetPolicyAssignment]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "enforcementMode": { + "value": "Default" + } + } + } + } + ], + "outputs": { + "deployment": { + "type": "string", + "value": "[concat(deployment().name, ' has successfully deployed. Welcome to Enterprise-Scale!')]" + } + } +} \ No newline at end of file diff --git a/eslzArm/managementGroupTemplates/mgmtGroupStructure/mgmtGroups.json b/eslzArm/managementGroupTemplates/mgmtGroupStructure/mgmtGroups.json new file mode 100644 index 0000000000..3350434373 --- /dev/null +++ b/eslzArm/managementGroupTemplates/mgmtGroupStructure/mgmtGroups.json 
@@ -0,0 +1,163 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide prefix for the management group structure."
+ }
+ },
+ "platformMgs": {
+ "type": "array",
+ "defaultValue": [
+ "management",
+ "connectivity",
+ "identity"
+ ],
+ "metadata": {
+ "description": "Management groups for platform specific purposes, such as management, networking, identity etc."
+ }
+ },
+ "landingZoneMgs": {
+ "type": "array",
+ "defaultValue": [
+ "online",
+ "corp"
+ ],
+ "metadata": {
+ "description": "These are the landing zone management groups."
+ }
+ }
+ },
+ "variables": {
+ "enterpriseScaleManagementGroups": {
+ "platform": "[concat(parameters('topLevelManagementGroupPrefix'), '-', 'platform')]",
+ "landingZone": "[concat(parameters('topLevelManagementGroupPrefix'), '-', 'landingzones')]",
+ "decommissioned": "[concat(parameters('topLevelManagementGroupPrefix'), '-', 'decommissioned')]",
+ "sandboxes": "[concat(parameters('topLevelManagementGroupPrefix'), '-', 'sandboxes')]"
+ }
+ },
+ "resources": [
+ {
+ // Create top level management group under tenant root
+ "type": "Microsoft.Management/managementGroups",
+ "apiVersion": "2020-05-01",
+ "name": "[parameters('topLevelManagementGroupPrefix')]",
+ "properties": {}
+ },
+ {
+ // Create management group for platform management groups
+ "type": "Microsoft.Management/managementGroups",
+ "apiVersion": "2020-05-01",
+ "name": "[variables('enterpriseScaleManagementGroups').platform]",
+ "dependsOn": [
+ "[tenantResourceId('Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]"
+ ],
+ "properties": {
+ "displayName": "[variables('enterpriseScaleManagementGroups').platform]",
+ "details": {
+ "parent": {
+ "id": "[tenantResourceId('Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]"
+ }
+ }
+ }
+ },
+ {
+ // Create management group for landing zones
+ "type": "Microsoft.Management/managementGroups",
+ "apiVersion": "2020-05-01",
+ "name": "[variables('enterpriseScaleManagementGroups').landingZone]",
+ "dependsOn": [
+ "[tenantResourceId('Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]"
+ ],
+ "properties": {
+ "displayName": "[variables('enterpriseScaleManagementGroups').landingZone]",
+ "details": {
+ "parent": {
+ "id": "[tenantResourceId('Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]"
+ }
+ }
+ }
+ },
+ {
+ // Create management group for sandbox subscriptions
+ "type": "Microsoft.Management/managementGroups",
+ "apiVersion": "2020-05-01",
+ "name": "[variables('enterpriseScaleManagementGroups').sandboxes]",
+ "dependsOn": [
+ "[tenantResourceId('Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]"
+ ],
+ "properties": {
+ "displayName": "[variables('enterpriseScaleManagementGroups').sandboxes]",
+ "details": {
+ "parent": {
+ "id": "[tenantResourceId('Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]"
+ }
+ }
+ }
+ },
+ {
+ // Create management group for decommissioned subscriptions
+ "type": "Microsoft.Management/managementGroups",
+ "apiVersion": "2020-05-01",
+ "name": "[variables('enterpriseScaleManagementGroups').decommissioned]",
+ "dependsOn": [
+ "[tenantResourceId('Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]"
+ ],
+ "properties": {
+ "displayName": "[variables('enterpriseScaleManagementGroups').decommissioned]",
+ "details": {
+ "parent": {
+ "id": "[tenantResourceId('Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]"
+ }
+ }
+ }
+ },
+ {
+ // Create child management groups for platform resources
+ "condition": "[not(empty(parameters('platformMgs')))]",
+ "type": "Microsoft.Management/managementGroups",
+ "apiVersion": "2020-05-01",
+ "name": "[concat(parameters('topLevelManagementGroupPrefix'), '-', parameters('platformMgs')[copyIndex()])]",
+ "dependsOn": [
+ "[tenantResourceId('Microsoft.Management/managementGroups', variables('enterpriseScaleManagementGroups').platform)]"
+ ],
+ "copy": {
+ "name": "platformMgCopy",
+ "count": "[length(parameters('platformMgs'))]"
+ },
+ "properties": {
+ "displayName": "[concat(parameters('topLevelManagementGroupPrefix'), '-', parameters('platformMgs')[copyIndex()])]",
+ "details": {
+ "parent": {
+ "id": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('enterpriseScaleManagementGroups').platform)]"
+ }
+ }
+ }
+ },
+ {
+ // Create child management groups for landing zones
+ "condition": "[not(empty(parameters('landingZoneMgs')))]",
+ "type": "Microsoft.Management/managementGroups",
+ "apiVersion": "2020-05-01",
+ "name": "[concat(parameters('topLevelManagementGroupPrefix'), '-', parameters('landingZoneMgs')[copyIndex()])]",
+ "dependsOn": [
+ "[tenantResourceId('Microsoft.Management/managementGroups/', variables('enterpriseScaleManagementGroups').landingZone)]"
+ ],
+ "copy": {
+ "name": "lzMgCopy",
+ "count": "[length(parameters('landingZoneMgs'))]"
+ },
+ "properties": {
+ "displayName": "[concat(parameters('topLevelManagementGroupPrefix'), '-', parameters('landingZoneMgs')[copyIndex()])]",
+ "details": {
+ "parent": {
+ "id": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('enterpriseScaleManagementGroups').landingZone)]"
+ }
+ }
+ }
+ }
+ ],
+ "outputs": {}
+}
diff --git a/eslzArm/managementGroupTemplates/mgmtGroupStructure/mgmtGroupsLite.json b/eslzArm/managementGroupTemplates/mgmtGroupStructure/mgmtGroupsLite.json
new file mode 100644
index 0000000000..ed5291c94f
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/mgmtGroupStructure/mgmtGroupsLite.json
@@ -0,0 +1,130 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide prefix for the management group structure."
+ }
+ },
+ "landingZoneMgs": {
+ "type": "array",
+ "defaultValue": [
+ "online",
+ "corp"
+ ],
+ "metadata": {
+ "description": "These are the landing zone management groups."
+ }
+ }
+ },
+ "variables": {
+ "enterpriseScaleManagementGroups": {
+ "platform": "[concat(parameters('topLevelManagementGroupPrefix'), '-', 'platform')]",
+ "landingZone": "[concat(parameters('topLevelManagementGroupPrefix'), '-', 'landingzones')]",
+ "decommissioned": "[concat(parameters('topLevelManagementGroupPrefix'), '-', 'decommissioned')]",
+ "sandboxes": "[concat(parameters('topLevelManagementGroupPrefix'), '-', 'sandboxes')]"
+ }
+ },
+ "resources": [
+ {
+ // Create top level management group under tenant root
+ "type": "Microsoft.Management/managementGroups",
+ "apiVersion": "2020-05-01",
+ "name": "[parameters('topLevelManagementGroupPrefix')]",
+ "properties": {}
+ },
+ {
+ // Create management group for platform management groups
+ "type": "Microsoft.Management/managementGroups",
+ "apiVersion": "2020-05-01",
+ "name": "[variables('enterpriseScaleManagementGroups').platform]",
+ "dependsOn": [
+ "[tenantResourceId('Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]"
+ ],
+ "properties": {
+ "displayName": "[variables('enterpriseScaleManagementGroups').platform]",
+ "details": {
+ "parent": {
+ "id": "[tenantResourceId('Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]"
+ }
+ }
+ }
+ },
+ {
+ // Create management group for landing zones
+ "type": "Microsoft.Management/managementGroups",
+ "apiVersion": "2020-05-01",
+ "name": "[variables('enterpriseScaleManagementGroups').landingZone]",
+ "dependsOn": [
+ "[tenantResourceId('Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]"
+ ],
+ "properties": {
+ "displayName": "[variables('enterpriseScaleManagementGroups').landingZone]",
+ "details": {
+ "parent": {
+ "id": "[tenantResourceId('Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]"
+ }
+ }
+ }
+ },
+ {
+ // Create management group for sandbox subscriptions
+ "type": "Microsoft.Management/managementGroups",
+ "apiVersion": "2020-05-01",
+ "name": "[variables('enterpriseScaleManagementGroups').sandboxes]",
+ "dependsOn": [
+ "[tenantResourceId('Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]"
+ ],
+ "properties": {
+ "displayName": "[variables('enterpriseScaleManagementGroups').sandboxes]",
+ "details": {
+ "parent": {
+ "id": "[tenantResourceId('Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]"
+ }
+ }
+ }
+ },
+ {
+ // Create management group for decommissioned subscriptions
+ "type": "Microsoft.Management/managementGroups",
+ "apiVersion": "2020-05-01",
+ "name": "[variables('enterpriseScaleManagementGroups').decommissioned]",
+ "dependsOn": [
+ "[tenantResourceId('Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]"
+ ],
+ "properties": {
+ "displayName": "[variables('enterpriseScaleManagementGroups').decommissioned]",
+ "details": {
+ "parent": {
+ "id": "[tenantResourceId('Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]"
+ }
+ }
+ }
+ },
+ {
+ // Create child management groups for landing zones
+ "condition": "[not(empty(parameters('landingZoneMgs')))]",
+ "type": "Microsoft.Management/managementGroups",
+ "apiVersion": "2020-05-01",
+ "name": "[concat(parameters('topLevelManagementGroupPrefix'), '-', parameters('landingZoneMgs')[copyIndex()])]",
+ "dependsOn": [
+ "[tenantResourceId('Microsoft.Management/managementGroups/', variables('enterpriseScaleManagementGroups').landingZone)]"
+ ],
+ "copy": {
+ "name": "lzMgCopy",
+ "count": "[length(parameters('landingZoneMgs'))]"
+ },
+ "properties": {
+ "displayName": "[concat(parameters('topLevelManagementGroupPrefix'), '-', parameters('landingZoneMgs')[copyIndex()])]",
+ "details": {
+ "parent": {
+ "id": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('enterpriseScaleManagementGroups').landingZone)]"
+ }
+ }
+ }
+ }
+ ],
+ "outputs": {}
+}
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksPrivEscalationPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksPrivEscalationPolicyAssignment.json
new file mode 100644
index 0000000000..f3e13e0782
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksPrivEscalationPolicyAssignment.json
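Review bot: This file is the full mgmtGroups.json with the `platformMgs` parameter and the `platformMgCopy` resource deleted and nothing else changed, so the two copies will drift the next time one of them is edited. The full template already guards its platform children with `"condition": "[not(empty(parameters('platformMgs')))]"`, so the same hierarchy should be reachable by deploying it with `"platformMgs": { "value": [] }`, provided ARM accepts a zero-count copy loop there — worth confirming before committing to a second file. If the Lite file stays, a comment at the top of `"resources"` stating why it exists (presumably a single platform subscription placed directly under `<prefix>-platform` instead of management/connectivity/identity children) would stop a maintainer from "fixing" the missing resource back in.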
@@ -0,0 +1,43 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "enforcementMode": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ],
+ "defaultValue": "Default"
+ }
+ },
+ "variables": {
+ "policyDefinitions": {
+ "denyAksNoPrivEsc": "/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99"
+ },
+ "policyAssignmentNames": {
+ "denyAksNoPrivEsc": "Deny-Priv-Esc-AKS",
+ "description": "Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
+ "displayName": "Kubernetes clusters should not allow container privilege escalation"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "name": "[variables('policyAssignmentNames').denyAksNoPrivEsc]",
+ "properties": {
+ "description": "[variables('policyAssignmentNames').description]",
+ "displayName": "[variables('policyAssignmentNames').displayName]",
+ "policyDefinitionId": "[variables('policyDefinitions').denyAksNoPrivEsc]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "parameters": {
+ "effect": {
+ "value": "deny"
+ }
+ }
+ }
+ }
+ ],
+ "outputs": {}
+}
\ No newline at end of file
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksPrivilegedPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksPrivilegedPolicyAssignment.json
new file mode 100644
index 0000000000..033f6bdcf7
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksPrivilegedPolicyAssignment.json
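Review bot: The `policyAssignmentNames` variable holds the assignment's `description` and `displayName` next to its name, so the bag's name misdescribes two of its three entries and `policyDefinitions` (which really does hold only IDs) sets a different expectation one line above; rename it to something like `policyAssignment` or split the metadata out, consistently across the sibling AKS assignments. The built-in is referenced by bare GUID `1c6e92c9-99f0-4e55-9cf2-0c234dc48f99` with nothing tying it to what it does until the reader reaches `displayName`; a comment above that entry, `// Built-in: Kubernetes clusters should not allow container privilege escalation (CIS 5.2.5)`, makes the mapping checkable at a glance. Note also that a Kubernetes `deny` effect is an admission-time check that presumably only fires on clusters where the Azure Policy add-on is running, so clusters without the add-on are neither rejected nor reported by this assignment; pairing it with the add-on audit/deploy policy is what closes that gap — confirm against the aka.ms/kubepolicydoc link in the description.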
@@ -0,0 +1,43 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "enforcementMode": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ],
+ "defaultValue": "Default"
+ }
+ },
+ "variables": {
+ "policyDefinitions": {
+ "denyAksPriv": "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4"
+ },
+ "policyAssignmentNames": {
+ "denyAksPriv": "Deny-Privileged-AKS",
+ "description": "Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
+ "displayName": "Kubernetes cluster should not allow privileged containers"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "name": "[variables('policyAssignmentNames').denyAksPriv]",
+ "properties": {
+ "description": "[variables('policyAssignmentNames').description]",
+ "displayName": "[variables('policyAssignmentNames').displayName]",
+ "policyDefinitionId": "[variables('policyDefinitions').denyAksPriv]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "parameters": {
+ "effect": {
+ "value": "deny"
+ }
+ }
+ }
+ }
+ ],
+ "outputs": {}
+}
\ No newline at end of file
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksWithoutHttpsPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksWithoutHttpsPolicyAssignment.json
new file mode 100644
index 0000000000..90d9ea4039
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksWithoutHttpsPolicyAssignment.json
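Review bot: The `$schema` on the first line is `tenantDeploymentTemplate.json#`, but this template is a policy assignment deployed at a management group like its two siblings, which declare `managementGroupDeploymentTemplate.json#`; change it to `"$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#"` so validation tooling checks the `policyAssignments` resource against the scope it is actually deployed to and the three files stay consistent. The rest of the file is a copy of the privilege-escalation assignment with a different GUID, name and text, and the three AKS assignments differ only in those four values, so either a single parameterized template or at least a shared comment header naming the built-in being assigned (`// Built-in: Kubernetes cluster should not allow privileged containers (CIS 5.2.1)`) would remove the copy-drift that already produced this schema mismatch.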
@@ -0,0 +1,43 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "enforcementMode": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ],
+ "defaultValue": "Default"
+ }
+ },
+ "variables": {
+ "policyDefinitions": {
+ "denyHttpIngressAks": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d"
+ },
+ "policyAssignmentNames": {
+ "denyHttpIngressAks": "Enforce-AKS-HTTPS",
+ "description": "Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc",
+ "displayName": "Kubernetes clusters should be accessible only over HTTPS"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "name": "[variables('policyAssignmentNames').denyHttpIngressAks]",
+ "properties": {
+ "description": "[variables('policyAssignmentNames').description]",
+ "displayName": "[variables('policyAssignmentNames').displayName]",
+ "policyDefinitionId": "[variables('policyDefinitions').denyHttpIngressAks]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "parameters": {
+ "effect": {
+ "value": "deny"
+ }
+ }
+ }
+ }
+ ],
+ "outputs": {}
+}
\ No newline at end of file
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENY-DINE-APPEND-TLS-SSL-PolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DENY-DINE-APPEND-TLS-SSL-PolicyAssignment.json
new file mode 100644
index 0000000000..bb36ca473f
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/DENY-DINE-APPEND-TLS-SSL-PolicyAssignment.json
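Review bot: The assignment is named `Enforce-AKS-HTTPS` while the two sibling AKS assignments in this change are `Deny-Priv-Esc-AKS` and `Deny-Privileged-AKS`, the file is `DENY-AksWithoutHttpsPolicyAssignment.json`, and the effect is pinned to `"value": "deny"`; assignment names are what operators see in compliance views and what exemptions are keyed on, so use the same prefix, e.g. `"denyHttpIngressAks": "Deny-Http-Ingress-AKS"`, or document why this one is `Enforce-`. The variable key `denyHttpIngressAks` says something the `displayName` `Kubernetes clusters should be accessible only over HTTPS` does not — that the built-in presumably evaluates ingress objects rather than every cluster endpoint; if that is what definition `1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d` does, a one-line comment above the `policyDefinitions` entry saying so would save the next reader a lookup (confirm against the definition before writing it).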
@@ -0,0 +1,66 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + } + }, + "variables": { + "policyDefinitions": { + "deployEncryptionInTransit": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit')]" + }, + "policyAssignmentNames": { + "deployEncryptionInTransit": "Enforce-TLS-SSL", + "description": "Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. 
Deploy if not exist and append enforce but can be changed, and because missing exsistense condition require then the combination of Audit.", + "displayName": "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit" + }, + "rbacOwner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635", + "roleAssignmentNames": { + "deployEncryptionInTransit": "[guid(concat(parameters('topLevelManagementGroupPrefix'),variables('policyAssignmentNames').deployEncryptionInTransit))]" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2019-09-01", + "name": "[variables('policyAssignmentNames').deployEncryptionInTransit]", + "location": "[deployment().location]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').deployEncryptionInTransit]", + "enforcementMode": "[parameters('enforcementMode')]", + "parameters": {} + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2019-04-01-preview", + "name": "[variables('roleAssignmentNames').deployEncryptionInTransit]", + "dependsOn": [ + "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').deployEncryptionInTransit)]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacOwner'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').deployEncryptionInTransit), '2019-09-01', 'Full' ).identity.principalId)]" + } + } + ], + "outputs": {} +} \ No newline at end of file 
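Review bot: The `roleAssignments` resource grants the assignment's system-assigned identity the role `8e3af657-a8ff-443c-a75c-2fe8c4bcb635` (named `rbacOwner` in the variables), which is broader than a deployIfNotExists/append initiative that only edits TLS settings on existing resources should need; the DINE-LogAnalytics hunk already uses `b24988ac-6180-42a0-ab88-20f7382dd24c` (its `rbac` variable) for a heavier deployment, and Contributor-level rights would appear to cover this case too. Unless one of the initiative's deployments writes role assignments, I would drop this to the narrower role and document the reason next to the variable, e.g. `"rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c"`. The same Owner grant is repeated in the DINE-ASCConfig and DINE-ActivityLog hunks and deserves the same review. Separately, the `description` string has typos: `Deny polices shift left` should read `Deny policies shift left`, and `missing exsistense condition require` should read `a missing existence condition requires`.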
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENY-IPForwardingPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DENY-IPForwardingPolicyAssignment.json
new file mode 100644
index 0000000000..7d0acb83be
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/DENY-IPForwardingPolicyAssignment.json
@@ -0,0 +1,38 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "enforcementMode": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ],
+ "defaultValue": "Default"
+ }
+ },
+ "variables": {
+ "policyDefinitions": {
+ "denyIpForwarding": "/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900"
+ },
+ "policyAssignmentNames": {
+ "denyIpForwarding": "Deny-IP-forwarding",
+ "description": "This policy denies the network interfaces which enabled IP forwarding. The setting of IP forwarding disables Azure's check of the source and destination for a network interface. This should be reviewed by the network security team.",
+ "displayName": "Network interfaces should disable IP forwarding"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "name": "[variables('policyAssignmentNames').denyIpForwarding]",
+ "properties": {
+ "description": "[variables('policyAssignmentNames').description]",
+ "displayName": "[variables('policyAssignmentNames').displayName]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "policyDefinitionId": "[variables('policyDefinitions').denyIpForwarding]"
+ }
+ }
+ ],
+ "outputs": {}
+}
\ No newline at end of file
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENY-PublicEndpointPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DENY-PublicEndpointPolicyAssignment.json new file mode 100644 index 0000000000..d3c4083e43 --- /dev/null +++ b/eslzArm/managementGroupTemplates/policyAssignments/DENY-PublicEndpointPolicyAssignment.json 
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + } + }, + "variables": { + "policyDefinitions": { + "denyPublicEndpoint": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints')]" + }, + "policyAssignmentNames": { + "denyPublicEndpoint": "Deny-Public-Endpoints", + "displayName": "Public network access should be disabled for PaaS services", + "description": "This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2019-09-01", + "name": "[variables('policyAssignmentNames').denyPublicEndpoint]", + "location": "[deployment().location]", + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').denyPublicEndpoint]", + "enforcementMode": "[parameters('enforcementMode')]", + "parameters": {} + } + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENY-PublicIpAddressPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DENY-PublicIpAddressPolicyAssignment.json new file mode 100644 index 0000000000..518a31c90b --- /dev/null 
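Review bot: The initiative `Deny-PublicPaaSEndpoints` is assigned with `"parameters": {}`, so every member policy's effect presumably falls back to whatever default the initiative definition carries, and there is no way for an operator to assign it in audit mode first without editing the template. The single-policy templates in this commit expose `enforcementMode` for that purpose; an equivalent here would be an `effect` template parameter (allowed values per the initiative) passed through in `parameters`. The `"location": "[deployment().location]"` on the assignment is harmless but only needed when an `identity` block is present, which this assignment does not have.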
+++ b/eslzArm/managementGroupTemplates/policyAssignments/DENY-PublicIpAddressPolicyAssignment.json @@ -0,0 +1,45 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "maxLength": 10, + "metadata": { + "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of Enterprise-scale." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + } + }, + "variables": { + "policyDefinitions": { + "denyPip": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP')]" + }, + "policyAssignmentNames": { + "denyPip": "Deny-Public-IP", + "description": "This policy denies creation of Public IPs under the assigned scope.", + "displayName": "Deny the creation of public IP" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2019-09-01", + "name": "[variables('policyAssignmentNames').denyPip]", + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').denyPip]", + "enforcementMode": "[parameters('enforcementMode')]" + } + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENY-RDPFromInternetPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DENY-RDPFromInternetPolicyAssignment.json new file mode 100644 index 0000000000..5e883c03e9 --- /dev/null 
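Review bot: This is the only template in the set that constrains `topLevelManagementGroupPrefix` with `"maxLength": 10`; the same parameter is declared without it in the DENY-DINE-APPEND-TLS-SSL, DENY-PublicEndpoint, DENY-RDPFromInternet, DENY-SubnetWithoutNsg and DINE-* hunks, and its `metadata.description` text also differs from theirs. Since the prefix is concatenated into management-group and policy-definition resource IDs in every one of them, the constraint is as relevant there as here; I would either add `"maxLength": 10` to each declaration or remove it here so validation is consistently done in one place (the portal form's regex in `eslz-portal.json`).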
+++ b/eslzArm/managementGroupTemplates/policyAssignments/DENY-RDPFromInternetPolicyAssignment.json @@ -0,0 +1,44 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + } + }, + "variables": { + "policyDefinitions": { + "denyRdp": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet')]" + }, + "policyAssignmentNames": { + "denyRdp": "Deny-RDP-from-internet", + "description": "This policy denies any network security rule that allows RDP access from Internet", + "displayName": "RDP access from the Internet should be blocked" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2019-09-01", + "name": "[variables('policyAssignmentNames').denyRdp]", + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').denyRdp]", + "enforcementMode": "[parameters('enforcementMode')]" + } + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENY-StorageWithoutHttpsPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DENY-StorageWithoutHttpsPolicyAssignment.json new file mode 100644 index 0000000000..736cb73d89 --- /dev/null +++ b/eslzArm/managementGroupTemplates/policyAssignments/DENY-StorageWithoutHttpsPolicyAssignment.json 
@@ -0,0 +1,43 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + } + }, + "variables": { + "policyDefinitions": { + "storageHttps": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9" + }, + "policyAssignmentNames": { + "storageHttps": "Deny-Storage-http", + "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking", + "displayName": "Secure transfer to storage accounts should be enabled" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2019-09-01", + "name": "[variables('policyAssignmentNames').storageHttps]", + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').storageHttps]", + "enforcementMode": "[parameters('enforcementMode')]", + "parameters": { + "effect": { + "value": "Deny" + } + } + } + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENY-SubnetWithoutNsgPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DENY-SubnetWithoutNsgPolicyAssignment.json new file mode 100644 index 0000000000..62386bb0cc --- /dev/null +++ b/eslzArm/managementGroupTemplates/policyAssignments/DENY-SubnetWithoutNsgPolicyAssignment.json 
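Review bot: The `description` variable starts with `Audit requirement of Secure transfer in your storage account`, but the assignment sets `"effect": { "value": "Deny" }`, so the text shown to operators in the compliance view describes a weaker behaviour than the assignment actually enforces. The wording looks copied from the built-in definition's own description; for the assignment I would open with something like `Denies creation or update of storage accounts that do not require secure transfer (HTTPS).` and keep the remainder. The effect casing (`Deny` here versus `deny` in the two AKS hunks) is presumably dictated by each built-in's allowed values, so I am not asking for that to change.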
@@ -0,0 +1,44 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + } + }, + "variables": { + "policyDefinitions": { + "denySubnetWithoutNsg": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg')]" + }, + "policyAssignmentNames": { + "denySubnetWithoutNsg": "Deny-Subnet-Without-Nsg", + "description": "This policy denies the creation of a subsnet with out an Network Security Group. NSG help to protect traffic across subnet-level.", + "displayName": "Subnets should have a Network Security Group" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2019-09-01", + "name": "[variables('policyAssignmentNames').denySubnetWithoutNsg]", + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').denySubnetWithoutNsg]", + "enforcementMode": "[parameters('enforcementMode')]" + } + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-ASBPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-ASBPolicyAssignment.json new file mode 100644 index 0000000000..59d99f8b81 --- /dev/null +++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-ASBPolicyAssignment.json 
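Review bot: The `description` string has several typos that will surface verbatim in the portal: `subsnet with out an Network Security Group` should read `subnet without a Network Security Group`, and `NSG help to protect traffic across subnet-level` should read `NSGs help protect traffic at the subnet level`. Display name and assignment name are fine.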
@@ -0,0 +1,62 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + } + }, + "variables": { + "policyDefinitions": { + "ascMonitoring": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8" + }, + "policyAssignmentNames": { + "ascMonitoring": "Deploy-ASC-Monitoring", + "description": "Azure Security Benchmark policy initiative", + "displayName": "Azure Security Benchmark" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2019-09-01", + "name": "[variables('policyAssignmentNames').ascMonitoring]", + "location": "[deployment().location]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').ascMonitoring]", + "enforcementMode": "[parameters('enforcementMode')]", + "parameters": { + "identityDesignateLessThanOwnersMonitoringEffect": { + "value": "Disabled" + }, + "useRbacRulesMonitoringEffect": { + "value": "Disabled" + }, + "useServicePrincipalToProtectSubscriptionsMonitoringEffect": { + "value": "Disabled" + }, + "identityEnableMFAForOwnerPermissionsMonitoringEffect": { + "value": "Disabled" + }, + "networkWatcherShouldBeEnabledMonitoringEffect": { + "value": "Disabled" + }, + "autoProvisioningOfTheLogAnalyticsAgentShouldBeEnabledOnYourSubscriptionMonitoringEffect": { + "value": "Disabled" + } + } + } + } + ], + "outputs": {} +} \ No newline at end of file 
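Review bot: Six initiative parameters are pinned to `"Disabled"` — including `identityEnableMFAForOwnerPermissionsMonitoringEffect`, `useRbacRulesMonitoringEffect` and `networkWatcherShouldBeEnabledMonitoringEffect` — with nothing in `description` or `metadata` saying why, so those controls silently disappear from the benchmark's compliance view for every subscription under the assignment. If they are disabled because other templates in this commit cover them, I would state that in the `description`; otherwise consider exposing them as template parameters that default to the initiative's own default so operators can opt out deliberately. The assignment also declares `"identity": { "type": "SystemAssigned" }` and a `location`, but unlike the DINE hunks there is no `roleAssignments` resource and the initiative appears to be audit-only, so the identity looks unused and could be dropped.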
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-ASCConfigPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-ASCConfigPolicyAssignment.json new file mode 100644 index 0000000000..dfeb06f7fe --- /dev/null +++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-ASCConfigPolicyAssignment.json 
@@ -0,0 +1,202 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "logAnalyticsResourceId": { + "type": "string", + "metadata": { + "description": "Provide the resourceId to the central Log Analytics workspace." + } + }, + "emailContactAsc": { + "type": "string", + "metadata": { + "description": "Provide the email address to the ASC security contact." + } + }, + "enableAscForServers": { + "type": "string", + "allowedValues": [ + "Standard", + "Free" + ], + "defaultValue": "Free" + }, + "enableAscForSql": { + "type": "string", + "allowedValues": [ + "Standard", + "Free" + ], + "defaultValue": "Free" + }, + "enableAscForAppServices": { + "type": "string", + "allowedValues": [ + "Standard", + "Free" + ], + "defaultValue": "Free" + }, + "enableAscForStorage": { + "type": "string", + "allowedValues": [ + "Standard", + "Free" + ], + "defaultValue": "Free" + }, + "enableAscForRegistries": { + "type": "string", + "allowedValues": [ + "Standard", + "Free" + ], + "defaultValue": "Free" + }, + "enableAscForKeyVault": { + "type": "string", + "allowedValues": [ + "Standard", + "Free" + ], + "defaultValue": "Free" + }, + "enableAscForSqlOnVm": { + "type": "string", + "allowedValues": [ + "Standard", + "Free" + ], + "defaultValue": "Free" + }, + "enableAscForKubernetes": { + "type": "string", + "allowedValues": [ + "Standard", + "Free" + ], + "defaultValue": "Free" + }, + "enableAscForArm": { + "type": "string", + "allowedValues": [ + "Standard", + "Free" + ], + "defaultValue": "Free" + }, + "enableAscForDns": { + "type": 
"string", + "allowedValues": [ + "Standard", + "Free" + ], + "defaultValue": "Free" + } + }, + "variables": { + "policyDefinitions": { + "deployAzureSecurity": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Deploy-ASC-Config')]" + }, + "policyAssignmentNames": { + "azureSecurity": "Deploy-ASC-Configuration", + "description": "Deploy ASC configuration for Azure Defender and Security Contacts", + "displayName": "Deploy Azure Security Center configuration" + }, + "rbacOwner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635", + "roleAssignmentNames": { + "deployAzureSecurity": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').azureSecurity))]" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2019-09-01", + "name": "[variables('policyAssignmentNames').azureSecurity]", + "location": "[deployment().location]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').deployAzureSecurity]", + "enforcementMode": "[parameters('enforcementMode')]", + "parameters": { + "emailSecurityContact": { + "value": "[parameters('emailContactAsc')]" + }, + "logAnalytics": { + "value": "[parameters('logAnalyticsResourceId')]" + }, + "ascExportResourceGroupName": { + "value": "[concat(parameters('topLevelManagementGroupPrefix'), '-asc-export')]" + }, + "ascExportResourceGroupLocation": { + "value": "[deployment().location]" + }, + "pricingTierVms": { + "value": "[parameters('enableAscForServers')]" + }, + "pricingTierSqlServers": { + "value": "[parameters('enableAscForSql')]" + }, + "pricingTierAppServices": { + "value": "[parameters('enableAscForAppServices')]" + }, + 
"pricingTierStorageAccounts": { + "value": "[parameters('enableAscForStorage')]" + }, + "pricingTierContainerRegistry": { + "value": "[parameters('enableAscForRegistries')]" + }, + "pricingTierKeyVaults": { + "value": "[parameters('enableAscForKeyVault')]" + }, + "pricingTierSqlServerVirtualMachines": { + "value": "[parameters('enableAscForSqlOnVm')]" + }, + "pricingTierKubernetesService": { + "value": "[parameters('enableAscForKubernetes')]" + }, + "pricingTierArm": { + "value": "[parameters('enableAscForArm')]" + }, + "pricingTierDns": { + "value": "[parameters('enableAscForDns')]" + } + } + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2019-04-01-preview", + "name": "[variables('roleAssignmentNames').deployAzureSecurity]", + "dependsOn": [ + "[variables('policyAssignmentNames').azureSecurity]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacOwner'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').azureSecurity), '2019-09-01', 'Full' ).identity.principalId)]" + } + } + + ], + "outputs": {} +} \ No newline at end of file diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-ActivityLogPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-ActivityLogPolicyAssignment.json new file mode 100644 index 0000000000..c630e36954 --- /dev/null +++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-ActivityLogPolicyAssignment.json 
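Review bot: `roleAssignmentNames.deployAzureSecurity` references `parameters('toplevelManagementGroupPrefix')` while the parameter is declared as `topLevelManagementGroupPrefix`; ARM resolves parameter names case-insensitively as far as I know, so this works, but every other use in this template and in the sibling hunks spells it `topLevelManagementGroupPrefix` and the mismatch invites a grep miss. I would change it to `"[guid(concat(parameters('topLevelManagementGroupPrefix'),variables('policyAssignmentNames').azureSecurity))]"`. Also, `dependsOn` here uses the bare assignment name while the DENY-DINE-APPEND-TLS-SSL hunk uses `resourceId(...)` for the same relationship — pick one form across the set. The role granted to this identity is the same Owner definition raised in that earlier hunk.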
@@ -0,0 +1,79 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions." + } + }, + "logAnalyticsResourceId": { + "type": "string", + "metadata": { + "description": "Provide the resourceId for the central Log Analytics workspace." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + } + }, + "variables": { + "policyDefinitions": { + "deployAzureActivityLog": "/providers/Microsoft.Authorization/policyDefinitions/2465583e-4e78-4c15-b6be-a36cbc7c8b0f" + }, + "policyAssignmentNames": { + "azureActivityLog": "Deploy-AzActivity-Log", + "description": "Deploys the diagnostic settings for Azure Activity to stream subscriptions audit logs to a Log Analytics workspace to monitor subscription-level events", + "displayName": "Configure Azure Activity logs to stream to specified Log Analytics workspace" + }, + "rbacOwner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635", + "roleAssignmentNames": { + "deployAzureActivityLog": "[guid(concat(parameters('topLevelManagementGroupPrefix'),variables('policyAssignmentNames').azureActivityLog))]" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2019-09-01", + "name": "[variables('policyAssignmentNames').azureActivityLog]", + "location": "[deployment().location]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').deployAzureActivityLog]", + "enforcementMode": "[parameters('enforcementMode')]", + 
"parameters": { + "logAnalytics": { + "value": "[parameters('logAnalyticsResourceId')]" + }, + "logsEnabled": { + "value": "True" + } + } + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2019-04-01-preview", + "name": "[variables('roleAssignmentNames').deployAzureActivityLog]", + "dependsOn": [ + "[variables('policyAssignmentNames').azureActivityLog]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacOwner'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').azureActivityLog), '2019-09-01', 'Full' ).identity.principalId)]" + } + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-AksPolicyPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-AksPolicyPolicyAssignment.json new file mode 100644 index 0000000000..25467b58f2 --- /dev/null +++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-AksPolicyPolicyAssignment.json 
@@ -0,0 +1,65 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + } + }, + "variables": { + "policyDefinitions": { + "deployAks": "/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7" + }, + "policyAssignmentNames": { + "deployAks": "Deploy-AKS-Policy", + "description": "Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc.", + "displayName": "Deploy Azure Policy Add-on to Azure Kubernetes Service clusters" + }, + "rbac": "ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8", + "roleAssignmentNames": { + "deployAks": "[guid(concat(parameters('topLevelManagementGroupPrefix'), variables('policyAssignmentNames').deployAks))]" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2019-09-01", + "name": "[variables('policyAssignmentNames').deployAks]", + "location": "[deployment().location]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').deployAks]", + "enforcementMode": "[parameters('enforcementMode')]" + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2019-04-01-preview", + "name": "[variables('roleAssignmentNames').deployAks]", + "dependsOn": [ + "[variables('policyAssignmentNames').deployAks]" + ], + 
"properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbac'))]", + "principalId": "[reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').deployAks), '2019-09-01', 'Full' ).identity.principalId]" + } + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-LogAnalyticsPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-LogAnalyticsPolicyAssignment.json new file mode 100644 index 0000000000..7e1fe22d4f --- /dev/null +++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-LogAnalyticsPolicyAssignment.json 
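Review bot: `principalId` here is `[reference(...).identity.principalId]` without the `toLower(...)` wrapper that every other `roleAssignments` resource in this commit applies to the same expression; the value is a GUID so it should not matter functionally, but the inconsistency reads as an oversight and makes the templates harder to diff against each other. Either wrap it as the siblings do or drop `toLower` everywhere. The role GUID in `variables.rbac` would benefit from a name that says which built-in role it is, as the `rbacOwner` variable does in the neighbouring templates.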
@@ -0,0 +1,121 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions." + } + }, + "enforcementMode": { + "type": "string", + "allowedValues": [ + "Default", + "DoNotEnforce" + ], + "defaultValue": "Default" + }, + "retentionInDays": { + "type": "string", + "metadata": { + "description": "Select retention days for the logs in Log Analytics. This string will be converted to Int during deployment." + } + }, + "logAnalyticsWorkspaceName": { + "type": "string", + "metadata": { + "description": "Provide the name for the central Log Analytics workspace." + } + }, + "automationAccountName": { + "type": "string", + "metadata": { + "description": "Provide the name for the Automation Account" + } + }, + "workspaceRegion": { + "type": "string", + "metadata": { + "description": "Select the region for the Log Analytics workspace" + } + }, + "automationRegion": { + "type": "string", + "metadata": { + "description": "Select the region for the Automation Account" + } + }, + "rgName": { + "type": "string", + "metadata": { + "description": "Provide a name for the Resource Group to host Log Analytics and Azure Automation" + } + } + }, + "variables": { + "policyDefinitions": { + "deployLogAnalytics": "/providers/Microsoft.Authorization/policyDefinitions/8e3e61b3-0b32-22d5-4edf-55f87fdb5955" + }, + "policyAssignmentNames": { + "logAnalytics": "Deploy-Log-Analytics", + "description": "Deploy resource group containing Log Analytics workspace and linked automation account to centralize logs and monitoring. 
The automation account is aprerequisite for solutions like Updates and Change Tracking.", + "displayName": "Configure Log Analytics workspace and automation account to centralize logs and monitoring" + }, + "rbac": "b24988ac-6180-42a0-ab88-20f7382dd24c", + "roleAssignmentNames": { + "deployLogAnalytics": "[guid(concat(parameters('topLevelManagementGroupPrefix'), variables('policyAssignmentNames').logAnalytics))]" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2019-09-01", + "name": "[variables('policyAssignmentNames').loganalytics]", + "location": "[deployment().location]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "[variables('policyAssignmentNames').description]", + "displayName": "[variables('policyAssignmentNames').displayName]", + "policyDefinitionId": "[variables('policyDefinitions').deployLogAnalytics]", + "enforcementMode": "[parameters('enforcementMode')]", + "parameters": { + "workspaceName": { + "value": "[parameters('logAnalyticsWorkspaceName')]" + }, + "automationAccountName": { + "value": "[parameters('automationAccountName')]" + }, + "workspaceRegion": { + "value": "[parameters('workspaceRegion')]" + }, + "automationRegion": { + "value": "[parameters('automationRegion')]" + }, + "rgName": { + "value": "[parameters('rgName')]" + }, + "dataRetention": { + "value": "[parameters('retentionInDays')]" + } + } + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2019-04-01-preview", + "name": "[variables('roleAssignmentNames').deployLogAnalytics]", + "dependsOn": [ + "[variables('policyAssignmentNames').loganalytics]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbac'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').loganalytics), 
'2019-09-01', 'Full' ).identity.principalId)]" + } + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-PrivateDNSZonesPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-PrivateDNSZonesPolicyAssignment.json new file mode 100644 index 0000000000..7330a274d8 --- /dev/null +++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-PrivateDNSZonesPolicyAssignment.json 
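Review bot: The assignment `name`, the `dependsOn` entry and the `principalId` reference all use `variables('policyAssignmentNames').loganalytics`, but the variable is declared as `logAnalytics`; if ARM's property lookup is case-insensitive this resolves, but the template should not rely on that, and matching the declared casing (`variables('policyAssignmentNames').logAnalytics`) removes the doubt. `retentionInDays` is declared as `"type": "string"` with a description promising conversion to Int, yet it is passed straight through as `"dataRetention": { "value": "[parameters('retentionInDays')]" }`; if the policy definition expects an integer, either declare the parameter as `"type": "int"` or wrap it as `[int(parameters('retentionInDays'))]`. Finally, `aprerequisite` in the description should read `a prerequisite`.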
@@ -0,0 +1,167 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions."
+ }
+ },
+ "enforcementMode": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ],
+ "defaultValue": "Default"
+ },
+ "dnsZoneResourceGroupId": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the resourceId of the resource group for private DNS, which will construct the full resourceId for the private DNS zones."
+ }
+ },
+ "location": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the location where the virtual network is created (hub)"
+ }
+ }
+ },
+ "variables": {
+ "baseId": "[concat(parameters('dnsZoneResourceGroupId'), '/providers/Microsoft.Network/privateDnsZones/')]",
+ "policyParameterMapping": {
+ "azureFilePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.afs.azure.net')]",
+ "azureWebPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.webpubsub.azure.com')]",
+ "azureBatchPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.', parameters('location'), '.batch.azure.com')]",
+ "azureAppPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.azconfig.io')]",
+ "azureAsrPrivateDnsZoneId": "[concat(variables('baseId'), parameters('location'), '.privatelink.siterecovery.windowsazure.com')]",
+ "azureIotPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.azure-devices-provisioning.net')]",
+ "azureKeyVaultPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.vaultcore.azure.net')]",
+ "azureSignalRPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.service.signalr.net')]",
+ "azureAppServicesPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.azurewebsites.net')]",
+ "azureEventGridTopicsPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.eventgrid.azure.net')]",
+ "azureDiskAccessPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.blob.core.windows.net')]",
+ "azureCognitiveServicesPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.cognitiveservices.azure.com')]",
+ "azureIotHubsPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.azure-devices.net')]",
+ "azureEventGridDomainsPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.eventgrid.azure.net')]",
+ "azureRedisCachePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.redis.cache.windows.net')]",
+ "azureAcrPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.azurecr.io')]",
+ "azureEventHubNamespacePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.servicebus.windows.net')]",
+ "azureMachineLearningWorkspacePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.api.azureml.ms')]",
+ "azureServiceBusNamespacePrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.servicebus.windows.net')]",
+ "azureCognitiveSearchPrivateDnsZoneId": "[concat(variables('baseId'), 'privatelink.search.windows.net')]"
+ },
+ "policyDefinitions": {
+ "deployPrivateDnsZones": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones')]"
+ },
+ "policyAssignmentNames": {
+ "deployPrivateDnsZones": "Deploy-Private-DNS-Zones",
+ "displayName": "Configure Azure PaaS services to use private DNS zones",
+ "description": "This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones"
+ },
+ "roleAssignmentNames": {
+ "deployPrivateDnsZones": "[guid(concat(parameters('topLevelManagementGroupPrefix'), variables('policyAssignmentNames').deployPrivateDnsZones))]"
+ },
+ "policyRbac": "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "name": "[variables('policyAssignmentNames').deployPrivateDnsZones]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "[variables('policyAssignmentNames').description]",
+ "displayName": "[variables('policyAssignmentNames').displayName]",
+ "policyDefinitionId": "[variables('policyDefinitions').deployPrivateDnsZones]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "parameters": {
+ "azureFilePrivateDnsZoneId": {
+ "value": "[variables('policyParameterMapping').azureFilePrivateDnsZoneId]"
+ },
+ "azureWebPrivateDnsZoneId": {
+ "value": "[variables('policyParameterMapping').azureWebPrivateDnsZoneId]"
+ },
+ "azureBatchPrivateDnsZoneId": {
+ "value": "[variables('policyParameterMapping').azureBatchPrivateDnsZoneId]"
+ },
+ "azureAppPrivateDnsZoneId": {
+ "value": "[variables('policyParameterMapping').azureAppPrivateDnsZoneId]"
+ },
+ "azureAsrPrivateDnsZoneId": {
+ "value": "[variables('policyParameterMapping').azureAsrPrivateDnsZoneId]"
+ },
+ "azureIoTPrivateDnsZoneId": {
+ "value": "[variables('policyParameterMapping').azureIotPrivateDnsZoneId]"
+ },
+ "azureKeyVaultPrivateDnsZoneId": {
+ "value": "[variables('policyParameterMapping').azureKeyVaultPrivateDnsZoneId]"
+ },
+ "azureSignalRPrivateDnsZoneId": {
+ "value": "[variables('policyParameterMapping').azureSignalRPrivateDnsZoneId]"
+ },
+ "azureAppServicesPrivateDnsZoneId": {
+ "value": "[variables('policyParameterMapping').azureAppServicesPrivateDnsZoneId]"
+ },
+ "azureEventGridTopicsPrivateDnsZoneId": {
+ "value": "[variables('policyParameterMapping').azureEventGridTopicsPrivateDnsZoneId]"
+ },
+ "azureDiskAccessPrivateDnsZoneId": {
+ "value": "[variables('policyParameterMapping').azureDiskAccessPrivateDnsZoneId]"
+ },
+ "azureCognitiveServicesPrivateDnsZoneId": {
+ "value": "[variables('policyParameterMapping').azureCognitiveServicesPrivateDnsZoneId]"
+ },
+ "azureIotHubsPrivateDnsZoneId": {
+ "value": "[variables('policyParameterMapping').azureIotHubsPrivateDnsZoneId]"
+ },
+ "azureEventGridDomainsPrivateDnsZoneId": {
+ "value": "[variables('policyParameterMapping').azureEventGridDomainsPrivateDnsZoneId]"
+ },
+ "azureRedisCachePrivateDnsZoneId": {
+ "value": "[variables('policyParameterMapping').azureRedisCachePrivateDnsZoneId]"
+ },
+ "azureAcrPrivateDnsZoneId": {
+ "value": "[variables('policyParameterMapping').azureAcrPrivateDnsZoneId]"
+ },
+ "azureEventHubNamespacePrivateDnsZoneId": {
+ "value": "[variables('policyParameterMapping').azureEventHubNamespacePrivateDnsZoneId]"
+ },
+ "azureMachineLearningWorkspacePrivateDnsZoneId": {
+ "value": "[variables('policyParameterMapping').azureMachineLearningWorkspacePrivateDnsZoneId]"
+ },
+ "azureServiceBusNamespacePrivateDnsZoneId": {
+ "value": "[variables('policyParameterMapping').azureServiceBusNamespacePrivateDnsZoneId]"
+ },
+ "azureCognitiveSearchPrivateDnsZoneId": {
+ "value": "[variables('policyParameterMapping').azureCognitiveSearchPrivateDnsZoneId]"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2019-04-01-preview",
+ "name": "[variables('roleAssignmentNames').deployPrivateDnsZones]",
+ "dependsOn": [
+ "[variables('policyAssignmentNames').deployPrivateDnsZones]"
+ ],
+ "properties": {
+ "principalType": "ServicePrincipal",
+ "roleDefinitionId": "[variables('policyRbac')]",
+ "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').deployPrivateDnsZones), '2019-09-01', 'Full').identity.principalId)]"
+ }
+ }
+ ],
+ "outputs": {
+ "principalId": {
+ "type": "string",
+ "value": "[reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').deployPrivateDnsZones), '2019-09-01', 'Full').identity.principalId]"
+ }
+ }
+}
\ No newline at end of file
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-ResourceDiagnosticsPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-ResourceDiagnosticsPolicyAssignment.json
new file mode 100644
index 0000000000..848f556c70
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-ResourceDiagnosticsPolicyAssignment.json
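Review bot: The assignment parameter key `azureIoTPrivateDnsZoneId` does not match the name the initiative declares, `azureIotPrivateDnsZoneId` (the spelling this same template uses in `policyParameterMapping` and on the value side of that entry); if the policy service compares assignment parameter names case-sensitively, the deployment is rejected for passing an undeclared parameter, so align it: `"azureIotPrivateDnsZoneId": {`. The single role assignment grants Network Contributor at the deployment scope only, while the zones are addressed through `dnsZoneResourceGroupId`; if that resource group sits in a subscription outside this management group the managed identity presumably cannot create zone groups there, which deserves a sentence in the parameter description or a second assignment scoped to the DNS resource group. The `location` description ("where the virtual network is created (hub)") is misleading because the value is only used to build the region-specific Batch and Site Recovery zone names; consider `"description": "Provide the Azure region used in the region-specific private DNS zone names (Batch, Site Recovery)."`. `policyRbac` stores a full roleDefinitions path while the sibling templates store the bare GUID and concat the prefix; one convention across the folder makes the granted roles easier to audit.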
@@ -0,0 +1,76 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the ESLZ prefix to your intermediate root management group containing the policy definitions."
+ }
+ },
+ "logAnalyticsResourceId": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the resourceId to the central Log Analytics workspace."
+ }
+ },
+ "enforcementMode": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ],
+ "defaultValue": "Default"
+ }
+ },
+ "variables": {
+ "policyDefinitions": {
+ "deployResourceDiagnostics": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics')]"
+ },
+ "policyAssignmentNames": {
+ "resourceDiagnostics": "Deploy-Resource-Diag",
+ "description": "This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included",
+ "displayName": "Deploy Diagnostic Settings to Azure Services"
+ },
+ "rbacOwner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
+ "roleAssignmentNames": {
+ "deployResourceRiagnostics": "[guid(concat(parameters('topLevelManagementGroupPrefix'), variables('policyAssignmentNames').resourceDiagnostics))]"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "name": "[variables('policyAssignmentNames').resourceDiagnostics]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "[variables('policyAssignmentNames').description]",
+ "displayName": "[variables('policyAssignmentNames').displayName]",
+ "policyDefinitionId": "[variables('policyDefinitions').deployResourceDiagnostics]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[parameters('logAnalyticsResourceId')]"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2019-04-01-preview",
+ "name": "[variables('roleAssignmentNames').deployResourceRiagnostics]",
+ "dependsOn": [
+ "[variables('policyAssignmentNames').resourceDiagnostics]"
+ ],
+ "properties": {
+ "principalType": "ServicePrincipal",
+ "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacOwner'))]",
+ "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').resourceDiagnostics), '2019-09-01', 'Full' ).identity.principalId)]"
+ }
+ }
+ ],
+ "outputs": {}
+}
\ No newline at end of file
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-SQLAuditingPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-SQLAuditingPolicyAssignment.json
new file mode 100644
index 0000000000..f1e656caa2
--- /dev/null
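Review bot: `rbacOwner` (8e3af657-a8ff-443c-a75c-2fe8c4bcb635 is the built-in Owner role) is granted at the deployment scope to the assignment's managed identity, which is far more than a DeployIfNotExists for diagnostic settings needs and lets that identity create further role assignments anywhere under the management group. Diagnostic-settings policies conventionally declare Monitoring Contributor and Log Analytics Contributor as their roleDefinitionIds, so replace the Owner grant with the two scoped assignments sketched below (confirm the GUIDs against the roleDefinitionIds declared by the member policies of Deploy-Diagnostics-LogAnalytics). The same Owner grant is repeated in DINE-SQLAuditingPolicyAssignment.json, DINE-SQLEncryptionPolicyAssignment.json, DINE-VMBackupPolicyAssignment.json, DINE-VMMonitoringPolicyAssignment.json and DINE-VMSSMonitoringPolicyAssignment.json, each of which should grant only the roles its own policy definition lists. The key `deployResourceRiagnostics` is a typo for `deployResourceDiagnostics`; it is spelled the same way in both places, so it deploys, but it defeats a search.
```json
"rbacMonitoringContributor": "749f88d5-cbae-40b8-bcfc-e573ddc772fa",
"rbacLogAnalyticsContributor": "92aaf0da-9dab-42b6-94a3-d43ce8d16293",
"roleAssignmentNames": {
  "monitoringContributor": "[guid(concat(parameters('topLevelManagementGroupPrefix'), 'monitoring', variables('policyAssignmentNames').resourceDiagnostics))]",
  "logAnalyticsContributor": "[guid(concat(parameters('topLevelManagementGroupPrefix'), 'loganalytics', variables('policyAssignmentNames').resourceDiagnostics))]"
}

{
  "type": "Microsoft.Authorization/roleAssignments",
  "apiVersion": "2019-04-01-preview",
  "name": "[variables('roleAssignmentNames').monitoringContributor]",
  "dependsOn": [ "[variables('policyAssignmentNames').resourceDiagnostics]" ],
  "properties": {
    "principalType": "ServicePrincipal",
    "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacMonitoringContributor'))]",
    "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').resourceDiagnostics), '2019-09-01', 'Full').identity.principalId)]"
  }
},
{
  "type": "Microsoft.Authorization/roleAssignments",
  "apiVersion": "2019-04-01-preview",
  "name": "[variables('roleAssignmentNames').logAnalyticsContributor]",
  "dependsOn": [ "[variables('policyAssignmentNames').resourceDiagnostics]" ],
  "properties": {
    "principalType": "ServicePrincipal",
    "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacLogAnalyticsContributor'))]",
    "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').resourceDiagnostics), '2019-09-01', 'Full').identity.principalId)]"
  }
}
```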
+++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-SQLAuditingPolicyAssignment.json 
@@ -0,0 +1,65 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions."
+ }
+ },
+ "enforcementMode": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ],
+ "defaultValue": "Default"
+ }
+ },
+ "variables": {
+ "policyDefinitions": {
+ "deploySqlAuditing": "/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9"
+ },
+ "policyAssignmentNames": {
+ "deploySqlAuditing": "Deploy-SQL-DB-Auditing",
+ "description": "Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log.",
+ "displayName": "Auditing on SQL server should be enabled"
+ },
+ "rbacOwner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
+ "roleAssignmentNames": {
+ "deploySqlAuditing": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').deploySqlAuditing))]"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "name": "[variables('policyAssignmentNames').deploySqlAuditing]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "[variables('policyAssignmentNames').description]",
+ "displayName": "[variables('policyAssignmentNames').displayName]",
+ "policyDefinitionId": "[variables('policyDefinitions').deploySqlAuditing]",
+ "enforcementMode": "[parameters('enforcementMode')]"
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2019-04-01-preview",
+ "name": "[variables('roleAssignmentNames').deploySqlAuditing]",
+ "dependsOn": [
+ "[variables('policyAssignmentNames').deploySqlAuditing]"
+ ],
+ "properties": {
+ "principalType": "ServicePrincipal",
+ "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacOwner'))]",
+ "principalId": "[reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').deploySqlAuditing), '2019-09-01', 'Full' ).identity.principalId]"
+ }
+ }
+ ],
+ "outputs": {}
+}
\ No newline at end of file
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-SQLEncryptionPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-SQLEncryptionPolicyAssignment.json
new file mode 100644
index 0000000000..d7182cc3f2
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-SQLEncryptionPolicyAssignment.json
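Review bot: `principalId` in the role assignment omits the `toLower(...)` wrapper every sibling template applies to the same `reference(...).identity.principalId` expression; it deploys either way, but the role-assignment derivation should follow one pattern across the folder, i.e. `"principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').deploySqlAuditing), '2019-09-01', 'Full').identity.principalId)]"`. The guid seed references `parameters('toplevelManagementGroupPrefix')` while the declared parameter is `topLevelManagementGroupPrefix`; ARM resolves parameter names case-insensitively, so it works, but the differing spelling hides the reference from a search for the parameter. The guid seed also has no separator between the two `concat` arguments (`'),variables(`), unlike the other templates; cosmetic, but worth normalising in the same pass.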
@@ -0,0 +1,66 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions."
+ }
+ },
+ "enforcementMode": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ],
+ "defaultValue": "Default"
+ }
+ },
+ "variables": {
+ "policyDefinitions": {
+ "deploySqlEncryption": "/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5"
+ },
+ "policyAssignmentNames": {
+ "deploySqlEncryption": "Deploy-SQL-Threat",
+ "description": "This policy ensures that Threat Detection is enabled on SQL Servers.",
+ "displayName": "Deploy Threat Detection on SQL servers"
+
+ },
+ "rbacOwner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
+ "roleAssignmentNames": {
+ "deploySqlEncryption": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').deploySqlEncryption))]"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "name": "[variables('policyAssignmentNames').deploySqlEncryption]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "[variables('policyAssignmentNames').description]",
+ "displayName": "[variables('policyAssignmentNames').displayName]",
+ "policyDefinitionId": "[variables('policyDefinitions').deploySqlEncryption]",
+ "enforcementMode": "[parameters('enforcementMode')]"
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2019-04-01-preview",
+ "name": "[variables('roleAssignmentNames').deploySqlEncryption]",
+ "dependsOn": [
+ "[variables('policyAssignmentNames').deploySqlEncryption]"
+ ],
+ "properties": {
+ "principalType": "ServicePrincipal",
+ "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacOwner'))]",
+ "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').deploySqlEncryption), '2019-09-01', 'Full' ).identity.principalId)]"
+ }
+ }
+ ],
+ "outputs": {}
+}
\ No newline at end of file
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMBackupPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMBackupPolicyAssignment.json
new file mode 100644
index 0000000000..07340a0c99
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMBackupPolicyAssignment.json
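Review bot: The variable keys say `deploySqlEncryption` and the file is named DINE-SQLEncryptionPolicyAssignment.json, but the definition assigned (36d49e87-48c4-4f2e-beed-ba4ed02b71f5), the assignment name `Deploy-SQL-Threat` and the display name all concern SQL threat detection, not encryption; anyone auditing what this assignment enforces will be misled, so either rename the keys (and the file) to something like `deploySqlThreatDetection`, or, if transparent data encryption was the intent, assign that definition instead. There is a stray empty `+` line inside `policyAssignmentNames` after `displayName`. As in DINE-SQLAuditingPolicyAssignment.json, the guid seed spells the parameter `toplevelManagementGroupPrefix`, differing from its declaration `topLevelManagementGroupPrefix`.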
@@ -0,0 +1,67 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "maxLength": 10,
+ "metadata": {
+ "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of Enterprise-scale."
+ }
+ },
+ "enforcementMode": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ],
+ "defaultValue": "Default"
+ }
+ },
+ "variables": {
+ "policyDefinitions": {
+ "deployVmBackup": "/providers/Microsoft.Authorization/policyDefinitions/98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86"
+ },
+ "policyAssignmentNames": {
+ "deployVmBackup": "Deploy-VM-Backup",
+ "description": "Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag.",
+ "displayName": "Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy"
+ },
+ "rbacOwner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
+ "roleAssignmentNames": {
+ "deployVmBackup": "[guid(concat(parameters('toplevelManagementGroupPrefix'), 'identity', variables('policyAssignmentNames').deployVmBackup))]"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "name": "[variables('policyAssignmentNames').deployVmBackup]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "[variables('policyAssignmentNames').description]",
+ "displayName": "[variables('policyAssignmentNames').displayName]",
+ "policyDefinitionId": "[variables('policyDefinitions').deployVmBackup]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "parameters": {}
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2019-04-01-preview",
+ "name": "[variables('roleAssignmentNames').deployVmBackup]",
+ "dependsOn": [
+ "[variables('policyAssignmentNames').deployVmBackup]"
+ ],
+ "properties": {
+ "principalType": "ServicePrincipal",
+ "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacOwner'))]",
+ "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').deployVmBackup), '2019-09-01', 'Full' ).identity.principalId)]"
+ }
+ }
+ ],
+ "outputs": {}
+}
\ No newline at end of file
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMMonitoringPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMMonitoringPolicyAssignment.json
new file mode 100644
index 0000000000..a69fd99fcc
--- /dev/null
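Review bot: The guid seed `concat(parameters('toplevelManagementGroupPrefix'), 'identity', ...)` inserts a literal `'identity'` that none of the sibling templates use and spells the parameter differently from its declaration; neither breaks the deployment, but role assignment names should be derived by one rule across the folder: `"deployVmBackup": "[guid(concat(parameters('topLevelManagementGroupPrefix'), variables('policyAssignmentNames').deployVmBackup))]"`. `"parameters": {}` leaves the exclusion tag the description advertises unset, so the assignment presumably falls back to the definition's defaults for the tag name and value; if no opt-out is intended the description should say so, otherwise expose the tag as template parameters. This template declares `"maxLength": 10` on the prefix while the DNS, diagnostics and SQL templates do not; the constraint belongs in all of them or none.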
+++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMMonitoringPolicyAssignment.json 
@@ -0,0 +1,78 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "maxLength": 10,
+ "metadata": {
+ "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of Enterprise-scale."
+ }
+ },
+ "logAnalyticsResourceId": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the resourceId to the central Log Analytics workspace"
+ }
+ },
+ "enforcementMode": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ],
+ "defaultValue": "Default"
+ }
+ },
+ "variables": {
+ "policyDefinitions": {
+ "vmMonitoring": "/providers/Microsoft.Authorization/policySetDefinitions/55f3eceb-5573-4f18-9695-226972c6d74a"
+ },
+ "policyAssignmentNames": {
+ "vmMonitoring": "Deploy-VM-Monitoring",
+ "description": "Enable Azure Monitor for the virtual machines (VMs) in the specified scope (management group, subscription or resource group). Takes Log Analytics workspace as parameter.",
+ "displayName": "Enable Azure Monitor for VMs"
+ },
+ "rbacOwner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
+ "roleAssignmentNames": {
+ "deployVmMonitoring": "[guid(concat(parameters('topLevelManagementGroupPrefix'),variables('policyAssignmentNames').vmMonitoring))]"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "name": "[variables('policyAssignmentNames').vmMonitoring]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "[variables('policyAssignmentNames').description]",
+ "displayName": "[variables('policyAssignmentNames').displayName]",
+ "policyDefinitionId": "[variables('policyDefinitions').vmMonitoring]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "parameters": {
+ "logAnalytics_1": {
+ "value": "[parameters('logAnalyticsResourceId')]"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2019-04-01-preview",
+ "name": "[variables('roleAssignmentNames').deployVmMonitoring]",
+ "dependsOn": [
+ "[variables('policyAssignmentNames').vmMonitoring]"
+ ],
+ "properties": {
+ "principalType": "ServicePrincipal",
+ "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacOwner'))]",
+ "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmMonitoring), '2019-09-01', 'Full' ).identity.principalId)]"
+ }
+ }
+ ],
+ "outputs": {}
+}
+ 
\ No newline at end of file
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMSSMonitoringPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMSSMonitoringPolicyAssignment.json
new file mode 100644
index 0000000000..ca0e41dbf4
--- /dev/null
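Review bot: The file ends with a whitespace-only `+ ` line after the closing brace and still carries no trailing newline, unlike the sibling templates; drop the stray line and terminate the file with a newline. The assignment key `vmMonitoring` and the role assignment key `deployVmMonitoring` follow different naming rules within one file, whereas the SQL and DDoS templates use the same key in both maps; pick one rule. `logAnalyticsResourceId` has no constraint, so an empty string is accepted and only fails at remediation time; a `"minLength": 1` alongside the description (which, unlike the diagnostics template, also lacks a closing period) would reject it at validation.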
+++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMSSMonitoringPolicyAssignment.json 
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "maxLength": 10,
+ "metadata": {
+ "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of Enterprise-scale."
+ }
+ },
+ "logAnalyticsResourceId": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the resourceId to the central Log Analytics workspace"
+ }
+ },
+ "enforcementMode": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ],
+ "defaultValue": "Default"
+ }
+ },
+ "variables": {
+ "policyDefinitions": {
+ "vmssMonitoring": "/providers/Microsoft.Authorization/policySetDefinitions/75714362-cae7-409e-9b99-a8e5075b7fad"
+ },
+ "policyAssignmentNames": {
+ "vmssMonitoring": "Deploy-VMSS-Monitoring",
+ "description": "Enable Azure Monitor for the Virtual Machine Scale Sets in the specified scope (Management group, Subscription or resource group). Takes Log Analytics workspace as parameter. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances.",
+ "displayName": "Enable Azure Monitor for Virtual Machine Scale Sets"
+ },
+ "rbacOwner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
+ "roleAssignmentNames": {
+ "deployVmssMonitoring": "[guid(concat(parameters('topLevelManagementGroupPrefix'),variables('policyAssignmentNames').vmssMonitoring))]"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "name": "[variables('policyAssignmentNames').vmssMonitoring]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "[variables('policyAssignmentNames').description]",
+ "displayName": "[variables('policyAssignmentNames').displayName]",
+ "policyDefinitionId": "[variables('policyDefinitions').vmssMonitoring]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "parameters": {
+ "logAnalytics_1": {
+ "value": "[parameters('logAnalyticsResourceId')]"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2019-04-01-preview",
+ "name": "[variables('roleAssignmentNames').deployVmssMonitoring]",
+ "dependsOn": [
+ "[variables('policyAssignmentNames').vmssMonitoring]"
+ ],
+ "properties": {
+ "principalType": "ServicePrincipal",
+ "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacOwner'))]",
+ "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmssMonitoring), '2019-09-01', 'Full' ).identity.principalId)]"
+ }
+ }
+ ],
+ "outputs": {}
+}
\ No newline at end of file
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/MODIFY-DDoSPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/MODIFY-DDoSPolicyAssignment.json
new file mode 100644
index 0000000000..0d8f6a13c3
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/MODIFY-DDoSPolicyAssignment.json 
@@ -0,0 +1,79 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions."
+ }
+ },
+ "ddosPlanResourceId": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the resourceId to the DDos Standard Plan in your connectivity subscription."
+ }
+ },
+ "enforcementMode": {
+ "type": "string",
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ],
+ "defaultValue": "Default"
+ }
+ },
+ "variables": {
+ "policyDefinitions": {
+ "deployDoS": "/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d"
+ },
+ "policyAssignmentNames": {
+ "deployDdoS": "Enable-DDoS-VNET",
+ "description": "Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Protection Standard. For more information, visit https://aka.ms/ddosprotectiondocs.",
+ "displayName": "Virtual networks should be protected by Azure DDoS Protection Standard"
+ },
+ "rbacNetworkContributor": "4d97b98b-1d4f-4787-a291-c67834d212e7",
+ "roleAssignmentNames": {
+ "deployDdoS": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').deployDdoS))]"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "name": "[variables('policyAssignmentNames').deployDdoS]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "[variables('policyAssignmentNames').description]",
+ "displayName": "[variables('policyAssignmentNames').displayName]",
+ "policyDefinitionId": "[variables('policyDefinitions').deployDoS]",
+ "enforcementMode": "[parameters('enforcementMode')]",
+ "parameters": {
+ "ddosPlan": {
+ "value": "[parameters('ddosPlanResourceId')]"
+ },
+ "effect": {
+ "value": "Modify"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2019-04-01-preview",
+ "name": "[variables('roleAssignmentNames').deployDdoS]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').deployDdoS)]"
+ ],
+ "properties": {
+ "principalType": "ServicePrincipal",
+ "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacNetworkContributor'))]",
+ "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').deployDdoS), '2019-09-01', 'Full' ).identity.principalId)]"
+ }
+ }
+ ],
+ "outputs": {}
+}
\ No newline at end of file
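Review bot: The definition key `deployDoS` and the assignment/role keys `deployDdoS` differ by one letter, so `variables('policyDefinitions').deployDoS` in `policyDefinitionId` reads like a typo even though it resolves; rename the definition key to `deployDdoS` in both places. The `Modify` effect has the managed identity attach each in-scope VNet to the plan named by `ddosPlanResourceId`, which the description places in the connectivity subscription, yet Network Contributor is granted only at the deployment scope; if that subscription sits outside this management group the join presumably fails, which the parameter description should state. `dependsOn` here uses `resourceId('Microsoft.Authorization/policyAssignments', ...)` while every sibling uses the bare assignment name; both resolve, but one form should be used throughout. `"DDos Standard Plan"` in the parameter description should read `DDoS`.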
diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/DINE-PrivateDNSZonesPolicySetDefinition.json b/eslzArm/managementGroupTemplates/policyDefinitions/DINE-PrivateDNSZonesPolicySetDefinition.json
new file mode 100644
index 0000000000..abc6fb2f0c
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyDefinitions/DINE-PrivateDNSZonesPolicySetDefinition.json
@@ -0,0 +1,448 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "resources": [ + { + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2019-09-01", + "name": "Deploy-Private-DNS-Zones", + "properties": { + "metadata": { + "version": "1.0.0", + "category": "Network" + }, + "displayName": "Configure Azure PaaS services to use private DNS zones", + "description": "This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones", + "parameters": { + "azureFilePrivateDnsZoneId": { + "type": "string", + "metadata": { + "displayName": "azureFilePrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureWebPrivateDnsZoneId": { + "type": "string", + "metadata": { + "displayName": "azureWebPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureBatchPrivateDnsZoneId": { + "type": "string", + "metadata": { + "displayName": "azureBatchPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureAppPrivateDnsZoneId": { + "type": "string", + "metadata": { + "displayName": "azureAppPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureAsrPrivateDnsZoneId": { + "type": "string", + "metadata": { + "displayName": "azureAsrPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureIotPrivateDnsZoneId": { + "type": "string", + "metadata": { + "displayName": "azureIotPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone 
Identifier" + } + }, + "azureKeyVaultPrivateDnsZoneId": { + "type": "string", + "metadata": { + "displayName": "azureKeyVaultPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureSignalRPrivateDnsZoneId": { + "type": "string", + "metadata": { + "displayName": "azureSignalRPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureAppServicesPrivateDnsZoneId": { + "type": "string", + "metadata": { + "displayName": "azureAppServicesPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureEventGridTopicsPrivateDnsZoneId": { + "type": "string", + "metadata": { + "displayName": "azureEventGridTopicsPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureDiskAccessPrivateDnsZoneId": { + "type": "string", + "metadata": { + "displayName": "azureDiskAccessPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureCognitiveServicesPrivateDnsZoneId": { + "type": "string", + "metadata": { + "displayName": "azureCognitiveServicesPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureIotHubsPrivateDnsZoneId": { + "type": "string", + "metadata": { + "displayName": "azureIotHubsPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureEventGridDomainsPrivateDnsZoneId": { + "type": "string", + "metadata": { + "displayName": "azureEventGridDomainsPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureRedisCachePrivateDnsZoneId": { + "type": "string", + 
"metadata": { + "displayName": "azureRedisCachePrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureAcrPrivateDnsZoneId": { + "type": "string", + "metadata": { + "displayName": "azureAcrPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureEventHubNamespacePrivateDnsZoneId": { + "type": "string", + "metadata": { + "displayName": "azureEventHubNamespacePrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureMachineLearningWorkspacePrivateDnsZoneId": { + "type": "string", + "metadata": { + "displayName": "azureMachineLearningWorkspacePrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureServiceBusNamespacePrivateDnsZoneId": { + "type": "string", + "metadata": { + "displayName": "azureServiceBusNamespacePrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "azureCognitiveSearchPrivateDnsZoneId": { + "type": "string", + "metadata": { + "displayName": "azureCognitiveSearchPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, + "effect": { + "type": "string", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "effect1": { + "type": "string", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "deployIfNotExists", + "Disabled" + ], + "defaultValue": "deployIfNotExists" + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475", + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-File-Sync", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureFileprivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a", + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Web", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureWebPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8", + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Batch", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureBatchPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df", + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-App", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureAppPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2", + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Site-Recovery", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureAsrPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8", + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-IoT", + "parameters": { + "privateDnsZoneId": { + "value": 
"[[parameters('azureIotPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4", + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-KeyVault", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureKeyVaultPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e", + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-SignalR", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureSignalRPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452", + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-AppServices", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureAppServicesPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483", + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-EventGridTopics", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureEventGridTopicsPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect1')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a", + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-DiskAccess", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureDiskAccessPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + { + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091", + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-CognitiveServices", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureCognitiveServicesPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02", + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-IoTHubs", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureIotHubsPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect1')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d", + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-EventGridDomains", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureEventGridDomainsPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect1')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2", + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-RedisCache", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureRedisCachePrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32", + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-ACR", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureAcrPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6", + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-EventHubNamespace", + 
"parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureEventHubNamespacePrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb", + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-MachineLearningWorkspace", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564", + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-ServiceBusNamespace", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009", + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-CognitiveSearch", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureCognitiveSearchPrivateDnsZoneId')]" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + } + ] + } + } + ] +} \ No newline at end of file diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/Deny-PublicEndpointsPolicySetDefinition.json b/eslzArm/managementGroupTemplates/policyDefinitions/Deny-PublicEndpointsPolicySetDefinition.json new file mode 100644 index 0000000000..f39026e036 --- /dev/null +++ b/eslzArm/managementGroupTemplates/policyDefinitions/Deny-PublicEndpointsPolicySetDefinition.json 
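Review bot: The `DINE-Private-DNS-Azure-File-Sync` reference reads `parameters('azureFileprivateDnsZoneId')` while the initiative declares `azureFilePrivateDnsZoneId` (capital P); whether or not the policy engine resolves parameter names case-insensitively, the reference should match the declaration so the File Sync zone is not silently left unbound: `"value": "[[parameters('azureFilePrivateDnsZoneId')]"`. Separately, `effect1` carries exactly the same displayName and description as `effect`, so an operator who sets `effect` to `Disabled` in the assignment UI has no indication that the Event Grid topics/domains and IoT Hub references keep deploying; the split appears to exist only because those built-ins accept the lower-case `deployIfNotExists` spelling, which is inferred rather than visible here. Give the second parameter a distinct label, e.g. `"displayName": "Effect (Event Grid topics/domains, IoT Hub)"`, and state in both descriptions that both parameters must be `Disabled` to fully disable the initiative.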
@@ -0,0 +1,244 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Authorization/policySetDefinitions", + "name": "Deny-PublicPaaSEndpoints", + "apiVersion": "2020-09-01", + "properties": { + "Description": "This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints", + "DisplayName": "Public network access should be disabled for PaaS services", + "Parameters": { + "CosmosPublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access should be disabled for CosmosDB", + "description": "This policy denies that Cosmos database accounts are created with out public network access is disabled." + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "KeyVaultPublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access should be disabled for KeyVault", + "description": "This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "SqlServerPublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access on Azure SQL Database should be disabled", + "description": "This policy denies creation of Sql servers with exposed public endpoints" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "StoragePublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access onStorage accounts should be disabled", + "description": "This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + 
"defaultValue": "Deny" + }, + "AKSPublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access on AKS API should be disabled", + "description": "This policy denies the creation of Azure Kubernetes Service non-private clusters" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "ACRPublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access on Azure Container Registry disabled", + "description": "This policy denies the creation of Azure Container Registires with exposed public endpoints " + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "AFSPublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access on Azure File Sync disabled", + "description": "This policy denies the creation of Azure File Sync instances with exposed public endpoints " + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "PostgreSQLFlexPublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access should be disabled for PostgreSql Flexible Server", + "description": "This policy denies creation of Postgre SQL Flexible DB accounts with exposed public endpoints" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "MySQLFlexPublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access should be disabled for MySQL Flexible Server", + "description": "This policy denies creation of MySql Flexible Server DB accounts with exposed public endpoints" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "BatchPublicIpDenyEffect": { + "type": "String", + "metadata": { + "displayName": "Public network access should be disabled for Azure Batch Instances", + "description": "This policy denies creation of 
Azure Batch Instances with exposed public endpoints" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + } + }, + "PolicyDefinitionGroups": null, + "PolicyDefinitions": [ + { + "policyDefinitionReferenceId": "CosmosDenyPaasPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a", + "parameters": { + "effect": { + "value": "[[parameters('CosmosPublicIpDenyEffect')]" + } + } + }, + { + "policyDefinitionReferenceId": "KeyVaultDenyPaasPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490", + "parameters": { + "effect": { + "value": "[[parameters('KeyVaultPublicIpDenyEffect')]" + } + } + }, + { + "policyDefinitionReferenceId": "SqlServerDenyPaasPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780", + "parameters": { + "effect": { + "value": "[[parameters('SqlServerPublicIpDenyEffect')]" + } + } + }, + { + "policyDefinitionReferenceId": "StorageDenyPaasPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c", + "parameters": { + "effect": { + "value": "[[parameters('StoragePublicIpDenyEffect')]" + } + } + }, + { + "policyDefinitionReferenceId": "AKSDenyPaasPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8", + "parameters": { + "effect": { + "value": "[[parameters('AKSPublicIpDenyEffect')]" + } + } + }, + { + "policyDefinitionReferenceId": "ACRDenyPaasPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f", + "parameters": { + "effect": { + "value": "[[parameters('ACRPublicIpDenyEffect')]" + } + } + }, + { + "policyDefinitionReferenceId": "AFSDenyPaasPublicIP", + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7", + "parameters": { + "effect": { + "value": "[[parameters('AFSPublicIpDenyEffect')]" + } + } + }, + { + "policyDefinitionReferenceId": "PostgreSQLFlexDenyPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48", + "parameters": { + "effect": { + "value": "[[parameters('PostgreSQLFlexPublicIpDenyEffect')]" + } + } + }, + { + "policyDefinitionReferenceId": "MySQLFlexDenyPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052", + "parameters": { + "effect": { + "value": "[[parameters('MySQLFlexPublicIpDenyEffect')]" + } + } + }, + { + "policyDefinitionReferenceId": "BatchDenyPublicIP", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488", + "parameters": { + "effect": { + "value": "[[parameters('BatchPublicIpDenyEffect')]" + } + } + } + + ] + } + } + ], + "outputs": {} +} diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/policies.json b/eslzArm/managementGroupTemplates/policyDefinitions/policies.json new file mode 100644 index 0000000000..c738bb761a --- /dev/null +++ b/eslzArm/managementGroupTemplates/policyDefinitions/policies.json 
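Review bot: The initiative is titled "Public network access should be disabled for PaaS services", but the Key Vault and Storage parameter descriptions say the referenced built-ins deny only an "IP Firewall exposed to all public endpoints", i.e. a firewall default action of allow; if those definitions check `networkAcls.defaultAction` rather than `publicNetworkAccess` (inferred from the descriptions, not verifiable here), a vault or account with `publicNetworkAccess: Enabled` plus an IP allow-list or service endpoint still passes, which is weaker than the private-endpoint-only posture the title implies. State that limit in the initiative description, e.g. `"Description": "Denies creation of Azure PaaS services whose public endpoint is open to all networks; for Key Vault and Storage this enforces a restrictive firewall default action, not publicNetworkAccess=Disabled"`, so assigners do not rely on it as a public-access deny. The Cosmos DB description is also garbled and should read `"This policy denies creation of Cosmos DB accounts unless public network access is disabled."`. Minor style point: this file uses PascalCase property names (`Description`, `Parameters`, `PolicyDefinitions`) while the sibling DINE initiative uses camelCase; pick one convention for the repository.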
@@ -0,0 +1,17459 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "String", + "maxLength": 10, + "metadata": { + "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of Enterprise-scale." + } + } + }, + "variables": { + "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", + "policies": { + "policyDefinitions": [ + { + "properties": { + "description": "Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics enabled.", + "displayName": "Deploy Diagnostic Settings for Container Instances to Log Analytics workspace", + "mode": "Indexed", + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + } + }, + "metadata": { + "version": "1.0.0", + "category": "Monitoring" + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.ContainerInstance/containerGroups" + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "setByPolicy", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + 
"logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.ContainerInstance/containerGroups/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[[parameters('metricsEnabled')]" + } + } + } + } + } + } + } + }, + "name": "Deploy-Diagnostics-ACI" + }, + { + "properties": { + "description": "Deploy a default budget on all subscriptions under the assigned scope", + "displayName": "Deploy a default budget on all subscriptions under the assigned scope", + "mode": "All", + "parameters": { + "amount": { + "type": "String", + "defaultValue": "1000", + "metadata": { + "description": "The total amount of cost or usage to track with the budget" + } + }, + "timeGrain": { + "type": "String", + "defaultValue": "Monthly", + "allowedValues": [ + "Monthly", + "Quarterly", + "Annually", + "BillingMonth", + "BillingQuarter", + "BillingAnnual" + ], + "metadata": { + "description": "The time covered by a budget. Tracking of the amount will be reset based on the time grain." 
+ } + }, + "firstThreshold": { + "type": "String", + "defaultValue": "90", + "metadata": { + "description": "Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000." + } + }, + "secondThreshold": { + "type": "String", + "defaultValue": "100", + "metadata": { + "description": "Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000." + } + }, + "contactRoles": { + "type": "Array", + "defaultValue": [ + "Owner", + "Contributor" + ], + "metadata": { + "description": "The list of contact RBAC roles, in an array, to send the budget notification to when the threshold is exceeded." + } + }, + "contactEmails": { + "type": "Array", + "defaultValue": [], + "metadata": { + "description": "The list of email addresses, in an array, to send the budget notification to when the threshold is exceeded." + } + }, + "contactGroups": { + "type": "Array", + "defaultValue": [], + "metadata": { + "description": "The list of action groups, in an array, to send the budget notification to when the threshold is exceeded. It accepts array of strings." 
+ } + } + }, + "metadata": { + "version": "1.0.0", + "category": "Budget" + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Resources/subscriptions" + } + ] + }, + "then": { + "effect": "DeployIfNotExists", + "details": { + "type": "Microsoft.Consumption/budgets", + "deploymentScope": "Subscription", + "existenceScope": "Subscription", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Consumption/budgets/amount", + "equals": "[[parameters('amount')]" + }, + { + "field": "Microsoft.Consumption/budgets/timeGrain", + "equals": "[[parameters('timeGrain')]" + }, + { + "field": "Microsoft.Consumption/budgets/category", + "equals": "Cost" + } + ] + }, + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "deployment": { + "location": "northeurope", + "properties": { + "mode": "Incremental", + "parameters": { + "amount": { + "value": "[[parameters('amount')]" + }, + "timeGrain": { + "value": "[[parameters('timeGrain')]" + }, + "firstThreshold": { + "value": "[[parameters('firstThreshold')]" + }, + "secondThreshold": { + "value": "[[parameters('secondThreshold')]" + }, + "contactEmails": { + "value": "[[parameters('contactEmails')]" + }, + "contactRoles": { + "value": "[[parameters('contactRoles')]" + }, + "contactGroups": { + "value": "[[parameters('contactGroups')]" + } + }, + "template": { + "$schema": "http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": { + "amount": { + "type": "String" + }, + "timeGrain": { + "type": "String" + }, + "firstThreshold": { + "type": "String" + }, + "secondThreshold": { + "type": "String" + }, + "contactEmails": { + "type": "Array" + }, + "contactRoles": { + "type": "Array" + }, + "contactGroups": { + "type": "Array" + }, + "startDate": { + "type": "String", + "defaultValue": "[[concat(utcNow('MM'), '/01/', utcNow('yyyy'))]" + } 
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Consumption/budgets",
+ "apiVersion": "2019-10-01",
+ "name": "default-sandbox-budget",
+ "properties": {
+ "timePeriod": {
+ "startDate": "[[parameters('startDate')]"
+ },
+ "timeGrain": "[[parameters('timeGrain')]",
+ "amount": "[[parameters('amount')]",
+ "category": "Cost",
+ "notifications": {
+ "NotificationForExceededBudget1": {
+ "enabled": true,
+ "operator": "GreaterThan",
+ "threshold": "[[parameters('firstThreshold')]",
+ "contactEmails": "[[parameters('contactEmails')]",
+ "contactRoles": "[[parameters('contactRoles')]",
+ "contactGroups": "[[parameters('contactGroups')]"
+ },
+ "NotificationForExceededBudget2": {
+ "enabled": true,
+ "operator": "GreaterThan",
+ "threshold": "[[parameters('secondThreshold')]",
+ "contactEmails": "[[parameters('contactEmails')]",
+ "contactRoles": "[[parameters('contactRoles')]",
+ "contactGroups": "[[parameters('contactGroups')]"
+ }
+ }
+ }
+ }
+ ]
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "name": "Deploy-Budget"
+ },
+ {
+ "properties": {
+ "description": "Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics enabled.",
+ "displayName": "Deploy Diagnostic Settings for Container Registry to Log Analytics workspace",
+ "mode": "Indexed",
+ "parameters": {
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Log Analytics workspace",
+ "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
+ "strongType": "omsWorkspace"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "profileName": {
+ "type": "String",
+ "defaultValue": "setbypolicy",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ }
+ },
+ "metricsEnabled": {
+ "type": "String",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable metrics",
+ "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ }
+ },
+ "logsEnabled": {
+ "type": "String",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable logs",
+ "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ }
+ }
+ },
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Monitoring"
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.ContainerRegistry/registries"
+ },
+ "then": {
+ "effect": "[[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "setByPolicy",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "String"
+ },
+ "logAnalytics": {
+ "type": "String"
+ },
+ "location": {
+ "type": "String"
+ },
+ "profileName": {
+ "type": "String"
+ },
+ "metricsEnabled": {
+ "type": "String"
+ },
+ "logsEnabled": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.ContainerRegistry/registries/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+ "location": "[[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "workspaceId": "[[parameters('logAnalytics')]",
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": "[[parameters('metricsEnabled')]",
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ },
+ "timeGrain": null
+ }
+ ],
+ "logs": [
+ {
+ "category": "ContainerRegistryLoginEvents",
+ "enabled": "[[parameters('logsEnabled')]"
+ },
+ {
+ "category": "ContainerRegistryRepositoryEvents",
+ "enabled": "[[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "location": {
+ "value": "[[field('location')]"
+ },
+ "resourceName": {
+ "value": "[[field('name')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ },
+ "metricsEnabled": {
+ "value": "[[parameters('metricsEnabled')]"
+ },
+ "logsEnabled": {
+ "value": "[[parameters('logsEnabled')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "name": "Deploy-Diagnostics-ACR"
+ },
+ {
+ "properties": {
+ "description": "This policy deploys virtual network and peer to the hub",
+ "displayName": "Deploys virtual network peering to hub",
+ "mode": "All",
+ "parameters": {
+ "vNetName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "vNetName",
+ "description": "Name of the landing zone vNet"
+ }
+ },
+ "vNetRgName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "vNetRgName",
+ "description": "Name of the landing zone vNet RG"
+ }
+ },
+ "vNetLocation": {
+ "type": "String",
+ "metadata": {
+ "displayName": "vNetLocation",
+ "description": "Location for the vNet"
+ }
+ },
+ "vNetCidrRange": {
+ "type": "String",
+ "metadata": {
+ "displayName": "vNetCidrRange",
+ "description": "CIDR Range for the vNet"
+ }
+ },
+ "hubResourceId": {
+ "type": "String",
+ "metadata": {
+ "displayName": "hubResourceId",
+ "description": "Resource ID for the HUB vNet"
+ }
+ },
+ "dnsServers": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "DNSServers",
+ "description": "Default domain servers for the vNET."
+ },
+ "defaultValue": []
+ }
+ },
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Network"
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Resources/subscriptions"
+ }
+ ]
+ },
+ "then": {
+ "effect": "deployIfNotExists",
+ "details": {
+ "type": "Microsoft.Network/virtualNetworks",
+ "name": "[[parameters('vNetName')]",
+ "deploymentScope": "Subscription",
+ "existenceScope": "ResourceGroup",
+ "ResourceGroupName": "[[parameters('vNetRgName')]",
+ "roleDefinitionIds": [
+ "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
+ ],
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "name",
+ "like": "[[parameters('vNetName')]"
+ },
+ {
+ "field": "location",
+ "equals": "[[parameters('vNetLocation')]"
+ }
+ ]
+ },
+ "deployment": {
+ "location": "northeurope",
+ "properties": {
+ "mode": "Incremental",
+ "parameters": {
+ "vNetRgName": {
+ "value": "[[parameters('vNetRgName')]"
+ },
+ "vNetName": {
+ "value": "[[parameters('vNetName')]"
+ },
+ "vNetLocation": {
+ "value": "[[parameters('vNetLocation')]"
+ },
+ "vNetCidrRange": {
+ "value": "[[parameters('vNetCidrRange')]"
+ },
+ "hubResourceId": {
+ "value": "[[parameters('hubResourceId')]"
+ },
+ "dnsServers": {
+ "value": "[[parameters('dnsServers')]"
+ }
+ },
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "vNetRgName": {
+ "type": "String"
+ },
+ "vNetName": {
+ "type": "String"
+ },
+ "vNetLocation": {
+ "type": "String"
+ },
+ "vNetCidrRange": {
+ "type": "String"
+ },
+ "vNetPeerUseRemoteGateway": {
+ "type": "bool",
+ "defaultValue": false
+ },
+ "hubResourceId": {
+ "type": "String"
+ },
+ "dnsServers": {
+ "type": "Array",
+ "defaultValue": []
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "name": "[[concat('es-lz-vnet-',substring(uniqueString(subscription().id),0,6),'-rg')]",
+ "location": "[[parameters('vNetLocation')]",
+ "dependsOn": [],
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Resources/resourceGroups",
+ "apiVersion": "2020-06-01",
+ "name": "[[parameters('vNetRgName')]",
+ "location": "[[parameters('vNetLocation')]",
+ "properties": {}
+ },
+ {
+ "type": "Microsoft.Resources/resourceGroups",
+ "apiVersion": "2020-06-01",
+ "name": "NetworkWatcherRG",
+ "location": "[[parameters('vNetLocation')]",
+ "properties": {}
+ }
+ ],
+ "outputs": {}
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "name": "[[concat('es-lz-vnet-',substring(uniqueString(subscription().id),0,6))]",
+ "dependsOn": [
+ "[[concat('es-lz-vnet-',substring(uniqueString(subscription().id),0,6),'-rg')]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Network/virtualNetworks",
+ "apiVersion": "2020-06-01",
+ "name": "[[parameters('vNetName')]",
+ "location": "[[parameters('vNetLocation')]",
+ "dependsOn": [],
+ "properties": {
+ "addressSpace": {
+ "addressPrefixes": [
+ "[[parameters('vNetCidrRange')]"
+ ]
+ },
+ "dhcpOptions": {
+ "dnsServers": "[[parameters('dnsServers')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings",
+ "apiVersion": "2020-05-01",
+ "name": "[[concat(parameters('vNetName'), '/peerToHub')]",
+ "dependsOn": [
+ "[[parameters('vNetName')]"
+ ],
+ "properties": {
+ "remoteVirtualNetwork": {
+ "id": "[[parameters('hubResourceId')]"
+ },
+ "allowVirtualNetworkAccess": true,
+ "allowForwardedTraffic": true,
+ "allowGatewayTransit": true,
+ "useRemoteGateways": "[[parameters('vNetPeerUseRemoteGateway')]"
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "name": "[[concat('es-lz-hub-',substring(uniqueString(subscription().id),0,6),'-peering')]",
+ "subscriptionId": "[[split(parameters('hubResourceId'),'/')[2]]",
+ "resourceGroup": "[[split(parameters('hubResourceId'),'/')[4]]",
+ "dependsOn": [
+ "[[parameters('vNetName')]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "remoteVirtualNetwork": {
+ "type": "String",
+ "defaultValue": false
+ },
+ "hubName": {
+ "type": "String",
+ "defaultValue": false
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings",
+ "name": "[[[concat(parameters('hubName'),'/',last(split(parameters('remoteVirtualNetwork'),'/')))]",
+ "apiVersion": "2020-05-01",
+ "properties": {
+ "allowVirtualNetworkAccess": true,
+ "allowForwardedTraffic": true,
+ "allowGatewayTransit": true,
+ "useRemoteGateways": false,
+ "remoteVirtualNetwork": {
+ "id": "[[[parameters('remoteVirtualNetwork')]"
+ }
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "remoteVirtualNetwork": {
+ "value": "[[concat(subscription().id,'/resourceGroups/',parameters('vNetRgName'), '/providers/','Microsoft.Network/virtualNetworks/', parameters('vNetName'))]"
+ },
+ "hubName": {
+ "value": "[[split(parameters('hubResourceId'),'/')[8]]"
+ }
+ }
+ }
+ }
+ ],
+ "outputs": {}
+ }
+ },
+ "resourceGroup": "[[parameters('vNetRgName')]"
+ }
+ ],
+ "outputs": {}
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "name": "Deploy-VNET-HubSpoke"
+ },
+ {
+ "properties": {
+ "displayName": "Deploy a user-defined route to a VNET with specific routes.",
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "description": "Deploy a user-defined route to a VNET with routes from spoke to hub firewall. This policy must be assigned for each region you plan to use.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Network"
+ },
+ "parameters": {
+ "defaultRoute": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Default route to add into UDR",
+ "description": "Policy will deploy a default route table to a vnet"
+ }
+ },
+ "vnetRegion": {
+ "type": "String",
+ "metadata": {
+ "displayName": "VNet Region",
+ "description": "Regional VNet hub location",
+ "strongType": "location"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Network/virtualNetworks"
+ },
+ {
+ "field": "location",
+ "equals": "[[parameters('vnetRegion')]"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Network/routeTables",
+ "roleDefinitionIds": [
+ "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
+ ],
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Network/routeTables/routes[*].nextHopIpAddress",
+ "equals": "[[parameters('defaultRoute')]"
+ }
+ ]
+ },
+ "deployment": {
+ "properties": {
+ "mode": "incremental",
+ "parameters": {
+ "udrName": {
+ "value": "[[concat(field('name'),'-udr')]"
+ },
+ "udrLocation": {
+ "value": "[[field('location')]"
+ },
+ "defaultRoute": {
+ "value": "[[parameters('defaultRoute')]"
+ }
+ },
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "udrName": {
+ "type": "string"
+ },
+ "udrLocation": {
+ "type": "string"
+ },
+ "defaultRoute": {
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Network/routeTables",
+ "name": "[[parameters('udrName')]",
+ "apiVersion": "2020-08-01",
+ "location": "[[parameters('udrLocation')]",
+ "properties": {
+ "routes": [
+ {
+ "name": "AzureFirewallRoute",
+ "properties": {
+ "addressPrefix": "0.0.0.0/0",
+ "nextHopType": "VirtualAppliance",
+ "nextHopIpAddress": "[[parameters('defaultRoute')]"
+ }
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {}
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "name": "Deploy-Default-Udr"
+ },
+ {
+ "properties": {
+ "description": "Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled",
+ "displayName": "Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace",
+ "mode": "Indexed",
+ "parameters": {
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Log Analytics workspace",
+ "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
+ "strongType": "omsWorkspace"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "profileName": {
+ "type": "String",
+ "defaultValue": "setbypolicy",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ }
+ },
+ "metricsEnabled": {
+ "type": "String",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable metrics",
+ "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ }
+ },
+ "logsEnabled": {
+ "type": "String",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable logs",
+ "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ }
+ }
+ },
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Monitoring"
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.AnalysisServices/servers"
+ },
+ "then": {
+ "effect": "[[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "setByPolicy",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "String"
+ },
+ "logAnalytics": {
+ "type": "String"
+ },
+ "location": {
+ "type": "String"
+ },
+ "profileName": {
+ "type": "String"
+ },
+ "metricsEnabled": {
+ "type": "String"
+ },
+ "logsEnabled": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.AnalysisServices/servers/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+ "location": "[[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "workspaceId": "[[parameters('logAnalytics')]",
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": "[[parameters('metricsEnabled')]",
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ },
+ "timeGrain": null
+ }
+ ],
+ "logs": [
+ {
+ "category": "Engine",
+ "enabled": "[[parameters('logsEnabled')]"
+ },
+ {
+ "category": "Service",
+ "enabled": "[[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "location": {
+ "value": "[[field('location')]"
+ },
+ "resourceName": {
+ "value": "[[field('name')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ },
+ "metricsEnabled": {
+ "value": "[[parameters('metricsEnabled')]"
+ },
+ "logsEnabled": {
+ "value": "[[parameters('logsEnabled')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "name": "Deploy-Diagnostics-AnalysisService"
+ },
+ {
+ "properties": {
+ "description": "Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled",
+ "displayName": "Deploy Diagnostic Settings for API Management to Log Analytics workspace",
+ "mode": "Indexed",
+ "parameters": {
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Log Analytics workspace",
+ "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
+ "strongType": "omsWorkspace"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "profileName": {
+ "type": "String",
+ "defaultValue": "setbypolicy",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ }
+ },
+ "metricsEnabled": {
+ "type": "String",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable metrics",
+ "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ }
+ },
+ "logsEnabled": {
+ "type": "String",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable logs",
+ "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ }
+ }
+ },
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Monitoring"
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.ApiManagement/service"
+ },
+ "then": {
+ "effect": "[[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "setByPolicy",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "String"
+ },
+ "logAnalytics": {
+ "type": "String"
+ },
+ "location": {
+ "type": "String"
+ },
+ "profileName": {
+ "type": "String"
+ },
+ "metricsEnabled": {
+ "type": "String"
+ },
+ "logsEnabled": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.ApiManagement/service/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+ "location": "[[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "workspaceId": "[[parameters('logAnalytics')]",
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": "[[parameters('metricsEnabled')]",
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ },
+ "timeGrain": null
+ }
+ ],
+ "logs": [
+ {
+ "category": "GatewayLogs",
+ "enabled": "[[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "location": {
+ "value": "[[field('location')]"
+ },
+ "resourceName": {
+ "value": "[[field('name')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ },
+ "metricsEnabled": {
+ "value": "[[parameters('metricsEnabled')]"
+ },
+ "logsEnabled": {
+ "value": "[[parameters('logsEnabled')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "name": "Deploy-Diagnostics-APIMgmt"
+ },
+ {
+ "properties": {
+ "description": "This policy enables you to restrict that Application Gateways is always deployed with WAF enabled",
+ "displayName": "Application Gateway should be deployed with WAF enabled",
+ "mode": "Indexed",
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Network"
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Network/applicationGateways"
+ },
+ {
+ "field": "Microsoft.Network/applicationGateways/sku.name",
+ "notequals": "WAF_v2"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[[parameters('effect')]"
+ }
+ }
+ },
+ "name": "Deny-AppGW-Without-WAF"
+ },
+ {
+ "properties": {
+ "description": "Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled",
+ "displayName": "Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace",
+ "mode": "Indexed",
+ "parameters": {
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Log Analytics workspace",
+ "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
+ "strongType": "omsWorkspace"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "profileName": {
+ "type": "String",
+ "defaultValue": "setbypolicy",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ }
+ },
+ "metricsEnabled": {
+ "type": "String",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable metrics",
+ "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ }
+ },
+ "logsEnabled": {
+ "type": "String",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable logs",
+ "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ }
+ }
+ },
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Monitoring"
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.Network/applicationGateways"
+ },
+ "then": {
+ "effect": "[[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "setByPolicy",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "String"
+ },
+ "logAnalytics": {
+ "type": "String"
+ },
+ "location": {
+ "type": "String"
+ },
+ "profileName": {
+ "type": "String"
+ },
+ "metricsEnabled": {
+ "type": "String"
+ },
+ "logsEnabled": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Network/applicationGateways/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+ "location": "[[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "workspaceId": "[[parameters('logAnalytics')]",
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": "[[parameters('metricsEnabled')]",
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ },
+ "timeGrain": null
+ }
+ ],
+ "logs": [
+ {
+ "category": "ApplicationGatewayAccessLog",
+ "enabled": "[[parameters('logsEnabled')]"
+ },
+ {
+ "category": "ApplicationGatewayPerformanceLog",
+ "enabled": "[[parameters('logsEnabled')]"
+ },
+ {
+ "category": "ApplicationGatewayFirewallLog",
+ "enabled": "[[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "location": {
+ "value": "[[field('location')]"
+ },
+ "resourceName": {
+ "value": "[[field('name')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ },
+ "metricsEnabled": {
+ "value": "[[parameters('metricsEnabled')]"
+ },
+ "logsEnabled": {
+ "value": "[[parameters('logsEnabled')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "name": "Deploy-Diagnostics-ApplicationGateway"
+ },
+ {
+ "properties": {
+ "description": "Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled",
+ "displayName": "Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace",
+ "mode": "Indexed",
+ "parameters": {
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Log Analytics workspace",
+ "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
+ "strongType": "omsWorkspace"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "profileName": {
+ "type": "String",
+ "defaultValue": "setbypolicy",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ }
+ },
+ "metricsEnabled": {
+ "type": "String",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable metrics",
+ "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ }
+ }
+ },
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Monitoring"
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.Web/serverfarms"
+ },
+ "then": {
+ "effect": "[[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "setByPolicy",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "String"
+ },
+ "logAnalytics": {
+ "type": "String"
+ },
+ "location": {
+ "type": "String"
+ },
+ "profileName": {
+ "type": "String"
+ },
+ "metricsEnabled": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Web/serverfarms/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+ "location": "[[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "workspaceId": "[[parameters('logAnalytics')]",
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": "[[parameters('metricsEnabled')]",
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ },
+ "timeGrain": null
+ }
+ ],
+ "logs": []
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "location": {
+ "value": "[[field('location')]"
+ },
+ "resourceName": {
+ "value": "[[field('name')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ },
+ "metricsEnabled": {
+ "value": "[[parameters('metricsEnabled')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "name": "Deploy-Diagnostics-WebServerFarm"
+ },
+ {
+ "properties": {
+ "description": "Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled",
+ "displayName": "Deploy Diagnostic Settings for App Service to Log Analytics workspace",
+ "mode": "Indexed",
+ "parameters": {
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Log Analytics workspace",
+ "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
+ "strongType": "omsWorkspace"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "profileName": {
+ "type": "String",
+ "defaultValue": "setbypolicy",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ }
+ },
+ "metricsEnabled": {
+ "type": "String",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable metrics",
+ "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ }
+ },
+ "logsEnabled": {
+ "type": "String",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable logs",
+ "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ }
+ }
+ },
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Monitoring"
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Web/sites"
+ },
+ {
+ "value": "[[field('kind')]",
+ "notContains": "functionapp"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "setByPolicy",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "String"
+ },
+ "logAnalytics": {
+ "type": "String"
+ },
+ "location": {
+ "type": "String"
+ },
+ "profileName": {
+ "type": "String"
+ },
+ "metricsEnabled": {
+ "type": "String"
+ },
+ "logsEnabled": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Web/sites/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+ "location": "[[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "workspaceId": "[[parameters('logAnalytics')]",
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": "[[parameters('metricsEnabled')]",
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ },
+ "timeGrain": null
+ }
+ ],
+ "logs": [
+ {
+ "category": "AppServiceAntivirusScanAuditLogs",
+ "enabled": "[[parameters('logsEnabled')]"
+ },
+ {
+ "category": "AppServiceHTTPLogs",
+ "enabled": "[[parameters('logsEnabled')]"
+ },
+ {
+ "category": "AppServiceConsoleLogs",
+ "enabled": "[[parameters('logsEnabled')]"
+ },
+ {
+ "category": "AppServiceHTTPLogs",
+ "enabled": "[[parameters('logsEnabled')]"
+ },
+ {
+ "category": "AppServiceAppLogs",
+ "enabled": "[[parameters('logsEnabled')]"
+ },
+ {
+ "category": "AppServiceFileAuditLogs",
+ "enabled": "[[parameters('logsEnabled')]"
+ },
+ {
+ "category": "AppServiceAuditLogs",
+ "enabled": "[[parameters('logsEnabled')]"
+ },
+ {
+ "category": "AppServiceIPSecAuditLogs",
+ "enabled": "[[parameters('logsEnabled')]"
+ },
+ {
+ "category": "AppServicePlatformLogs",
+ "enabled": "[[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "location": {
+ "value": "[[field('location')]"
+ },
+ "resourceName": {
+ "value": "[[field('name')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ },
+ "metricsEnabled": {
+ "value": "[[parameters('metricsEnabled')]"
+ },
+ "logsEnabled": {
+ "value": "[[parameters('logsEnabled')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "name": "Deploy-Diagnostics-Website"
+ },
+ {
+ "properties": {
+ "description": "Deploy Azure Security Center Security Contacts",
+ "displayName": "Deploy Azure Security Center Security Contacts",
+ "mode": "All",
+ "parameters": {
+ "emailSecurityContact": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Security contacts email address",
+ "description": "Provide email address for Azure Security Center contact details"
+ }
+ },
+ "effect": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Security Center"
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Resources/subscriptions"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Security/securityContacts",
+ "deploymentScope": "Subscription",
+ "existenceScope": "Subscription",
+ "roleDefinitionIds": [
+ "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"
+ ],
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Security/securityContacts/email",
+ "contains": "[[parameters('emailSecurityContact')]"
+ },
+ {
+ "field": "type",
+ "equals": "Microsoft.Security/securityContacts"
+ },
+ {
+ "field": "Microsoft.Security/securityContacts/alertNotifications",
+ "equals": "On"
+ },
+ {
+ "field": "Microsoft.Security/securityContacts/alertsToAdmins",
+ "equals": "On"
+ }
+ ]
+ },
+ "deployment": {
+ "location": "northeurope",
+ "properties": {
+ "mode": "incremental",
+ "parameters": {
+ "emailSecurityContact": {
+ "value": "[[parameters('emailSecurityContact')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "emailSecurityContact": {
+ "type": "string",
+ "metadata": {
+ "description": "Security contacts email address"
+ }
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Security/securityContacts",
+ "name": "default",
+ "apiVersion": "2020-01-01-preview",
+ "properties": {
+ "emails": "[[parameters('emailSecurityContact')]",
+ "notificationsByRole": {
+ "state": "On",
+ "roles": [
+ "Owner"
+ ]
+ },
+ "alertNotifications": {
+ "state": "On",
+ "minimalSeverity": "High"
+ }
+ }
+ }
+ ],
+ "outputs": {}
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "name": "Deploy-ASC-SecurityContacts"
+ },
+ {
+ "properties": {
+ "description": "Deploy the Azure Defender settings in Azure Security Center for Virtual Machines",
+ "displayName": "Deploy Azure Defender for Virtual Machines",
+ "mode": "All",
+ "parameters": {
+ "pricingTier": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Azure Defender pricing tier",
+ "description": "Azure Defender pricing tier"
+ },
+ "allowedValues": [
+ "Standard",
+ "Free"
+ ],
+ "defaultValue": "Standard"
+ },
+ "effect": {
+ "type": 
"string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "metadata": { + "version": "1.0.0", + "category": "Security Center" + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Resources/subscriptions" + } + ] + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Security/pricings", + "name": "VirtualMachines", + "deploymentScope": "Subscription", + "existenceScope": "Subscription", + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd" + ], + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Security/pricings/pricingTier", + "equals": "[[parameters('pricingTier')]" + }, + { + "field": "type", + "equals": "Microsoft.Security/pricings" + } + ] + }, + "deployment": { + "location": "northeurope", + "properties": { + "mode": "incremental", + "parameters": { + "pricingTier": { + "value": "[[parameters('pricingTier')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "pricingTier": { + "type": "string", + "metadata": { + "description": "Azure Defender pricing tier" + } + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Security/pricings", + "apiVersion": "2018-06-01", + "name": "VirtualMachines", + "properties": { + "pricingTier": "[[parameters('pricingTier')]" + } + } + ], + "outputs": {} + } + } + } + } + } + } + }, + "name": "Deploy-ASC-Defender-VMs" + }, + { + "properties": { + "description": "Deploy the Azure Defender settings in Azure Security Center for Azure Sql Databases", + "displayName": "Deploy Azure Defender for Azure Sql Databases", + "mode": "All", + "parameters": { + "pricingTier": { + 
"type": "string", + "metadata": { + "displayName": "Azure Defender pricing tier", + "description": "Azure Defender pricing tier" + }, + "allowedValues": [ + "Standard", + "Free" + ], + "defaultValue": "Standard" + }, + "effect": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "metadata": { + "version": "1.0.0", + "category": "Security Center" + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Resources/subscriptions" + } + ] + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Security/pricings", + "name": "SqlServers", + "deploymentScope": "Subscription", + "existenceScope": "Subscription", + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd" + ], + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Security/pricings/pricingTier", + "equals": "[[parameters('pricingTier')]" + }, + { + "field": "type", + "equals": "Microsoft.Security/pricings" + } + ] + }, + "deployment": { + "location": "northeurope", + "properties": { + "mode": "incremental", + "parameters": { + "pricingTier": { + "value": "[[parameters('pricingTier')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "pricingTier": { + "type": "string", + "metadata": { + "description": "Azure Defender pricing tier" + } + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Security/pricings", + "apiVersion": "2018-06-01", + "name": "SqlServers", + "properties": { + "pricingTier": "[[parameters('pricingTier')]" + } + } + ], + "outputs": {} + } + } + } + } + } + } + }, + "name": "Deploy-ASC-Defender-Sql" + }, + { + "properties": { + 
"description": "Deploy the Azure Defender settings in Azure Security Center for Azure App Services", + "displayName": "Deploy Azure Defender for Azure App Services", + "mode": "All", + "parameters": { + "pricingTier": { + "type": "string", + "metadata": { + "displayName": "Azure Defender pricing tier", + "description": "Azure Defender pricing tier" + }, + "allowedValues": [ + "Standard", + "Free" + ], + "defaultValue": "Standard" + }, + "effect": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "metadata": { + "version": "1.0.0", + "category": "Security Center" + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Resources/subscriptions" + } + ] + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Security/pricings", + "name": "AppServices", + "deploymentScope": "Subscription", + "existenceScope": "Subscription", + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd" + ], + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Security/pricings/pricingTier", + "equals": "[[parameters('pricingTier')]" + }, + { + "field": "type", + "equals": "Microsoft.Security/pricings" + } + ] + }, + "deployment": { + "location": "northeurope", + "properties": { + "mode": "incremental", + "parameters": { + "pricingTier": { + "value": "[[parameters('pricingTier')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "pricingTier": { + "type": "string", + "metadata": { + "description": "Azure Defender pricing tier" + } + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Security/pricings", + "apiVersion": 
"2018-06-01", + "name": "AppServices", + "properties": { + "pricingTier": "[[parameters('pricingTier')]" + } + } + ], + "outputs": {} + } + } + } + } + } + } + }, + "name": "Deploy-ASC-Defender-AppSrv" + }, + { + "properties": { + "description": "Deploy the Azure Defender settings in Azure Security Center for Storage Accounts", + "displayName": "Deploy Azure Defender for Storage Accounts", + "mode": "All", + "parameters": { + "pricingTier": { + "type": "string", + "metadata": { + "displayName": "Azure Defender pricing tier", + "description": "Azure Defender pricing tier" + }, + "allowedValues": [ + "Standard", + "Free" + ], + "defaultValue": "Standard" + }, + "effect": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "metadata": { + "version": "1.0.0", + "category": "Security Center" + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Resources/subscriptions" + } + ] + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Security/pricings", + "name": "StorageAccounts", + "deploymentScope": "Subscription", + "existenceScope": "Subscription", + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd" + ], + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Security/pricings/pricingTier", + "equals": "[[parameters('pricingTier')]" + }, + { + "field": "type", + "equals": "Microsoft.Security/pricings" + } + ] + }, + "deployment": { + "location": "northeurope", + "properties": { + "mode": "incremental", + "parameters": { + "pricingTier": { + "value": "[[parameters('pricingTier')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + 
"parameters": { + "pricingTier": { + "type": "string", + "metadata": { + "description": "Azure Defender pricing tier" + } + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Security/pricings", + "apiVersion": "2018-06-01", + "name": "StorageAccounts", + "properties": { + "pricingTier": "[[parameters('pricingTier')]" + } + } + ], + "outputs": {} + } + } + } + } + } + } + }, + "name": "Deploy-ASC-Defender-SA" + }, + { + "properties": { + "description": "Deploy the Azure Defender settings in Sql Server on Virtual Machines", + "displayName": "Deploy Azure Defender for Sql on Virtual Machines", + "mode": "All", + "parameters": { + "pricingTier": { + "type": "string", + "metadata": { + "displayName": "Azure Defender pricing tier", + "description": "Azure Defender pricing tier" + }, + "allowedValues": [ + "Standard", + "Free" + ], + "defaultValue": "Standard" + }, + "effect": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "metadata": { + "version": "1.0.0", + "category": "Security Center" + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Resources/subscriptions" + } + ] + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Security/pricings", + "name": "SqlServerVirtualMachines", + "deploymentScope": "Subscription", + "existenceScope": "Subscription", + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd" + ], + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Security/pricings/pricingTier", + "equals": "[[parameters('pricingTier')]" + }, + { + "field": "type", + "equals": "Microsoft.Security/pricings" + } + ] + }, + "deployment": { + "location": "northeurope", + "properties": { + "mode": "incremental", + 
"parameters": { + "pricingTier": { + "value": "[[parameters('pricingTier')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "pricingTier": { + "type": "string", + "metadata": { + "description": "Azure Defender pricing tier" + } + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Security/pricings", + "apiVersion": "2018-06-01", + "name": "SqlServerVirtualMachines", + "properties": { + "pricingTier": "[[parameters('pricingTier')]" + } + } + ], + "outputs": {} + } + } + } + } + } + } + }, + "name": "Deploy-ASC-Defender-SQLVM" + }, + { + "properties": { + "description": "Deploy the Azure Defender settings for AKS", + "displayName": "Deploy Azure Defender for AKS", + "mode": "All", + "parameters": { + "pricingTier": { + "type": "string", + "metadata": { + "displayName": "Azure Defender pricing tier", + "description": "Azure Defender pricing tier" + }, + "allowedValues": [ + "Standard", + "Free" + ], + "defaultValue": "Standard" + }, + "effect": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "metadata": { + "version": "1.0.0", + "category": "Security Center" + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Resources/subscriptions" + } + ] + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Security/pricings", + "name": "KubernetesService", + "deploymentScope": "Subscription", + "existenceScope": "Subscription", + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd" + ], + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Security/pricings/pricingTier", + "equals": 
"[[parameters('pricingTier')]" + }, + { + "field": "type", + "equals": "Microsoft.Security/pricings" + } + ] + }, + "deployment": { + "location": "northeurope", + "properties": { + "mode": "incremental", + "parameters": { + "pricingTier": { + "value": "[[parameters('pricingTier')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "pricingTier": { + "type": "string", + "metadata": { + "description": "Azure Defender pricing tier" + } + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Security/pricings", + "apiVersion": "2018-06-01", + "name": "KubernetesService", + "properties": { + "pricingTier": "[[parameters('pricingTier')]" + } + } + ], + "outputs": {} + } + } + } + } + } + } + }, + "name": "Deploy-ASC-Defender-AKS" + }, + { + "properties": { + "description": "Deploy the Azure Defender settings for Azure Container Registry", + "displayName": "Deploy Azure Defender for ACR", + "mode": "All", + "parameters": { + "pricingTier": { + "type": "string", + "metadata": { + "displayName": "Azure Defender pricing tier", + "description": "Azure Defender pricing tier" + }, + "allowedValues": [ + "Standard", + "Free" + ], + "defaultValue": "Standard" + }, + "effect": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "metadata": { + "version": "1.0.0", + "category": "Security Center" + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Resources/subscriptions" + } + ] + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Security/pricings", + "name": "ContainerRegistry", + "deploymentScope": "Subscription", + "existenceScope": "Subscription", + "roleDefinitionIds": [ + 
"/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd" + ], + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Security/pricings/pricingTier", + "equals": "[[parameters('pricingTier')]" + }, + { + "field": "type", + "equals": "Microsoft.Security/pricings" + } + ] + }, + "deployment": { + "location": "northeurope", + "properties": { + "mode": "incremental", + "parameters": { + "pricingTier": { + "value": "[[parameters('pricingTier')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "pricingTier": { + "type": "string", + "metadata": { + "description": "Azure Defender pricing tier" + } + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Security/pricings", + "apiVersion": "2018-06-01", + "name": "ContainerRegistry", + "properties": { + "pricingTier": "[[parameters('pricingTier')]" + } + } + ], + "outputs": {} + } + } + } + } + } + } + }, + "name": "Deploy-ASC-Defender-ACR" + }, + { + "properties": { + "description": "Deploy the Azure Defender settings for Azure Key Vault", + "displayName": "Deploy Azure Defender for AKV", + "mode": "All", + "parameters": { + "pricingTier": { + "type": "string", + "metadata": { + "displayName": "Azure Defender pricing tier", + "description": "Azure Defender pricing tier" + }, + "allowedValues": [ + "Standard", + "Free" + ], + "defaultValue": "Standard" + }, + "effect": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "metadata": { + "version": "1.0.0", + "category": "Security Center" + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Resources/subscriptions" + } + ] + }, + "then": { + "effect": 
"[[parameters('effect')]", + "details": { + "type": "Microsoft.Security/pricings", + "name": "KeyVaults", + "deploymentScope": "Subscription", + "existenceScope": "Subscription", + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd" + ], + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Security/pricings/pricingTier", + "equals": "[[parameters('pricingTier')]" + }, + { + "field": "type", + "equals": "Microsoft.Security/pricings" + } + ] + }, + "deployment": { + "location": "northeurope", + "properties": { + "mode": "incremental", + "parameters": { + "pricingTier": { + "value": "[[parameters('pricingTier')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "pricingTier": { + "type": "string", + "metadata": { + "description": "Azure Defender pricing tier" + } + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Security/pricings", + "apiVersion": "2018-06-01", + "name": "KeyVaults", + "properties": { + "pricingTier": "[[parameters('pricingTier')]" + } + } + ], + "outputs": {} + } + } + } + } + } + } + }, + "name": "Deploy-ASC-Defender-AKV" + }, + { + "properties": { + "description": "Deploy the Azure Defender settings for DNS", + "displayName": "Deploy Azure Defender for DNS", + "mode": "All", + "parameters": { + "pricingTier": { + "type": "string", + "metadata": { + "displayName": "Azure Defender pricing tier", + "description": "Azure Defender pricing tier" + }, + "allowedValues": [ + "Standard", + "Free" + ], + "defaultValue": "Standard" + }, + "effect": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "metadata": { + "version": "1.0.0", + "category": 
"Security Center" + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Resources/subscriptions" + } + ] + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Security/pricings", + "name": "Dns", + "deploymentScope": "Subscription", + "existenceScope": "Subscription", + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd" + ], + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Security/pricings/pricingTier", + "equals": "[[parameters('pricingTier')]" + }, + { + "field": "type", + "equals": "Microsoft.Security/pricings" + } + ] + }, + "deployment": { + "location": "northeurope", + "properties": { + "mode": "incremental", + "parameters": { + "pricingTier": { + "value": "[[parameters('pricingTier')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "pricingTier": { + "type": "string", + "metadata": { + "description": "Azure Defender pricing tier" + } + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Security/pricings", + "apiVersion": "2018-06-01", + "name": "Dns", + "properties": { + "pricingTier": "[[parameters('pricingTier')]" + } + } + ], + "outputs": {} + } + } + } + } + } + } + }, + "name": "Deploy-ASC-Defender-DNS" + }, + { + "properties": { + "description": "Deploy the Azure Defender settings for Azure Resource Manager", + "displayName": "Deploy Azure Defender for ARM", + "mode": "All", + "parameters": { + "pricingTier": { + "type": "string", + "metadata": { + "displayName": "Azure Defender pricing tier", + "description": "Azure Defender pricing tier" + }, + "allowedValues": [ + "Standard", + "Free" + ], + "defaultValue": "Standard" + }, + "effect": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], 
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Security Center"
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Resources/subscriptions"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Security/pricings",
+ "name": "Arm",
+ "deploymentScope": "Subscription",
+ "existenceScope": "Subscription",
+ "roleDefinitionIds": [
+ "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"
+ ],
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Security/pricings/pricingTier",
+ "equals": "[[parameters('pricingTier')]"
+ },
+ {
+ "field": "type",
+ "equals": "Microsoft.Security/pricings"
+ }
+ ]
+ },
+ "deployment": {
+ "location": "northeurope",
+ "properties": {
+ "mode": "incremental",
+ "parameters": {
+ "pricingTier": {
+ "value": "[[parameters('pricingTier')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "pricingTier": {
+ "type": "string",
+ "metadata": {
+ "description": "Azure Defender pricing tier"
+ }
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Security/pricings",
+ "apiVersion": "2018-06-01",
+ "name": "Arm",
+ "properties": {
+ "pricingTier": "[[parameters('pricingTier')]"
+ }
+ }
+ ],
+ "outputs": {}
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "name": "Deploy-ASC-Defender-ARM"
+ },
+ {
+ "properties": {
+ "description": "This policy denies the creation of child resources on the Automation Account",
+ "displayName": "No child resources in Automation Account",
+ "mode": "Indexed",
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Automation"
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "in": [
+ "Microsoft.Automation/automationAccounts/runbooks",
+ "Microsoft.Automation/automationAccounts/variables",
+ "Microsoft.Automation/automationAccounts/modules",
+ "Microsoft.Automation/automationAccounts/credentials",
+ "Microsoft.Automation/automationAccounts/connections",
+ "Microsoft.Automation/automationAccounts/certificates"
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[[parameters('effect')]"
+ }
+ }
+ },
+ "name": "Deny-AA-child-resources"
+ },
+ {
+ "properties": {
+ "description": "Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled",
+ "displayName": "Deploy Diagnostic Settings for Automation to Log Analytics workspace",
+ "mode": "Indexed",
+ "parameters": {
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Log Analytics workspace",
+ "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
+ "strongType": "omsWorkspace"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "profileName": {
+ "type": "String",
+ "defaultValue": "setbypolicy",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ }
+ },
+ "metricsEnabled": {
+ "type": "String",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable metrics",
+ "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ }
+ },
+ "logsEnabled": {
+ "type": "String",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable logs",
+ "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ }
+ }
+ },
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Monitoring"
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.Automation/automationAccounts"
+ },
+ "then": {
+ "effect": "[[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "setByPolicy",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "String"
+ },
+ "logAnalytics": {
+ "type": "String"
+ },
+ "location": {
+ "type": "String"
+ },
+ "profileName": {
+ "type": "String"
+ },
+ "metricsEnabled": {
+ "type": "String"
+ },
+ "logsEnabled": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Automation/automationAccounts/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+ "location": "[[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "workspaceId": "[[parameters('logAnalytics')]",
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "timeGrain": null,
+ "enabled": "[[parameters('metricsEnabled')]",
+ "retentionPolicy": {
+ "enabled": false,
+ "days": 0
+ }
+ }
+ ],
+ "logs": [
+ {
+ "category": "JobLogs",
+ "enabled": "[[parameters('logsEnabled')]"
+ },
+ {
+ "category": "JobStreams",
+ "enabled": "[[parameters('logsEnabled')]"
+ },
+ {
+ "category": "DscNodeStatus",
+ "enabled": "[[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "location": {
+ "value": "[[field('location')]"
+ },
+ "resourceName": {
+ "value": "[[field('name')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ },
+ "metricsEnabled": {
+ "value": "[[parameters('metricsEnabled')]"
+ },
+ "logsEnabled": {
+ "value": "[[parameters('logsEnabled')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "name": "Deploy-Diagnostics-AA"
+ },
+ {
+ "properties": {
+ "displayName": "RDP access from the Internet should be blocked",
+ "description": "This policy denies any network security rule that allows RDP access from Internet",
+ "mode": "All",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Network"
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Network/networkSecurityGroups/securityRules"
+ },
+ {
+ "allOf": [
+ {
+ "field": "Microsoft.Network/networkSecurityGroups/securityRules/access",
+ "equals": "Allow"
+ },
+ {
+ "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction",
+ "equals": "Inbound"
+ },
+ {
+ "anyOf": [
+ {
+ "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
+ "equals": "*"
+ },
+ {
+ "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
+ "equals": "3389"
+ },
+ {
+ "value": "[[if(and(not(empty(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'))), contains(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'),'-')), and(lessOrEquals(int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),3389),greaterOrEquals(int(last(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),3389)), 'false')]",
+ "equals": "true"
+ },
+ {
+ "count": {
+ "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
+ "where": {
+ "value": "[[if(and(not(empty(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')))), contains(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')),'-')), and(lessOrEquals(int(first(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),3389),greaterOrEquals(int(last(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),3389)) , 'false')]",
+ "equals": "true"
+ }
+ },
+ "greater": 0
+ },
+ {
+ "not": {
+ "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
+ "notEquals": "*"
+ }
+ },
+ {
+ "not": {
+ "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
+ "notEquals": "3389"
+ }
+ }
+ ]
+ },
+ {
+ "anyOf": [
+ {
+ "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
+ "equals": "*"
+ },
+ {
+ "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
+ "equals": "Internet"
+ },
+ {
+ "not": {
+ "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]",
+ "notEquals": "*"
+ }
+ },
+ {
+ "not": {
+ "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]",
+ "notEquals": "Internet"
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[[parameters('effect')]"
+ }
+ }
+ },
+ "name": "Deny-RDP-From-Internet"
+ },
+ {
+ "properties": {
+ "description": "Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled",
+ "displayName": "Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace",
+ "mode": "Indexed",
+ "parameters": {
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Log Analytics workspace",
+ "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
+ "strongType": "omsWorkspace"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "profileName": {
+ "type": "String",
+ "defaultValue": "setbypolicy",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ }
+ },
+ "logsEnabled": {
+ "type": "String",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable logs",
+ "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ }
+ }
+ },
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Monitoring"
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.Cdn/profiles/endpoints"
+ },
+ "then": {
+ "effect": "[[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "setByPolicy",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "String"
+ },
+ "logAnalytics": {
+ 
"type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Cdn/profiles/endpoints/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [], + "logs": [ + { + "category": "CoreAnalytics", + "enabled": "[[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('fullName')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + }, + "logsEnabled": { + "value": "[[parameters('logsEnabled')]" + } + } + } + } + } + } + } + }, + "name": "Deploy-Diagnostics-CDNEndpoints" + }, + { + "properties": { + "description": "Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled", + "displayName": "Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace", + "mode": "Indexed", + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "metadata": { + "version": "1.0.0", + "category": "Monitoring" + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.CognitiveServices/accounts" + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "setByPolicy", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.CognitiveServices/accounts/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "Audit", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "RequestResponse", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "Trace", + "enabled": "[[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[[parameters('logsEnabled')]" + } + } + } + } + } + } + } + }, + "name": "Deploy-Diagnostics-CognitiveServices" + }, + { + "properties": { + "description": "Deploys the diagnostic settings 
for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled", + "displayName": "Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace", + "mode": "Indexed", + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "metadata": { + "version": "1.0.0", + "category": "Monitoring" + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.DocumentDB/databaseAccounts" + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + 
"name": "setByPolicy", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DocumentDB/databaseAccounts/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "Requests", + "enabled": "[[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "DataPlaneRequests", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "MongoRequests", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "QueryRuntimeStatistics", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "PartitionKeyStatistics", + "enabled": 
"[[parameters('logsEnabled')]" + }, + { + "category": "PartitionKeyRUConsumption", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "ControlPlaneRequests", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "CassandraRequests", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "GremlinRequests", + "enabled": "[[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[[parameters('logsEnabled')]" + } + } + } + } + } + } + } + }, + "name": "Deploy-Diagnostics-CosmosDB" + }, + { + "properties": { + "description": "Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled", + "displayName": "Deploy Diagnostic Settings for Databricks to Log Analytics workspace", + "mode": "Indexed", + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "metadata": { + "version": "1.0.0", + "category": "Monitoring" + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Databricks/workspaces" + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "setByPolicy", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + 
"type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Databricks/workspaces/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "logs": [ + { + "category": "dbfs", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "clusters", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "accounts", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "jobs", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "notebook", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "ssh", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "workspace", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "secrets", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "sqlPermissions", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "instancePools", + "enabled": "[[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + }, + "logsEnabled": { + "value": "[[parameters('logsEnabled')]" + } + } + } + } + } + } + } + }, + "name": "Deploy-Diagnostics-Databricks" + }, + { + "properties": { + "description": "Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. 
The policy wil set the diagnostic with all metrics and category enabled", + "displayName": "Deploy Diagnostic Settings for Data Factory to Log Analytics workspace", + "mode": "Indexed", + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "metadata": { + "version": "1.0.0", + "category": "Monitoring" + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.DataFactory/factories" + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "setByPolicy", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + 
"equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DataFactory/factories/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "ActivityRuns", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "PipelineRuns", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "TriggerRuns", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "SSISPackageEventMessages", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "SSISPackageExecutableStatistics", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": 
"SSISPackageEventMessageContext", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "SSISPackageExecutionComponentPhases", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "SSISPackageExecutionDataStatistics", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "SSISIntegrationRuntimeLogs", + "enabled": "[[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[[parameters('logsEnabled')]" + } + } + } + } + } + } + } + }, + "name": "Deploy-Diagnostics-DataFactory" + }, + { + "properties": { + "description": "Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled", + "displayName": "Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace", + "mode": "Indexed", + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "metadata": { + "version": "1.0.0", + "category": "Monitoring" + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.DataLakeAnalytics/accounts" + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "setByPolicy", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DataLakeAnalytics/accounts/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "Audit", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "Requests", + "enabled": "[[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[[parameters('logsEnabled')]" + } + } + } + } + } + } + } + }, + "name": "Deploy-Diagnostics-DLAnalytics" + }, + { + "properties": { + "description": "Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid 
subscriptions which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled",
+ "displayName": "Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace",
+ "mode": "Indexed",
+ "parameters": {
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Log Analytics workspace",
+ "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
+ "strongType": "omsWorkspace"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "profileName": {
+ "type": "String",
+ "defaultValue": "setbypolicy",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ }
+ },
+ "metricsEnabled": {
+ "type": "String",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable metrics",
+ "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ }
+ }
+ },
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Monitoring"
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.EventGrid/eventSubscriptions"
+ },
+ "then": {
+ "effect": "[[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "setByPolicy",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "String"
+ },
+ "logAnalytics": {
+ "type": "String"
+ },
+ "location": {
+ "type": "String"
+ },
+ "profileName": {
+ "type": "String"
+ },
+ "metricsEnabled": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.EventGrid/eventSubscriptions/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+ "location": "[[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "workspaceId": "[[parameters('logAnalytics')]",
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": "[[parameters('metricsEnabled')]",
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ },
+ "timeGrain": null
+ }
+ ],
+ "logs": []
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "location": {
+ "value": "[[field('location')]"
+ },
+ "resourceName": {
+ "value": "[[field('name')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ },
+ "metricsEnabled": {
+ "value": "[[parameters('metricsEnabled')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "name": "Deploy-Diagnostics-EventGridSub"
+ },
+ {
+ "properties": {
+ "description": "Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled",
+ "displayName": "Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace",
+ "mode": "Indexed",
+ "parameters": {
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Log Analytics workspace",
+ "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
+ "strongType": "omsWorkspace"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "profileName": {
+ "type": "String",
+ "defaultValue": "setbypolicy",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ }
+ },
+ "metricsEnabled": {
+ "type": "String",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable metrics",
+ "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ }
+ },
+ "logsEnabled": {
+ "type": "String",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable logs",
+ "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ }
+ }
+ },
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Monitoring"
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.EventGrid/topics"
+ },
+ "then": {
+ "effect": "[[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "setByPolicy",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "String"
+ },
+ "logAnalytics": {
+ "type": "String"
+ },
+ "location": {
+ "type": "String"
+ },
+ "profileName": {
+ "type": "String"
+ },
+ "metricsEnabled": {
+ "type": "String"
+ },
+ "logsEnabled": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.EventGrid/topics/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+ "location": "[[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "workspaceId": "[[parameters('logAnalytics')]",
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": "[[parameters('metricsEnabled')]",
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ },
+ "timeGrain": null
+ }
+ ],
+ "logs": [
+ {
+ "category": "DeliveryFailures",
+ "enabled": "[[parameters('logsEnabled')]"
+ },
+ {
+ "category": "PublishFailures",
+ "enabled": "[[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "location": {
+ "value": "[[field('location')]"
+ },
+ "resourceName": {
+ "value": "[[field('name')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ },
+ "metricsEnabled": {
+ "value": "[[parameters('metricsEnabled')]"
+ },
+ "logsEnabled": {
+ "value": "[[parameters('logsEnabled')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "name": "Deploy-Diagnostics-EventGridTopic"
+ },
+ {
+ "properties": {
+ "description": "Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled",
+ "displayName": "Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace",
+ "mode": "Indexed",
+ "parameters": {
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Log Analytics workspace",
+ "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
+ "strongType": "omsWorkspace"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "profileName": {
+ "type": "String",
+ "defaultValue": "setbypolicy",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ }
+ },
+ "metricsEnabled": {
+ "type": "String",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable metrics",
+ "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ }
+ },
+ "logsEnabled": {
+ "type": "String",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable logs",
+ "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ }
+ }
+ },
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Monitoring"
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.EventGrid/systemTopics"
+ },
+ "then": {
+ "effect": "[[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "setByPolicy",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "String"
+ },
+ "logAnalytics": {
+ "type": "String"
+ },
+ "location": {
+ "type": "String"
+ },
+ "profileName": {
+ "type": "String"
+ },
+ "metricsEnabled": {
+ "type": "String"
+ },
+ "logsEnabled": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.EventGrid/systemTopics/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+ "location": "[[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "workspaceId": "[[parameters('logAnalytics')]",
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": "[[parameters('metricsEnabled')]",
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ },
+ "timeGrain": null
+ }
+ ],
+ "logs": [
+ {
+ "category": "DeliveryFailures",
+ "enabled": "[[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "location": {
+ "value": "[[field('location')]"
+ },
+ "resourceName": {
+ "value": "[[field('name')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ },
+ "metricsEnabled": {
+ "value": "[[parameters('metricsEnabled')]"
+ },
+ "logsEnabled": {
+ "value": "[[parameters('logsEnabled')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "name": "Deploy-Diagnostics-EventGridSystemTopic"
+ },
+ {
+ "properties": {
+ "description": "Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled",
+ "displayName": "Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace",
+ "mode": "Indexed",
+ "parameters": {
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Log Analytics workspace",
+ "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
+ "strongType": "omsWorkspace"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "profileName": {
+ "type": "String",
+ "defaultValue": "setbypolicy",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ }
+ },
+ "metricsEnabled": {
+ "type": "String",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable metrics",
+ "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ }
+ },
+ "logsEnabled": {
+ "type": "String",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable logs",
+ "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ }
+ }
+ },
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Monitoring"
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.Network/expressRouteCircuits"
+ },
+ "then": {
+ "effect": "[[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "setByPolicy",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "String"
+ },
+ "logAnalytics": {
+ "type": "String"
+ },
+ "location": {
+ "type": "String"
+ },
+ "profileName": {
+ "type": "String"
+ },
+ "metricsEnabled": {
+ "type": "String"
+ },
+ "logsEnabled": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Network/expressRouteCircuits/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+ "location": "[[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "workspaceId": "[[parameters('logAnalytics')]",
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": "[[parameters('metricsEnabled')]",
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ },
+ "timeGrain": null
+ }
+ ],
+ "logs": [
+ {
+ "category": "PeeringRouteLog",
+ "enabled": "[[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "location": {
+ "value": "[[field('location')]"
+ },
+ "resourceName": {
+ "value": "[[field('name')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ },
+ "metricsEnabled": {
+ "value": "[[parameters('metricsEnabled')]"
+ },
+ "logsEnabled": {
+ "value": "[[parameters('logsEnabled')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "name": "Deploy-Diagnostics-ExpressRoute"
+ },
+ {
+ "properties": {
+ "description": "Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled",
+ "displayName": "Deploy Diagnostic Settings for Firewall to Log Analytics workspace",
+ "mode": "Indexed",
+ "parameters": {
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Log Analytics workspace",
+ "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
+ "strongType": "omsWorkspace"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "profileName": {
+ "type": "String",
+ "defaultValue": "setbypolicy",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ }
+ },
+ "metricsEnabled": {
+ "type": "String",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable metrics",
+ "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ }
+ },
+ "logsEnabled": {
+ "type": "String",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable logs",
+ "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ }
+ }
+ },
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Monitoring"
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.Network/azureFirewalls"
+ },
+ "then": {
+ "effect": "[[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "setByPolicy",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "String"
+ },
+ "logAnalytics": {
+ "type": "String"
+ },
+ "location": {
+ "type": "String"
+ },
+ "profileName": {
+ "type": "String"
+ },
+ "metricsEnabled": {
+ "type": "String"
+ },
+ "logsEnabled": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Network/azureFirewalls/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+ "location": "[[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "workspaceId": "[[parameters('logAnalytics')]",
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": "[[parameters('metricsEnabled')]",
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ },
+ "timeGrain": null
+ }
+ ],
+ "logs": [
+ {
+ "category": "AzureFirewallApplicationRule",
+ "enabled": "[[parameters('logsEnabled')]"
+ },
+ {
+ "category": "AzureFirewallNetworkRule",
+ "enabled": "[[parameters('logsEnabled')]"
+ },
+ {
+ "category": "AzureFirewallDnsProxy",
+ "enabled": "[[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "location": {
+ "value": "[[field('location')]"
+ },
+ "resourceName": {
+ "value": "[[field('name')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ },
+ "metricsEnabled": {
+ "value": "[[parameters('metricsEnabled')]"
+ },
+ "logsEnabled": {
+ "value": "[[parameters('logsEnabled')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "name": "Deploy-Diagnostics-Firewall"
+ },
+ {
+ "properties": {
+ "description": "Deploys Azure Firewall Manager policy in subscription where the policy is assigned.",
+ "displayName": "Deploy Azure Firewall Manager policy in the subscription",
+ "mode": "All",
+ "parameters": {
+ "fwpolicy": {
+ "type": "Object",
+ "metadata": {
+ "displayName": "fwpolicy",
+ "description": "Object describing Azure Firewall Policy"
+ },
+ "defaultValue": {}
+ },
+ "fwPolicyRegion": {
+ "type": "String",
+ "metadata": {
+ "displayName": "fwPolicyRegion",
+ "description": "Select Azure region for Azure Firewall Policy",
+ "strongType": "location"
+ }
+ },
+ "rgName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "rgName",
+ "description": "Provide name for resource group."
+ }
+ },
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Network"
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Resources/subscriptions"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Network/firewallPolicies",
+ "deploymentScope": "Subscription",
+ "existenceScope": "ResourceGroup",
+ "resourceGroupName": "[[parameters('rgName')]",
+ "roleDefinitionIds": [
+ "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
+ ],
+ "deployment": {
+ "location": "northeurope",
+ "properties": {
+ "mode": "Incremental",
+ "parameters": {
+ "rgName": {
+ "value": "[[parameters('rgName')]"
+ },
+ "fwPolicy": {
+ "value": "[[parameters('fwPolicy')]"
+ },
+ "fwPolicyRegion": {
+ "value": "[[parameters('fwPolicyRegion')]"
+ }
+ },
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "rgName": {
+ "type": "String"
+ },
+ "fwPolicy": {
+ "type": "object"
+ },
+ "fwPolicyRegion": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Resources/resourceGroups",
+ "apiVersion": "2018-05-01",
+ "name": "[[parameters('rgName')]",
+ "location": "[[deployment().location]",
+ "properties": {}
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2018-05-01",
+ "name": "fwpolicies",
+ "resourceGroup": "[[parameters('rgName')]",
+ "dependsOn": [
+ "[[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
+ "contentVersion": "1.0.0.0",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Network/firewallPolicies",
+ "apiVersion": "2019-09-01",
+ "name": "[[parameters('fwpolicy').firewallPolicyName]",
+ "location": "[[parameters('fwpolicy').location]",
+ "dependsOn": [],
+ "tags": {},
+ "properties": {},
+ "resources": [
+ {
+ "type": "ruleGroups",
+ "apiVersion": "2019-09-01",
+ "name": "[[parameters('fwpolicy').ruleGroups.name]",
+ "dependsOn": [
+ "[[resourceId('Microsoft.Network/firewallPolicies',parameters('fwpolicy').firewallPolicyName)]"
+ ],
+ "properties": {
+ "priority": "[[parameters('fwpolicy').ruleGroups.properties.priority]",
+ "rules": "[[parameters('fwpolicy').ruleGroups.properties.rules]"
+ }
+ }
+ ]
+ }
+ ],
+ "outputs": {}
+ }
+ }
+ }
+ ],
+ "outputs": {}
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "name": "Deploy-FirewallPolicy"
+ },
+ {
+ "properties": {
+ "description": "Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled",
+ "displayName": "Deploy Diagnostic Settings for Front Door to Log Analytics workspace",
+ "mode": "Indexed",
+ "parameters": {
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Log Analytics workspace",
+ "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
+ "strongType": "omsWorkspace"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "profileName": {
+ "type": "String",
+ "defaultValue": "setbypolicy",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ }
+ },
+ "metricsEnabled": {
+ "type": "String",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable metrics",
+ "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ }
+ },
+ "logsEnabled": {
+ "type": "String",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable logs",
+ "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ }
+ }
+ },
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Monitoring"
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.Network/frontDoors"
+ },
+ "then": {
+ "effect": "[[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "setByPolicy",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "String"
+ },
+ "logAnalytics": {
+ "type": "String"
+ },
+ "location": {
+ "type": "String"
+ },
+ "profileName": {
+ "type": "String"
+ },
+ "metricsEnabled": {
+ "type": "String"
+ },
+ "logsEnabled": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Network/frontDoors/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+ "location": "[[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "workspaceId": "[[parameters('logAnalytics')]",
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": "[[parameters('metricsEnabled')]",
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ },
+ "timeGrain": null
+ }
+ ],
+ "logs": [
+ {
+ "category": "FrontdoorAccessLog",
+ "enabled": "[[parameters('logsEnabled')]"
+ },
+ {
+ "category": "FrontdoorWebApplicationFirewallLog",
+ "enabled": "[[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "location": {
+ "value": "[[field('location')]"
+ },
+ "resourceName": {
+ "value": "[[field('name')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ },
+ "metricsEnabled": {
+ "value": "[[parameters('metricsEnabled')]"
+ },
+ "logsEnabled": {
+ "value": "[[parameters('logsEnabled')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "name": "Deploy-Diagnostics-FrontDoor"
+ },
+ {
+ "properties": {
+ "description": "Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled",
+ "displayName": "Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace",
+ "mode": "Indexed",
+ "parameters": {
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Log Analytics workspace",
+ "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
+ "strongType": "omsWorkspace"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "profileName": {
+ "type": "String",
+ "defaultValue": "setbypolicy",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ }
+ },
+ "metricsEnabled": {
+ "type": "String",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable metrics",
+ "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ }
+ },
+ "logsEnabled": {
+ "type": "String",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable logs",
+ "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ }
+ }
+ },
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Monitoring"
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Web/sites"
+ },
+ {
+ "value": "[[field('kind')]",
+ "contains": "functionapp"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "setByPolicy",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "String"
+ },
+ "logAnalytics": {
+ "type": "String"
+ },
+ "location": {
+ "type": "String"
+ },
+ "profileName": {
+ "type": "String"
+ },
+ "metricsEnabled": {
+ "type": "String"
+ },
+ "logsEnabled": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Web/sites/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+ "location": "[[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "workspaceId": "[[parameters('logAnalytics')]",
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": "[[parameters('metricsEnabled')]",
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ },
+ "timeGrain": null
+ }
+ ],
+ "logs": [
+ {
+ "category": "FunctionAppLogs",
+ "enabled": "[[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "location": {
+ "value": "[[field('location')]"
+ },
+ "resourceName": {
+ "value": "[[field('name')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ },
+ "metricsEnabled": {
+ "value": "[[parameters('metricsEnabled')]"
+ },
+ "logsEnabled": {
+ "value": "[[parameters('logsEnabled')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "name": "Deploy-Diagnostics-Function"
+ },
+ {
+ "properties": {
+ "description": "Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled",
+ "displayName": "Deploy Diagnostic Settings for HDInsight to Log Analytics workspace",
+ "mode": "Indexed",
+ "parameters": {
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Log Analytics workspace",
+ "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
+ "strongType": "omsWorkspace"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "profileName": {
+ "type": "String",
+ "defaultValue": "setbypolicy",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ }
+ },
+ "metricsEnabled": {
+ "type": "String",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable metrics",
+ "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ }
+ }
+ },
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Monitoring"
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.HDInsight/clusters"
+ },
+ "then": {
+ "effect": "[[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "setByPolicy",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "String"
+ },
+ "logAnalytics": {
+ "type": "String"
+ },
+ "location": {
+ "type": "String"
+ },
+ "profileName": {
+ "type": "String"
+ },
+ "metricsEnabled": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.HDInsight/clusters/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+ "location": "[[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "workspaceId": "[[parameters('logAnalytics')]",
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": "[[parameters('metricsEnabled')]",
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ },
+ "timeGrain": null
+ }
+ ],
+ "logs": []
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "location": {
+ "value": "[[field('location')]"
+ },
+ "resourceName": {
+ "value": "[[field('name')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ },
+ "metricsEnabled": {
+ "value": "[[parameters('metricsEnabled')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "name": "Deploy-Diagnostics-HDInsight"
+ },
+ {
+ "properties": {
+ "description": "Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled",
+ "displayName": "Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace",
+ "mode": "Indexed",
+ "parameters": {
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Log Analytics workspace",
+ "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
+ "strongType": "omsWorkspace"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "profileName": {
+ "type": "String",
+ "defaultValue": "setbypolicy",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ }
+ },
+ "metricsEnabled": {
+ "type": "String",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable metrics",
+ "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ }
+ },
+ "logsEnabled": {
+ "type": "String",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable logs",
+ "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ }
+ }
+ },
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Monitoring"
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.Devices/IotHubs"
+ 
}, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "setByPolicy", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Devices/IotHubs/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "Connections", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "DeviceTelemetry", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "C2DCommands", + "enabled": 
"[[parameters('logsEnabled')]" + }, + { + "category": "DeviceIdentityOperations", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "FileUploadOperations", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "Routes", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "D2CTwinOperations", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "C2DTwinOperations", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "TwinQueries", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "JobsOperations", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "DirectMethods", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "DistributedTracing", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "Configurations", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "DeviceStreams", + "enabled": "[[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[[parameters('logsEnabled')]" + } + } + } + } + } + } + } + }, + "name": "Deploy-Diagnostics-iotHub" + }, + { + "properties": { + "description": "This policy enables you to ensure when a Key Vault is created with out soft delete enabled it will be added.", + "displayName": "KeyVault SoftDelete should be enabled", + "mode": "Indexed", + "parameters": {}, + "metadata": { + "version": "1.0.0", + "category": "Key Vault" + }, + "policyRule": { + "if": { + "anyOf": [ + { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.KeyVault/vaults" + }, + { + "field": "Microsoft.KeyVault/vaults/enableSoftDelete", + 
"notEquals": true + } + ] + } + ] + }, + "then": { + "effect": "append", + "details": [ + { + "field": "Microsoft.KeyVault/vaults/enableSoftDelete", + "value": true + } + ] + } + } + }, + "name": "Append-KV-SoftDelete" + }, + { + "properties": { + "description": "Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled", + "displayName": "Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace", + "mode": "Indexed", + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or 
False" + } + } + }, + "metadata": { + "version": "1.0.0", + "category": "Monitoring" + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/loadBalancers" + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "setByPolicy", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/loadBalancers/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "timeGrain": null, + "enabled": "[[parameters('metricsEnabled')]", + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ], + "logs": [ + { + "category": 
"LoadBalancerAlertEvent", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "LoadBalancerProbeHealthStatus", + "enabled": "[[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[[parameters('logsEnabled')]" + } + } + } + } + } + } + } + }, + "name": "Deploy-Diagnostics-LoadBalancer" + }, + { + "properties": { + "description": "Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled", + "displayName": "Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace", + "mode": "Indexed", + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "metadata": { + "version": "1.0.0", + "category": "Monitoring" + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Logic/integrationAccounts" + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "setByPolicy", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + 
"type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Logic/integrationAccounts/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [], + "logs": [ + { + "category": "IntegrationAccountTrackingEvents", + "enabled": "[[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + }, + "logsEnabled": { + "value": "[[parameters('logsEnabled')]" + } + } + } + } + } + } + } + }, + "name": "Deploy-Diagnostics-LogicAppsISE" + }, + { + "properties": { + "description": "Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled", + "displayName": "Deploy Diagnostic Settings for MariaDB to Log Analytics workspace", + "mode": "Indexed", + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "metadata": { + "version": "1.0.0", + "category": "Monitoring" + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.DBforMariaDB/servers" + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "setByPolicy", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DBforMariaDB/servers/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "MySqlSlowLogs", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "MySqlAuditLogs", + "enabled": "[[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[[parameters('logsEnabled')]" + } + } + } + } + } + } + } + }, + "name": "Deploy-Diagnostics-MariaDB" + }, + { + "properties": { + "description": "This policy denies the creation of Maria DB accounts with exposed public endpoints", + "displayName": "Public network 
access should be disabled for MariaDB", + "mode": "Indexed", + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "metadata": { + "version": "1.0.0", + "category": "SQL" + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.DBforMariaDB/servers" + }, + { + "field": "Microsoft.DBforMariaDB/servers/publicNetworkAccess", + "notequals": "Disabled" + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-PublicEndpoint-MariaDB" + }, + { + "properties": { + "description": "Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled", + "displayName": "Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace", + "mode": "Indexed", + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "metadata": { + "version": "1.0.0", + "category": "Monitoring" + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.MachineLearningServices/workspaces" + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "setByPolicy", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.MachineLearningServices/workspaces/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "Run", + "enabled": "[[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + }, + { + "category": "Model", + "enabled": "[[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": true + } + }, + { + "category": "Quota", + "enabled": "[[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + }, + { + "category": "Resource", + "enabled": "[[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "AmlComputeClusterEvent", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "AmlComputeClusterNodeEvent", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "AmlComputeJobEvent", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "AmlComputeCpuGpuUtilization", + "enabled": 
"[[parameters('logsEnabled')]" + }, + { + "category": "AmlRunStatusChangedEvent", + "enabled": "[[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[[parameters('logsEnabled')]" + } + } + } + } + } + } + } + }, + "name": "Deploy-Diagnostics-MlWorkspace" + }, + { + "properties": { + "description": "Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled", + "displayName": "Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace", + "mode": "Indexed", + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "metadata": { + "version": "1.0.0", + "category": "Monitoring" + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.DBforMySQL/servers" + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "setByPolicy", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DBforMySQL/servers/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "MySqlSlowLogs", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "MySqlAuditLogs", + "enabled": "[[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[[parameters('logsEnabled')]" + } + } + } + } + } + } + } + }, + "name": "Deploy-Diagnostics-MySQL" + }, + { + "properties": { + "description": "Deploys an Azure DDoS Protection Standard plan", + "displayName": "Deploy an Azure DDoS Protection Standard plan", + 
"mode": "All", + "parameters": { + "ddosName": { + "type": "String", + "metadata": { + "displayName": "ddosName", + "description": "DDoSVnet" + } + }, + "ddosRegion": { + "type": "String", + "metadata": { + "displayName": "ddosRegion", + "description": "DDoSVnet location", + "strongType": "location" + } + }, + "rgName": { + "type": "String", + "metadata": { + "displayName": "rgName", + "description": "Provide name for resource group." + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "metadata": { + "version": "1.0.0", + "category": "Network" + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Resources/subscriptions" + } + ] + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Network/ddosProtectionPlans", + "deploymentScope": "Subscription", + "existenceScope": "ResourceGroup", + "resourceGroupName": "[[parameters('rgName')]", + "name": "[[parameters('ddosName')]", + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7" + ], + "deployment": { + "location": "northeurope", + "properties": { + "mode": "Incremental", + "parameters": { + "rgName": { + "value": "[[parameters('rgName')]" + }, + "ddosname": { + "value": "[[parameters('ddosname')]" + }, + "ddosregion": { + "value": "[[parameters('ddosRegion')]" + } + }, + "template": { + "$schema": "http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": { + "rgName": { + "type": "String" + }, + "ddosname": { + "type": "String" + }, + "ddosRegion": { + "type": "String" + } + }, + "resources": [ + { + "type": "Microsoft.Resources/resourceGroups", + "apiVersion": "2018-05-01", + "name": 
"[[parameters('rgName')]", + "location": "[[deployment().location]", + "properties": {} + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2018-05-01", + "name": "ddosprotection", + "resourceGroup": "[[parameters('rgName')]", + "dependsOn": [ + "[[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]" + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": {}, + "resources": [ + { + "type": "Microsoft.Network/ddosProtectionPlans", + "apiVersion": "2019-12-01", + "name": "[[parameters('ddosName')]", + "location": "[[parameters('ddosRegion')]", + "properties": {} + } + ], + "outputs": {} + } + } + } + ], + "outputs": {} + } + } + } + } + } + } + }, + "name": "Deploy-DDoSProtection" + }, + { + "properties": { + "description": "This policy denies the creation of vNet Peerings under the assigned scope.", + "displayName": "Deny vNet peering ", + "mode": "Indexed", + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "metadata": { + "version": "1.0.0", + "category": "Network" + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings" + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-VNet-Peering" + }, + { + "properties": { + "description": "This policy denies the creation of a private DNS in the current scope, used in combination with policies that create centralized private DNS in connectivity subscription", + "displayName": "Deny the creation of private DNS", + "mode": "Indexed", + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" 
+ ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "metadata": { + "version": "1.0.0", + "category": "Network" + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/privateDnsZones" + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-Private-DNS-Zones" + }, + { + "properties": { + "description": "This policy denies creation of Public IPs under the assigned scope.", + "displayName": "Deny the creation of public IP", + "mode": "Indexed", + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "metadata": { + "version": "1.0.0", + "category": "Network" + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/publicIPAddresses" + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-PublicIP" + }, + { + "properties": { + "description": "Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled", + "displayName": "Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace", + "mode": "Indexed", + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + } + }, + "metadata": { + "version": "1.0.0", + "category": "Monitoring" + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/networkInterfaces" + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "setByPolicy", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + 
"logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/networkInterfaces/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "timeGrain": null, + "enabled": "[[parameters('metricsEnabled')]", + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[[parameters('metricsEnabled')]" + } + } + } + } + } + } + } + }, + "name": "Deploy-Diagnostics-NIC" + }, + { + "properties": { + "description": "Deploys NSG flow logs and traffic analytics to Log Analytics with a specfied retention period.", + "displayName": "Deploys NSG flow logs and traffic analytics to Log Analytics", + "mode": "Indexed", + "parameters": { + "retention": { + "type": "Integer", + "metadata": { + "displayName": "Retention" + }, + "defaultValue": 5 + }, + "interval": { + "type": "Integer", + "metadata": { + "displayName": "Traffic Analytics processing interval mins (10/60)" + }, + "defaultValue": 60 + }, + "workspace": { + "type": "String", + "metadata": { + "strongType": "omsWorkspace", + "displayName": "Resource ID of Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID." + }, + "defaultValue": "" + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "metadata": { + "version": "1.1.0", + "category": "Monitoring" + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/networkSecurityGroups" + } + ] + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Network/networkWatchers/flowlogs", + "name": "[[if(empty(coalesce(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id'))), 'null/null', concat(split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[8], '/', split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[10]))]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Network/networkWatchers/flowLogs/enabled", + "equals": "true" + } + ] + }, + "existenceScope": "resourceGroup", + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7", + "/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12", + "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab", + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "resourceGroupName": "[[if(empty(coalesce(field('Microsoft.Network/networkSecurityGroups/flowLogs'))), 'NetworkWatcherRG', split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[4])]", + "deploymentScope": 
"subscription", + "deployment": { + "location": "northeurope", + "properties": { + "mode": "Incremental", + "parameters": { + "location": { + "value": "[[field('location')]" + }, + "networkSecurityGroup": { + "value": "[[field('id')]" + }, + "workspace": { + "value": "[[parameters('workspace')]" + }, + "retention": { + "value": "[[parameters('retention')]" + }, + "interval": { + "value": "[[parameters('interval')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "String" + }, + "networkSecurityGroup": { + "type": "String" + }, + "workspace": { + "type": "String" + }, + "retention": { + "type": "int" + }, + "interval": { + "type": "int" + }, + "time": { + "type": "String", + "defaultValue": "[[utcNow()]" + } + }, + "variables": { + "resourceGroupName": "[[split(parameters('networkSecurityGroup'), '/')[4]]", + "securityGroupName": "[[split(parameters('networkSecurityGroup'), '/')[8]]", + "storageAccountName": "[[concat('es', uniqueString(variables('securityGroupName'), parameters('time')))]" + }, + "resources": [ + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[[concat(variables('resourceGroupName'), '.', variables('securityGroupName'))]", + "resourceGroup": "[[variables('resourceGroupName')]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2019-06-01", + "name": "[[variables('storageAccountName')]", + "location": "[[parameters('location')]", + "properties": {}, + "kind": "StorageV2", + "sku": { + "name": "Standard_LRS", + "tier": "Standard" + } + } + ] + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + 
"name": "[[concat('NetworkWatcherRG', '.', variables('securityGroupName'))]", + "resourceGroup": "NetworkWatcherRG", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Network/networkWatchers", + "apiVersion": "2020-05-01", + "name": "[[concat('NetworkWatcher_', toLower(parameters('location')))]", + "location": "[[parameters('location')]", + "properties": {}, + "resources": [ + { + "type": "flowLogs", + "apiVersion": "2019-11-01", + "name": "[[concat(variables('securityGroupName'), '-Network-flowlog')]", + "location": "[[parameters('location')]", + "properties": { + "enabled": true, + "format": { + "type": "JSON", + "version": 2 + }, + "retentionPolicy": { + "days": "[[parameters('retention')]", + "enabled": true + }, + "flowAnalyticsConfiguration": { + "networkWatcherFlowAnalyticsConfiguration": { + "enabled": true, + "trafficAnalyticsInterval": "[[parameters('interval')]", + "workspaceResourceId": "[[parameters('workspace')]" + } + }, + "storageId": "[[concat(subscription().id, '/resourceGroups/', variables('resourceGroupName'), '/providers/Microsoft.Storage/storageAccounts/', variables('storageAccountName'))]", + "targetResourceId": "[[parameters('networkSecurityGroup')]" + }, + "dependsOn": [ + "[[concat('NetworkWatcher_', toLower(parameters('location')))]" + ] + } + ] + } + ] + } + }, + "dependsOn": [ + "[[concat(variables('resourceGroupName'), '.', variables('securityGroupName'))]" + ] + } + ], + "outputs": {} + } + } + } + } + } + } + }, + "name": "Deploy-Nsg-FlowLogs-to-LA" + }, + { + "properties": { + "description": "This policy denies the creation of a subsnet with out an Network Security Group. 
NSG help to protect traffic across subnet-level.", + "displayName": "Subnets should have a Network Security Group ", + "mode": "All", + "parameters": { + "effect": { + "type": "String", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "metadata": { + "version": "1.0.0", + "category": "Network" + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks/subnets" + }, + { + "field": "Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id", + "exists": "false" + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-Subnet-Without-Nsg" + }, + { + "properties": { + "displayName": "Subnets should have a User Defined Route", + "policyType": "Custom", + "mode": "All", + "description": "This policy denies the creation of a subnet with out a User Defined Route.", + "metadata": { + "version": "1.1.0", + "category": "Network" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "excludedSubnets": { + "type": "Array", + "metadata": { + "displayName": "Excluded Subnets", + "description": "Array of subnet names that are excluded from this policy" + }, + "defaultValue": [ + "AzureBastionSubnet", + "GatewaySubnet", + "AzureFirewallManagementSubnet" + ] + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks/subnets" + }, + { + "field": "name", + "notIn": "[[parameters('excludedSubnets')]" + }, + { + "field": "Microsoft.Network/virtualNetworks/subnets/routeTable.id", + "exists": "false" + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } 
+ }, + "name": "Deny-Subnet-Without-UDR" + }, + { + "properties": { + "description": "This policy denies the creation of vNet Peerings outside of the same subscriptions under the assigned scope.", + "displayName": "Deny vNet peering cross subscription.", + "mode": "Indexed", + "metadata": { + "version": "1.0.0.0", + "category": "Network" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings" + }, + { + "field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id", + "notcontains": "[[subscription().id]" + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-VNET-Peer-Cross-Sub" + }, + { + "properties": { + "description": "Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled", + "displayName": "Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace", + "mode": "Indexed", + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "metadata": { + "version": "1.0.0", + "category": "Monitoring" + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/networkSecurityGroups" + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "setByPolicy", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": 
{ + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/networkSecurityGroups/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [], + "logs": [ + { + "category": "NetworkSecurityGroupEvent", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "NetworkSecurityGroupRuleCounter", + "enabled": "[[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + }, + "logsEnabled": { + "value": "[[parameters('logsEnabled')]" + } + } + } + } + } + } + } + }, + "name": "Deploy-Diagnostics-NetworkSecurityGroups" + }, + { + "properties": { + "description": "Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled", + "displayName": "Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace", + "mode": "Indexed", + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "metadata": { + "version": "1.0.0", + "category": "Monitoring" + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.DBforPostgreSQL/servers" + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "setByPolicy", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DBforPostgreSQL/servers/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "PostgreSQLLogs", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "QueryStoreRuntimeStatistics", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "QueryStoreWaitStatistics", + "enabled": "[[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[[parameters('logsEnabled')]" + } + } + } + } + } + } + } + }, + "name": "Deploy-Diagnostics-PostgreSQL" + }, + { + "properties": { + "description": 
"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled", + "displayName": "Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace", + "mode": "Indexed", + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "metadata": { + "version": "1.0.0", + "category": "Monitoring" + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.PowerBIDedicated/capacities" + }, + "then": { + "effect": "[[parameters('effect')]", + 
"details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "setByPolicy", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.PowerBIDedicated/capacities/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "Engine", + "enabled": "[[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + 
"resourceName": { + "value": "[[field('name')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[[parameters('logsEnabled')]" + } + } + } + } + } + } + } + }, + "name": "Deploy-Diagnostics-PowerBIEmbedded" + }, + { + "properties": { + "description": "Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled", + "displayName": "Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace", + "mode": "Indexed", + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + } + }, + "metadata": { + "version": "1.0.0", + "category": "Monitoring" + }, + "policyRule": { + "if": { + "field": "type", + "equals": 
"Microsoft.Cache/redis" + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "setByPolicy", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Cache/redis/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + }, + "metricsEnabled": { + "value": 
"[[parameters('metricsEnabled')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "name": "Deploy-Diagnostics-RedisCache"
+ },
+ {
+ "properties": {
+ "description": "Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled",
+ "displayName": "Deploy Diagnostic Settings for Relay to Log Analytics workspace",
+ "mode": "Indexed",
+ "parameters": {
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Log Analytics workspace",
+ "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
+ "strongType": "omsWorkspace"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "profileName": {
+ "type": "String",
+ "defaultValue": "setbypolicy",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ }
+ },
+ "metricsEnabled": {
+ "type": "String",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable metrics",
+ "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ }
+ },
+ "logsEnabled": {
+ "type": "String",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable logs",
+ "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ }
+ }
+ },
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Monitoring"
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.Relay/namespaces"
+ },
+ "then": {
+ "effect": "[[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "setByPolicy",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "String"
+ },
+ "logAnalytics": {
+ "type": "String"
+ },
+ "location": {
+ "type": "String"
+ },
+ "profileName": {
+ "type": "String"
+ },
+ "metricsEnabled": {
+ "type": "String"
+ },
+ "logsEnabled": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Relay/namespaces/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+ "location": "[[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "workspaceId": "[[parameters('logAnalytics')]",
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": "[[parameters('metricsEnabled')]",
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ },
+ "timeGrain": null
+ }
+ ],
+ "logs": [
+ {
+ "category": "HybridConnectionsEvent",
+ "enabled": "[[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "location": {
+ "value": "[[field('location')]"
+ },
+ "resourceName": {
+ "value": "[[field('name')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ },
+ "metricsEnabled": {
+ "value": "[[parameters('metricsEnabled')]"
+ },
+ "logsEnabled": {
+ "value": "[[parameters('logsEnabled')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "name": "Deploy-Diagnostics-Relay"
+ },
+ {
+ "properties": {
+ "description": "Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled",
+ "displayName": "Deploy Diagnostic Settings for SignalR to Log Analytics workspace",
+ "mode": "Indexed",
+ "parameters": {
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Log Analytics workspace",
+ "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
+ "strongType": "omsWorkspace"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "profileName": {
+ "type": "String",
+ "defaultValue": "setbypolicy",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ }
+ },
+ "metricsEnabled": {
+ "type": "String",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable metrics",
+ "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ }
+ },
+ "logsEnabled": {
+ "type": "String",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable logs",
+ "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ }
+ }
+ },
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Monitoring"
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.SignalRService/SignalR"
+ },
+ "then": {
+ "effect": "[[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "setByPolicy",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "String"
+ },
+ "logAnalytics": {
+ "type": "String"
+ },
+ "location": {
+ "type": "String"
+ },
+ "profileName": {
+ "type": "String"
+ },
+ "metricsEnabled": {
+ "type": "String"
+ },
+ "logsEnabled": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SignalRService/SignalR/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+ "location": "[[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "workspaceId": "[[parameters('logAnalytics')]",
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": "[[parameters('metricsEnabled')]",
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ },
+ "timeGrain": null
+ }
+ ],
+ "logs": [
+ {
+ "category": "AllLogs",
+ "enabled": "[[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "location": {
+ "value": "[[field('location')]"
+ },
+ "resourceName": {
+ "value": "[[field('name')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ },
+ "metricsEnabled": {
+ "value": "[[parameters('metricsEnabled')]"
+ },
+ "logsEnabled": {
+ "value": "[[parameters('logsEnabled')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "name": "Deploy-Diagnostics-SignalR"
+ },
+ {
+ "properties": {
+ "description": "Deploy auditing settings to SQL Database when it not exist in the deployment",
+ "displayName": "Deploy SQL database auditing settings",
+ "mode": "Indexed",
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "metadata": {
+ "version": "1.0.0",
+ "category": "SQL"
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.Sql/servers/databases"
+ },
+ "then": {
+ "effect": "[[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Sql/servers/databases/auditingSettings",
+ "name": "default",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Sql/servers/databases/auditingSettings/state",
+ "equals": "enabled"
+ },
+ {
+ "field": "Microsoft.Sql/servers/databases/auditingSettings/isAzureMonitorTargetEnabled",
+ "equals": "true"
+ }
+ ]
+ },
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "String"
+ },
+ "sqlServerName": {
+ "type": "String"
+ },
+ "sqlServerDataBaseName": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "name": "[[concat( parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/default')]",
+ "type": "Microsoft.Sql/servers/databases/auditingSettings",
+ "apiVersion": "2017-03-01-preview",
+ "properties": {
+ "state": "enabled",
+ "auditActionsAndGroups": [
+ "BATCH_COMPLETED_GROUP",
+ "DATABASE_OBJECT_CHANGE_GROUP",
+ "SCHEMA_OBJECT_CHANGE_GROUP",
+ "BACKUP_RESTORE_GROUP",
+ "APPLICATION_ROLE_CHANGE_PASSWORD_GROUP",
+ "DATABASE_PRINCIPAL_CHANGE_GROUP",
+ "DATABASE_PRINCIPAL_IMPERSONATION_GROUP",
+ "DATABASE_ROLE_MEMBER_CHANGE_GROUP",
+ "USER_CHANGE_PASSWORD_GROUP",
+ "DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP",
+ "DATABASE_OBJECT_PERMISSION_CHANGE_GROUP",
+ "DATABASE_PERMISSION_CHANGE_GROUP",
+ "SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP",
+ "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP",
+ "FAILED_DATABASE_AUTHENTICATION_GROUP"
+ ],
+ "isAzureMonitorTargetEnabled": true
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "location": {
+ "value": "[[field('location')]"
+ },
+ "sqlServerName": {
+ "value": "[[first(split(field('fullname'),'/'))]"
+ },
+ "sqlServerDataBaseName": {
+ "value": "[[field('name')]"
+ }
+ }
+ }
+ },
+ "roleDefinitionIds": [
+ "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3"
+ ]
+ }
+ }
+ }
+ },
+ "name": "Deploy-Sql-AuditingSettings"
+ },
+ {
+ "properties": {
+ "description": "Deploy the Transparent Data Encryption when it is not enabled in the deployment",
+ "displayName": "Deploy SQL Database Transparent Data Encryption ",
+ "mode": "Indexed",
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "metadata": {
+ "version": "1.0.0",
+ "category": "SQL"
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.Sql/servers/databases"
+ },
+ "then": {
+ "effect": "[[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Sql/servers/databases/transparentDataEncryption",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Sql/transparentDataEncryption.status",
+ "equals": "Enabled"
+ }
+ ]
+ },
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "String"
+ },
+ "sqlServerName": {
+ "type": "String"
+ },
+ "sqlServerDataBaseName": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "name": "[[concat( parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/current')]",
+ "type": "Microsoft.Sql/servers/databases/transparentDataEncryption",
+ "apiVersion": "2014-04-01",
+ "properties": {
+ "status": "Enabled"
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "location": {
+ "value": "[[field('location')]"
+ },
+ "sqlServerName": {
+ "value": "[[first(split(field('fullname'),'/'))]"
+ },
+ "sqlServerDataBaseName": {
+ "value": "[[field('name')]"
+ }
+ }
+ }
+ },
+ "roleDefinitionIds": [
+ "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3"
+ ]
+ }
+ }
+ }
+ },
+ "name": "Deploy-Sql-Tde"
+ },
+ {
+ "properties": {
+ "description": "Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration",
+ "displayName": "Deploy SQL Database security Alert Policies configuration with email admin accounts",
+ "mode": "Indexed",
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "metadata": {
+ "version": "1.0.0",
+ "category": "SQL"
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.Sql/servers/databases"
+ },
+ "then": {
+ "effect": "[[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Sql/servers/databases/securityAlertPolicies",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Sql/servers/databases/securityAlertPolicies/state",
+ "equals": "Enabled"
+ }
+ ]
+ },
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "String"
+ },
+ "sqlServerName": {
+ "type": "String"
+ },
+ "sqlServerDataBaseName": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "name": "[[concat(parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/default')]",
+ "type": "Microsoft.Sql/servers/databases/securityAlertPolicies",
+ "apiVersion": "2018-06-01-preview",
+ "properties": {
+ "state": "Enabled",
+ "disabledAlerts": [
+ ""
+ ],
+ "emailAddresses": [
+ "admin@contoso.com"
+ ],
+ "emailAccountAdmins": true,
+ "storageEndpoint": null,
+ "storageAccountAccessKey": "",
+ "retentionDays": 0
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "location": {
+ "value": "[[field('location')]"
+ },
+ "sqlServerName": {
+ "value": "[[first(split(field('fullname'),'/'))]"
+ },
+ "sqlServerDataBaseName": {
+ "value": "[[field('name')]"
+ }
+ }
+ }
+ },
+ "roleDefinitionIds": [
+ "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3"
+ ]
+ }
+ }
+ }
+ },
+ "name": "Deploy-Sql-SecurityAlertPolicies"
+ },
+ {
+ "properties": {
+ "description": "Deploy SQL Database vulnerability Assessments when it not exist in the deployment. To the specific storage account in the parameters",
+ "displayName": "Deploy SQL Database vulnerability Assessments",
+ "mode": "Indexed",
+ "parameters": {
+ "vulnerabilityAssessmentsEmail": {
+ "type": "String",
+ "metadata": {
+ "description": "The email address to send alerts",
+ "displayName": "The email address to send alerts"
+ }
+ },
+ "vulnerabilityAssessmentsStorageID": {
+ "type": "String",
+ "metadata": {
+ "description": "The storage account ID to store assessments",
+ "displayName": "The storage account ID to store assessments"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "metadata": {
+ "version": "1.0.0",
+ "category": "SQL"
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.Sql/servers/databases"
+ },
+ "then": {
+ "effect": "[[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.emails",
+ "equals": "[[parameters('vulnerabilityAssessmentsEmail')]"
+ },
+ {
+ "field": "Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.isEnabled",
+ "equals": true
+ }
+ ]
+ },
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "String"
+ },
+ "sqlServerName": {
+ "type": "String"
+ },
+ "sqlServerDataBaseName": {
+ "type": "String"
+ },
+ "vulnerabilityAssessmentsEmail": {
+ "type": "String"
+ },
+ "vulnerabilityAssessmentsStorageID": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "name": "[[concat(parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/default')]",
+ "type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments",
+ "apiVersion": "2017-03-01-preview",
+ "properties": {
+ "storageContainerPath": "[[concat('https://', last( split(parameters('vulnerabilityAssessmentsStorageID') , '/') ) , '.blob.core.windows.net/vulneraabilitylogs')]",
+ "storageAccountAccessKey": "[[listkeys(parameters('vulnerabilityAssessmentsStorageID'), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value]",
+ "recurringScans": {
+ "isEnabled": true,
+ "emailSubscriptionAdmins": false,
+ "emails": [
+ "[[parameters('vulnerabilityAssessmentsEmail')]"
+ ]
+ }
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "location": {
+ "value": "[[field('location')]"
+ },
+ "sqlServerName": {
+ "value": "[[first(split(field('fullname'),'/'))]"
+ },
+ "sqlServerDataBaseName": {
+ "value": "[[field('name')]"
+ },
+ "vulnerabilityAssessmentsEmail": {
+ "value": "[[parameters('vulnerabilityAssessmentsEmail')]"
+ },
+ "vulnerabilityAssessmentsStorageID": {
+ "value": "[[parameters('vulnerabilityAssessmentsStorageID')]"
+ }
+ }
+ }
+ },
+ "roleDefinitionIds": [
+ "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3",
+ "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa"
+ ]
+ }
+ }
+ }
+ },
+ "name": "Deploy-Sql-vulnerabilityAssessments"
+ },
+ {
+ "properties": {
+ "description": "Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled",
+ "displayName": "Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace",
+ "mode": "Indexed",
+ "parameters": {
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Log Analytics workspace",
+ "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
+ "strongType": "omsWorkspace"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "profileName": {
+ "type": "String",
+ "defaultValue": "setbypolicy",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ }
+ },
+ "metricsEnabled": {
+ "type": "String",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable metrics",
+ "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ }
+ }
+ },
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Monitoring"
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.Sql/servers/elasticPools"
+ },
+ "then": {
+ "effect": "[[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "setByPolicy",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "String"
+ },
+ "logAnalytics": {
+ "type": "String"
+ },
+ "location": {
+ "type": "String"
+ },
+ "profileName": {
+ "type": "String"
+ },
+ "metricsEnabled": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Sql/servers/elasticPools/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+ "location": "[[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "workspaceId": "[[parameters('logAnalytics')]",
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": "[[parameters('metricsEnabled')]",
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ },
+ "timeGrain": null
+ }
+ ],
+ "logs": []
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "location": {
+ "value": "[[field('location')]"
+ },
+ "resourceName": {
+ "value": "[[field('fullName')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ },
+ "metricsEnabled": {
+ "value": "[[parameters('metricsEnabled')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "name": "Deploy-Diagnostics-SQLElasticPools"
+ },
+ {
+ "properties": {
+ "description": "Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled",
+ "displayName": "Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace",
+ "mode": "Indexed",
+ "parameters": {
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Log Analytics workspace",
+ "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
+ "strongType": "omsWorkspace"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "profileName": {
+ "type": "String",
+ "defaultValue": "setbypolicy",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ }
+ },
+ "logsEnabled": {
+ "type": "String",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable logs",
+ "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ }
+ }
+ },
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Monitoring"
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.Sql/managedInstances"
+ },
+ "then": {
+ "effect": "[[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "setByPolicy",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "String"
+ },
+ "logAnalytics": {
+ "type": "String"
+ },
+ "location": {
+ "type": "String"
+ },
+ "profileName": {
+ "type": "String"
+ },
+ "logsEnabled": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Sql/managedInstances/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+ "location": "[[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "workspaceId": "[[parameters('logAnalytics')]",
+ "logs": [
+ {
+ "category": "ResourceUsageStats",
+ "enabled": "[[parameters('logsEnabled')]"
+ },
+ {
+ "category": "SQLSecurityAuditEvents",
+ "enabled": "[[parameters('logsEnabled')]"
+ },
+ {
+ "category": "DevOpsOperationsAudit",
+ "enabled": "[[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "location": {
+ "value": "[[field('location')]"
+ },
+ "resourceName": {
+ "value": "[[field('name')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ },
+ "logsEnabled": {
+ "value": "[[parameters('logsEnabled')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "name": "Deploy-Diagnostics-SQLMI"
+ },
+ {
+ "properties": {
+ "description": "Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled",
+ "displayName": "Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace",
+ "mode": "Indexed",
+ "parameters": {
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Log Analytics workspace",
+ "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
+ "strongType": "omsWorkspace"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "profileName": {
+ "type": "String",
+ "defaultValue": "setbypolicy",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ }
+ },
+ "metricsEnabled": {
+ "type": "String",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable metrics",
+ "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ }
+ },
+ "logsEnabled": {
+ "type": "String",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable logs",
+ "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ }
+ }
+ },
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Monitoring"
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.TimeSeriesInsights/environments"
+ },
+ "then": {
+ "effect": "[[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "setByPolicy",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "String"
+ },
+ "logAnalytics": {
+ "type": "String"
+ },
+ "location": {
+ "type": "String"
+ },
+ "profileName": {
+ "type": "String"
+ },
+ "metricsEnabled": {
+ "type": "String"
+ },
+ "logsEnabled": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.TimeSeriesInsights/environments/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+ "location": "[[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "workspaceId": "[[parameters('logAnalytics')]",
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": "[[parameters('metricsEnabled')]",
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ },
+ "timeGrain": null
+ }
+ ],
+ "logs": [
+ {
+ "category": "Ingress",
+ "enabled": "[[parameters('logsEnabled')]"
+ },
+ {
+ "category": "Management",
+ "enabled": "[[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "location": {
+ "value": "[[field('location')]"
+ },
+ "resourceName": {
+ "value": "[[field('name')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ },
+ "metricsEnabled": {
+ "value": "[[parameters('metricsEnabled')]"
+ },
+ "logsEnabled": {
+ "value": "[[parameters('logsEnabled')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "name": "Deploy-Diagnostics-TimeSeriesInsights"
+ },
+ {
+ "properties": {
+ "description": "Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled",
+ "displayName": "Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace",
+ "mode": "Indexed",
+ "parameters": {
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Log Analytics workspace",
+ "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
+ "strongType": "omsWorkspace"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "profileName": {
+ "type": "String",
+ "defaultValue": "setbypolicy",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ }
+ },
+ "metricsEnabled": {
+ "type": "String",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable metrics",
+ "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ }
+ },
+ "logsEnabled": {
+ "type": "String",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable logs",
+ "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ }
+ }
+ },
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Monitoring"
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.Network/trafficManagerProfiles"
+ },
+ "then": {
+ "effect": "[[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "setByPolicy",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "String"
+ },
+ "logAnalytics": {
+ "type": "String"
+ },
+ "location": {
+ "type": "String"
+ },
+ "profileName": {
+ "type": "String"
+ },
+ "metricsEnabled": {
+ "type": "String"
+ },
+ "logsEnabled": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Network/trafficManagerProfiles/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+ "location": "[[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "workspaceId": "[[parameters('logAnalytics')]",
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": "[[parameters('metricsEnabled')]",
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ },
+ "timeGrain": null
+ }
+ ],
+ "logs": [
+ {
+ "category": "ProbeHealthStatusEvents",
+ "enabled": "[[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "location": {
+ "value": "[[field('location')]"
+ },
+ "resourceName": {
+ "value": "[[field('name')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ },
+ "metricsEnabled": {
+ "value": "[[parameters('metricsEnabled')]"
+ },
+ "logsEnabled": {
+ "value": "[[parameters('logsEnabled')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "name": "Deploy-Diagnostics-TrafficManager"
+ },
+ {
+ "properties": {
+ "description": "Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled",
+ "displayName": "Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace",
+ "mode": "Indexed",
+ "parameters": {
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Log Analytics workspace",
+ "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
+ "strongType": "omsWorkspace"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "profileName": {
+ "type": "String",
+ "defaultValue": "setbypolicy",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ }
+ },
+ "metricsEnabled": {
+ "type": "String",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable metrics",
+ "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ }
+ }
+ },
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Monitoring"
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.Compute/virtualMachines"
+ },
+ "then": {
+ "effect": "[[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "setByPolicy",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "String"
+ },
+ 
"logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Compute/virtualMachines/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[[parameters('metricsEnabled')]", + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ], + "logs": [] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[[parameters('metricsEnabled')]" + } + } + } + } + } + } + } + }, + "name": "Deploy-Diagnostics-VM" + }, + { + "properties": { + "description": "Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled", + "displayName": "Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace", + "mode": "Indexed", + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "metadata": { + "version": "1.0.0", + "category": "Monitoring" + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "setByPolicy", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/virtualNetworks/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[[parameters('metricsEnabled')]", + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ], + "logs": [ + { + "category": "VMProtectionAlerts", + "enabled": "[[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[[parameters('logsEnabled')]" + } + } + } + } + } + } + } + }, + "name": "Deploy-Diagnostics-VirtualNetwork" + }, + { + "properties": { + "description": "Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. 
The policy wil set the diagnostic with all metrics and category enabled", + "displayName": "Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace", + "mode": "Indexed", + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + } + }, + "metadata": { + "version": "1.0.0", + "category": "Monitoring" + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Compute/virtualMachineScaleSets" + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "setByPolicy", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + 
"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Compute/virtualMachineScaleSets/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[[parameters('metricsEnabled')]", + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ], + "logs": [] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[[parameters('metricsEnabled')]" + } + } + } + } + } + } + } + }, + "name": "Deploy-Diagnostics-VMSS" + }, + { + "properties": { + "description": "Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. 
The policy wil set the diagnostic with all metrics and category enabled.", + "displayName": "Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace", + "mode": "Indexed", + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "metadata": { + "version": "1.0.0", + "category": "Monitoring" + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/virtualNetworkGateways" + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "setByPolicy", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", 
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "String"
+ },
+ "logAnalytics": {
+ "type": "String"
+ },
+ "location": {
+ "type": "String"
+ },
+ "profileName": {
+ "type": "String"
+ },
+ "metricsEnabled": {
+ "type": "String"
+ },
+ "logsEnabled": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Network/virtualNetworkGateways/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+ "location": "[[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "workspaceId": "[[parameters('logAnalytics')]",
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": "[[parameters('metricsEnabled')]",
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ },
+ "timeGrain": null
+ }
+ ],
+ "logs": [
+ {
+ "category": "GatewayDiagnosticLog",
+ "enabled": "[[parameters('logsEnabled')]"
+ },
+ {
+ "category": "IKEDiagnosticLog",
+ "enabled": "[[parameters('logsEnabled')]"
+ },
+ {
+ "category": "P2SDiagnosticLog",
+ "enabled": "[[parameters('logsEnabled')]"
+ },
+ {
+ "category": "RouteDiagnosticLog",
+ "enabled": "[[parameters('logsEnabled')]"
+ },
+ {
+ "category": "RouteDiagnosticLog",
+ "enabled": "[[parameters('logsEnabled')]"
+ },
+ {
+ "category": "TunnelDiagnosticLog",
+ "enabled": "[[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "location": {
+ "value": "[[field('location')]"
+ },
+ "resourceName": {
+ "value": "[[field('name')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ },
+ "metricsEnabled": {
+ "value": "[[parameters('metricsEnabled')]"
+ },
+ "logsEnabled": {
+ "value": "[[parameters('logsEnabled')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "name": "Deploy-Diagnostics-VNetGW"
+ },
+ {
+ "properties": {
+ "description": "Deploys the diagnostic settings for WVD Host Pools to stream to a Log Analytics workspace when any Host Pools which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all and categorys enabled.",
+ "displayName": "Deploy Diagnostic Settings for WVD Host Pools to Log Analytics workspace",
+ "mode": "Indexed",
+ "parameters": {
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Log Analytics workspace",
+ "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
+ "strongType": "omsWorkspace"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "profileName": {
+ "type": "String",
+ "defaultValue": "setbypolicy",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ }
+ },
+ "logsEnabled": {
+ "type": "String",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable logs",
+ "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ }
+ }
+ },
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Monitoring"
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.DesktopVirtualization/hostpools"
+ },
+ "then": {
+ "effect": "[[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "setByPolicy",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "String"
+ },
+ "logAnalytics": {
+ "type": "String"
+ },
+ "location": {
+ "type": "String"
+ },
+ "profileName": {
+ "type": "String"
+ },
+ "logsEnabled": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.DesktopVirtualization/hostpools/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+ "location": "[[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "workspaceId": "[[parameters('logAnalytics')]",
+ "logs": [
+ {
+ "category": "Checkpoint",
+ "enabled": "[[parameters('logsEnabled')]"
+ },
+ {
+ "category": "Error",
+ "enabled": "[[parameters('logsEnabled')]"
+ },
+ {
+ "category": "Management",
+ "enabled": "[[parameters('logsEnabled')]"
+ },
+ {
+ "category": "Connection",
+ "enabled": "[[parameters('logsEnabled')]"
+ },
+ {
+ "category": "HostRegistration",
+ "enabled": "[[parameters('logsEnabled')]"
+ },
+ {
+ "category": "AgentHealthStatus",
+ "enabled": "[[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "location": {
+ "value": "[[field('location')]"
+ },
+ "resourceName": {
+ "value": "[[field('name')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ },
+ "logsEnabled": {
+ "value": "[[parameters('logsEnabled')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "name": "Deploy-Diagnostics-WVDHostPools"
+ },
+ {
+ "properties": {
+ "description": "Deploys the diagnostic settings for WVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all and categorys enabled.",
+ "displayName": "Deploy Diagnostic Settings for WVD Workspace to Log Analytics workspace",
+ "mode": "Indexed",
+ "parameters": {
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Log Analytics workspace",
+ "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
+ "strongType": "omsWorkspace"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "profileName": {
+ "type": "String",
+ "defaultValue": "setbypolicy",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ }
+ },
+ "logsEnabled": {
+ "type": "String",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable logs",
+ "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ }
+ }
+ },
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Monitoring"
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.DesktopVirtualization/workspaces"
+ },
+ "then": {
+ "effect": "[[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "setByPolicy",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "String"
+ },
+ "logAnalytics": {
+ "type": "String"
+ },
+ "location": {
+ "type": "String"
+ },
+ "profileName": {
+ "type": "String"
+ },
+ "logsEnabled": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.DesktopVirtualization/workspaces/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+ "location": "[[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "workspaceId": "[[parameters('logAnalytics')]",
+ "logs": [
+ {
+ "category": "Checkpoint",
+ "enabled": "[[parameters('logsEnabled')]"
+ },
+ {
+ "category": "Error",
+ "enabled": "[[parameters('logsEnabled')]"
+ },
+ {
+ "category": "Management",
+ "enabled": "[[parameters('logsEnabled')]"
+ },
+ {
+ "category": "Feed",
+ "enabled": "[[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "location": {
+ "value": "[[field('location')]"
+ },
+ "resourceName": {
+ "value": "[[field('name')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ },
+ "logsEnabled": {
+ "value": "[[parameters('logsEnabled')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "name": "Deploy-Diagnostics-WVDWorkspace"
+ },
+ {
+ "properties": {
+ "description": "Deploys the diagnostic settings for WVD Application group to stream to a Log Analytics workspace when any application group which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all and categorys enabled.",
+ "displayName": "Deploy Diagnostic Settings for WVD Application group to Log Analytics workspace",
+ "mode": "Indexed",
+ "parameters": {
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Log Analytics workspace",
+ "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
+ "strongType": "omsWorkspace"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "profileName": {
+ "type": "String",
+ "defaultValue": "setbypolicy",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ }
+ },
+ "logsEnabled": {
+ "type": "String",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable logs",
+ "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ }
+ }
+ },
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Monitoring"
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.DesktopVirtualization/applicationGroups"
+ },
+ "then": {
+ "effect": "[[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "setByPolicy",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "String"
+ },
+ "logAnalytics": {
+ "type": "String"
+ },
+ "location": {
+ "type": "String"
+ },
+ "profileName": {
+ "type": "String"
+ },
+ "logsEnabled": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.DesktopVirtualization/applicationGroups/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+ "location": "[[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "workspaceId": "[[parameters('logAnalytics')]",
+ "logs": [
+ {
+ "category": "Checkpoint",
+ "enabled": "[[parameters('logsEnabled')]"
+ },
+ {
+ "category": "Error",
+ "enabled": "[[parameters('logsEnabled')]"
+ },
+ {
+ "category": "Management",
+ "enabled": "[[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "location": {
+ "value": "[[field('location')]"
+ },
+ "resourceName": {
+ "value": "[[field('name')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ },
+ "logsEnabled": {
+ "value": "[[parameters('logsEnabled')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "name": "Deploy-Diagnostics-WVDAppGroup"
+ },
+ {
+ "properties": {
+ "description": "Deploy Windows Domain Join Extension with keyvault configuration when the extension does not exist on a given windows Virtual Machine",
+ "displayName": "Deploy Windows Domain Join Extension with keyvault configuration",
+ "mode": "Indexed",
+ "parameters": {
+ "domainUsername": {
+ "type": "String",
+ "metadata": {
+ "displayName": "domainUsername"
+ }
+ },
+ "domainPassword": {
+ "type": "String",
+ "metadata": {
+ "displayName": "domainPassword"
+ }
+ },
+ "domainFQDN": {
+ "type": "String",
+ "metadata": {
+ "displayName": "domainFQDN"
+ }
+ },
+ "domainOUPath": {
+ "type": "String",
+ "metadata": {
+ "displayName": "domainOUPath"
+ }
+ },
+ "keyVaultResourceId": {
+ "type": "String",
+ "metadata": {
+ "displayName": "keyVaultResourceId"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Guest Configuration"
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Compute/virtualMachines"
+ },
+ {
+ "field": "Microsoft.Compute/imagePublisher",
+ "equals": "MicrosoftWindowsServer"
+ },
+ {
+ "field": "Microsoft.Compute/imageOffer",
+ "equals": "WindowsServer"
+ },
+ {
+ "field": "Microsoft.Compute/imageSKU",
+ "in": [
+ "2008-R2-SP1",
+ "2008-R2-SP1-smalldisk",
+ "2008-R2-SP1-zhcn",
+ "2012-Datacenter",
+ "2012-datacenter-gensecond",
+ "2012-Datacenter-smalldisk",
+ "2012-datacenter-smalldisk-g2",
+ "2012-Datacenter-zhcn",
+ "2012-datacenter-zhcn-g2",
+ "2012-R2-Datacenter",
+ "2012-r2-datacenter-gensecond",
+ "2012-R2-Datacenter-smalldisk",
+ "2012-r2-datacenter-smalldisk-g2",
+ "2012-R2-Datacenter-zhcn",
+ "2012-r2-datacenter-zhcn-g2",
+ "2016-Datacenter",
+ "2016-datacenter-gensecond",
+ "2016-datacenter-gs",
+ "2016-Datacenter-Server-Core",
+ "2016-datacenter-server-core-g2",
+ "2016-Datacenter-Server-Core-smalldisk",
+ "2016-datacenter-server-core-smalldisk-g2",
+ "2016-Datacenter-smalldisk",
+ "2016-datacenter-smalldisk-g2",
+ "2016-Datacenter-with-Containers",
+ "2016-datacenter-with-containers-g2",
+ "2016-Datacenter-with-RDSH",
+ "2016-Datacenter-zhcn",
+ "2016-datacenter-zhcn-g2",
+ "2019-Datacenter",
+ "2019-Datacenter-Core",
+ "2019-datacenter-core-g2",
+ "2019-Datacenter-Core-smalldisk",
+ "2019-datacenter-core-smalldisk-g2",
+ "2019-Datacenter-Core-with-Containers",
+ "2019-datacenter-core-with-containers-g2",
+ "2019-Datacenter-Core-with-Containers-smalldisk",
+ "2019-datacenter-core-with-containers-smalldisk-g2",
+ "2019-datacenter-gensecond",
+ "2019-datacenter-gs",
+ "2019-Datacenter-smalldisk",
+ "2019-datacenter-smalldisk-g2",
+ "2019-Datacenter-with-Containers",
+ "2019-datacenter-with-containers-g2",
+ "2019-Datacenter-with-Containers-smalldisk",
+ "2019-datacenter-with-containers-smalldisk-g2",
+ "2019-Datacenter-zhcn",
+ "2019-datacenter-zhcn-g2",
+ "Datacenter-Core-1803-with-Containers-smalldisk",
+ "datacenter-core-1803-with-containers-smalldisk-g2",
+ "Datacenter-Core-1809-with-Containers-smalldisk",
+ "datacenter-core-1809-with-containers-smalldisk-g2",
+ "Datacenter-Core-1903-with-Containers-smalldisk",
+ "datacenter-core-1903-with-containers-smalldisk-g2",
+ "datacenter-core-1909-with-containers-smalldisk",
+ "datacenter-core-1909-with-containers-smalldisk-g1",
+ "datacenter-core-1909-with-containers-smalldisk-g2"
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Compute/virtualMachines/extensions",
+ "roleDefinitionIds": [
+ "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"
+ ],
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Compute/virtualMachines/extensions/type",
+ "equals": "JsonADDomainExtension"
+ },
+ {
+ "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
+ "equals": "Microsoft.Compute"
+ }
+ ]
+ },
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "parameters": {
+ "vmName": {
+ "value": "[[field('name')]"
+ },
+ "location": {
+ "value": "[[field('location')]"
+ },
+ "domainUsername": {
+ "reference": {
+ "keyVault": {
+ "id": "[[parameters('keyVaultResourceId')]"
+ },
+ "secretName": "[[parameters('domainUsername')]"
+ }
+ },
+ "domainPassword": {
+ "reference": {
+ "keyVault": {
+ "id": "[[parameters('keyVaultResourceId')]"
+ },
+ "secretName": "[[parameters('domainPassword')]"
+ }
+ },
+ "domainOUPath": {
+ "value": "[[parameters('domainOUPath')]"
+ },
+ "domainFQDN": {
+ "value": "[[parameters('domainFQDN')]"
+ },
+ "keyVaultResourceId": {
+ "value": "[[parameters('keyVaultResourceId')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "vmName": {
+ "type": "String"
+ },
+ "location": {
+ "type": "String"
+ },
+ "domainUsername": {
+ "type": "String"
+ },
+ "domainPassword": {
+ "type": "securestring"
+ },
+ "domainFQDN": {
+ "type": "String"
+ },
+ "domainOUPath": {
+ "type": "String"
+ },
+ "keyVaultResourceId": {
+ "type": "String"
+ }
+ },
+ "variables": {
+ "domainJoinOptions": 3,
+ "vmName": "[[parameters('vmName')]"
+ },
+ "resources": [
+ {
+ "apiVersion": "2015-06-15",
+ "type": "Microsoft.Compute/virtualMachines/extensions",
+ "name": "[[concat(variables('vmName'),'/joindomain')]",
+ "location": "[[resourceGroup().location]",
+ "properties": {
+ "publisher": "Microsoft.Compute",
+ "type": "JsonADDomainExtension",
+ "typeHandlerVersion": "1.3",
+ "autoUpgradeMinorVersion": true,
+ "settings": {
+ "Name": "[[parameters('domainFQDN')]",
+ "User": "[[parameters('domainUserName')]",
+ "Restart": "true",
+ "Options": "[[variables('domainJoinOptions')]",
+ "OUPath": "[[parameters('domainOUPath')]"
+ },
+ "protectedSettings": {
+ "Password": "[[parameters('domainPassword')]"
+ }
+ }
+ }
+ ],
+ "outputs": {}
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "name": "Deploy-Windows-DomainJoin"
+ },
+ {
+ "properties": {
+ "description": "Deploys the diagnostic settings for Azure API for FHIR 
to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled", + "displayName": "Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace", + "mode": "Indexed", + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "metadata": { + "version": "1.0.0", + "category": "Monitoring" + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.HealthcareApis/services" + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + 
"name": "setByPolicy", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.HealthcareApis/services/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "AuditLogs", + "enabled": "[[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + }, + "profileName": { + 
"value": "[[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[[parameters('logsEnabled')]" + } + } + } + } + } + } + } + }, + "name": "Deploy-Diagnostics-ApiForFHIR" + }, + { + "properties": { + "displayName": "AppService append enable https only setting to enforce https setting.", + "mode": "All", + "description": "Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.", + "metadata": { + "version": "1.0.0", + "category": "App Service" + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "Append", + "allowedValues": [ + "Append", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Web/sites" + }, + { + "field": "Microsoft.Web/sites/httpsOnly", + "notequals": true + } + ] + }, + "then": { + "effect": "[[parameters('effect')]", + "details": [ + { + "field": "Microsoft.Web/sites/httpsOnly", + "value": true + } + ] + } + } + }, + "name": "Append-AppService-httpsonly" + }, + { + "properties": { + "displayName": "AppService append sites with minimum TLS version to enforce.", + "mode": "All", + "description": "Append the AppService sites object to ensure that min Tls version is set to required minimum TLS version. 
Please note Append does not enforce compliance use then deny.", + "metadata": { + "version": "1.0.0", + "category": "App Service" + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "Append", + "allowedValues": [ + "Append", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "minTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.0", + "1.1" + ], + "metadata": { + "displayName": "Select version minimum TLS Web App config", + "description": "Select version minimum TLS version for a Web App config to enforce" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Web/sites/config" + }, + { + "field": "Microsoft.Web/sites/config/minTlsVersion", + "notEquals": "[[parameters('minTlsVersion')]" + } + ] + }, + "then": { + "effect": "[[parameters('effect')]", + "details": [ + { + "field": "Microsoft.Web/sites/config/minTlsVersion", + "value": "[[parameters('minTlsVersion')]" + } + ] + } + } + }, + "name": "Append-AppService-latestTLS" + }, + { + "properties": { + "displayName": "API App should only be accessible over HTTPS", + "mode": "Indexed", + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", + "metadata": { + "version": "1.0.0", + "category": "App Service" + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Web/sites" + }, + { + "field": "kind", + "like": "*api" + }, + { + "field": "Microsoft.Web/sites/httpsOnly", + "equals": "false" + } + ] + }, + "then": { + "effect": 
"[[parameters('effect')]" + } + } + }, + "name": "Deny-AppServiceApiApp-http" + }, + { + "properties": { + "displayName": "Function App should only be accessible over HTTPS", + "mode": "Indexed", + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", + "metadata": { + "version": "1.0.0", + "category": "App Service" + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Web/sites" + }, + { + "field": "kind", + "like": "functionapp*" + }, + { + "field": "Microsoft.Web/sites/httpsOnly", + "equals": "false" + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-AppServiceFunctionApp-http" + }, + { + "properties": { + "displayName": "Web Application should only be accessible over HTTPS", + "mode": "Indexed", + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", + "metadata": { + "version": "1.0.0", + "category": "App Service" + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Web/sites" + }, + { + "field": "kind", + "like": "app*" + }, + { + "field": "Microsoft.Web/sites/httpsOnly", + "equals": "false" + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-AppServiceWebApp-http" + }, + { + "properties": { + "description": "Deploys the 
diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled", + "displayName": "Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace", + "mode": "Indexed", + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "metadata": { + "version": "1.0.0", + "category": "Monitoring" + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Kusto/Clusters" + }, + "then": { + "effect": "[[parameters('effect')]", + 
"details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "setByPolicy", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Kusto/Clusters/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "SucceededIngestion", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "FailedIngestion", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "IngestionBatching", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": 
"Command", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "Query", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "TableUsageStatistics", + "enabled": "[[parameters('logsEnabled')]" + }, + { + "category": "TableDetails", + "enabled": "[[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[[parameters('logsEnabled')]" + } + } + } + } + } + } + } + }, + "name": "Deploy-Diagnostics-DataExplorerCluster" + }, + { + "properties": { + "description": "Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled", + "displayName": "Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace", + "mode": "Indexed", + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + }, + "logsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + } + } + }, + "metadata": { + "version": "1.0.0", + "category": "Monitoring" + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Media/mediaServices" + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "setByPolicy", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Media/mediaServices/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "KeyDeliveryRequests", + "enabled": "[[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[[parameters('logsEnabled')]" + } + } + } + } + } + } + } + }, + "name": "Deploy-Diagnostics-MediaService" + }, + { + "properties": { + "displayName": "MySQL database servers enforce SSL connections.", + "mode": "Indexed", + "description": "Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications 
using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", + "metadata": { + "version": "1.0.0", + "category": "SQL" + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "minimalTlsVersion": { + "type": "String", + "defaultValue": "TLS1_2", + "allowedValues": [ + "TLS1_2", + "TLS1_0", + "TLS1_1", + "TLSEnforcementDisabled" + ], + "metadata": { + "displayName": "Select version minimum TLS for MySQL server", + "description": "Select version minimum TLS version Azure Database for MySQL server to enforce" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.DBforMySQL/servers" + }, + { + "anyOf": [ + { + "field": "Microsoft.DBforMySQL/servers/sslEnforcement", + "exists": "false" + }, + { + "field": "Microsoft.DBforMySQL/servers/sslEnforcement", + "notEquals": "Enabled" + }, + { + "field": "Microsoft.DBforMySQL/servers/minimalTlsVersion", + "notequals": "[[parameters('minimalTlsVersion')]" + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-MySql-http" + }, + { + "properties": { + "displayName": "Azure Database for MySQL server deploy a specific min TLS version and enforce SSL.", + "mode": "Indexed", + "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. 
Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", + "metadata": { + "version": "1.0.0", + "category": "SQL" + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect minimum TLS version Azure Database for MySQL server", + "description": "Enable or disable the execution of the policy minimum TLS version Azure Database for MySQL server" + } + }, + "minimalTlsVersion": { + "type": "String", + "defaultValue": "TLS1_2", + "allowedValues": [ + "TLS1_2", + "TLS1_0", + "TLS1_1", + "TLSEnforcementDisabled" + ], + "metadata": { + "displayName": "Select version minimum TLS for MySQL server", + "description": "Select version minimum TLS version Azure Database for MySQL server to enforce" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.DBforMySQL/servers" + }, + { + "anyOf": [ + { + "field": "Microsoft.DBforMySQL/servers/sslEnforcement", + "notEquals": "Enabled" + }, + { + "field": "Microsoft.DBforMySQL/servers/minimalTlsVersion", + "notequals": "[[parameters('minimalTlsVersion')]" + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.DBforMySQL/servers", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.DBforMySQL/servers/sslEnforcement", + "equals": "Enabled" + }, + { + "field": "Microsoft.DBforMySQL/servers/minimalTlsVersion", + "equals": "[[parameters('minimalTlsVersion')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635" + 
], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "minimalTlsVersion": { + "type": "String" + }, + "location": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DBforMySQL/servers", + "apiVersion": "2017-12-01", + "name": "[[concat(parameters('resourceName'))]", + "location": "[[parameters('location')]", + "properties": { + "sslEnforcement": "[[if(equals(parameters('minimalTlsVersion'), 'TLSEnforcementDisabled'),'Disabled', 'Enabled')]", + "minimalTlsVersion": "[[parameters('minimalTlsVersion')]" + } + } + ], + "outputs": {} + }, + "parameters": { + "resourceName": { + "value": "[[field('name')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('minimalTlsVersion')]" + }, + "location": { + "value": "[[field('location')]" + } + } + } + } + } + } + } + }, + "name": "Deploy-MySQL-sslEnforcement" + }, + { + "properties": { + "description": "Deploys NSG flow logs and traffic analytics to a storageaccountid with a specfied retention period.", + "displayName": "Deploys NSG flow logs and traffic analytics", + "mode": "Indexed", + "parameters": { + "retention": { + "type": "Integer", + "metadata": { + "displayName": "Retention" + }, + "defaultValue": 5 + }, + "storageAccountResourceId": { + "type": "String", + "metadata": { + "displayName": "Storage Account Resource Id", + "strongType": "Microsoft.Storage/storageAccounts" + } + }, + "trafficAnalyticsInterval": { + "type": "Integer", + "metadata": { + "displayName": "Traffic Analytics processing interval mins (10/60)" + }, + "defaultValue": 60 + }, + "flowAnalyticsEnabled": { + "type": "Boolean", + "metadata": { + "displayName": "Enable Traffic Analytics" + }, + "defaultValue": false + }, + "logAnalytics": { + "type": "String", + "metadata": { + "strongType": 
"omsWorkspace", + "displayName": "Resource ID of Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID." + }, + "defaultValue": "" + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + } + }, + "metadata": { + "version": "1.0.0", + "category": "Monitoring" + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/networkSecurityGroups" + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Network/networkWatchers/flowLogs", + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "resourceGroupName": "NetworkWatcherRG", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Network/networkWatchers/flowLogs/enabled", + "equals": "true" + }, + { + "field": "Microsoft.Network/networkWatchers/flowLogs/flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled", + "equals": "[[parameters('flowAnalyticsEnabled')]" + } + ] + }, + "deployment": { + "properties": { + "mode": "Incremental", + "parameters": { + "networkSecurityGroupName": { + "value": "[[field('name')]" + }, + "resourceGroupName": { + "value": "[[resourceGroup().name]" + }, + "location": { + "value": "[[field('location')]" + }, + "storageAccountResourceId": { + "value": "[[parameters('storageAccountResourceId')]" + }, + "retention": { + "value": "[[parameters('retention')]" + }, + "flowAnalyticsEnabled": { + "value": 
"[[parameters('flowAnalyticsEnabled')]" + }, + "trafficAnalyticsInterval": { + "value": "[[parameters('trafficAnalyticsInterval')]" + }, + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "networkSecurityGroupName": { + "type": "String" + }, + "resourceGroupName": { + "type": "String" + }, + "location": { + "type": "String" + }, + "storageAccountResourceId": { + "type": "String" + }, + "retention": { + "type": "int" + }, + "flowAnalyticsEnabled": { + "type": "bool" + }, + "trafficAnalyticsInterval": { + "type": "int" + }, + "logAnalytics": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/networkWatchers/flowLogs", + "apiVersion": "2020-05-01", + "name": "[[take(concat('NetworkWatcher_', toLower(parameters('location')), '/', parameters('networkSecurityGroupName'), '-', parameters('resourceGroupName'), '-flowlog' ), 80)]", + "location": "[[parameters('location')]", + "properties": { + "targetResourceId": "[[resourceId(parameters('resourceGroupName'), 'Microsoft.Network/networkSecurityGroups', parameters('networkSecurityGroupName'))]", + "storageId": "[[parameters('storageAccountResourceId')]", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[[parameters('retention')]" + }, + "format": { + "type": "JSON", + "version": 2 + }, + "flowAnalyticsConfiguration": { + "networkWatcherFlowAnalyticsConfiguration": { + "enabled": "[[bool(parameters('flowAnalyticsEnabled'))]", + "trafficAnalyticsInterval": "[[parameters('trafficAnalyticsInterval')]", + "workspaceId": "[[if(not(empty(parameters('logAnalytics'))), reference(parameters('logAnalytics'), '2020-03-01-preview', 'Full').properties.customerId, json('null')) ]", + "workspaceRegion": "[[if(not(empty(parameters('logAnalytics'))), reference(parameters('logAnalytics'), 
'2020-03-01-preview', 'Full').location, json('null')) ]", + "workspaceResourceId": "[[if(not(empty(parameters('logAnalytics'))), parameters('logAnalytics'), json('null'))]" + } + } + } + } + ], + "outputs": {} + } + } + } + } + } + } + }, + "name": "Deploy-Nsg-FlowLogs" + }, + { + "properties": { + "displayName": "PostgreSQL database servers enforce SSL connection.", + "mode": "Indexed", + "description": "Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", + "metadata": { + "version": "1.0.1", + "category": "SQL" + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "minimalTlsVersion": { + "type": "String", + "defaultValue": "TLS1_2", + "allowedValues": [ + "TLS1_2", + "TLS1_0", + "TLS1_1", + "TLSEnforcementDisabled" + ], + "metadata": { + "displayName": "Select version minimum TLS for MySQL server", + "description": "Select version minimum TLS version Azure Database for MySQL server to enforce" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.DBforPostgreSQL/servers" + }, + { + "anyOf": [ + { + "field": "Microsoft.DBforPostgreSQL/servers/sslEnforcement", + "exists": "false" + }, + { + "field": "Microsoft.DBforPostgreSQL/servers/sslEnforcement", + "notEquals": "Enabled" + }, + { + "field": "Microsoft.DBforPostgreSQL/servers/minimalTlsVersion", + "notequals": "[[parameters('minimalTlsVersion')]" + } + ] + } + ] + }, + 
"then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-PostgreSql-http" + }, + { + "properties": { + "displayName": "Azure Database for PostgreSQL server deploy a specific min TLS version requirement and enforce SSL ", + "mode": "Indexed", + "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", + "metadata": { + "version": "1.0.0", + "category": "SQL" + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect Azure Database for PostgreSQL server", + "description": "Enable or disable the execution of the policy minimum TLS version Azure Database for PostgreSQL server" + } + }, + "minimalTlsVersion": { + "type": "String", + "defaultValue": "TLS1_2", + "allowedValues": [ + "TLS1_2", + "TLS1_0", + "TLS1_1", + "TLSEnforcementDisabled" + ], + "metadata": { + "displayName": "Select version for PostgreSQL server", + "description": "Select version minimum TLS version Azure Database for PostgreSQL server to enforce" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.DBforPostgreSQL/servers" + }, + { + "anyOf": [ + { + "field": "Microsoft.DBforPostgreSQL/servers/sslEnforcement", + "notEquals": "Enabled" + }, + { + "field": "Microsoft.DBforPostgreSQL/servers/minimalTlsVersion", + "notEquals": "[[parameters('minimalTlsVersion')]" + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": 
"Microsoft.DBforPostgreSQL/servers", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.DBforPostgreSQL/servers/sslEnforcement", + "equals": "Enabled" + }, + { + "field": "Microsoft.DBforPostgreSQL/servers/minimalTlsVersion", + "equals": "[[parameters('minimalTlsVersion')]" + } + ] + }, + "name": "current", + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "minimalTlsVersion": { + "type": "String" + }, + "location": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DBforPostgreSQL/servers", + "apiVersion": "2017-12-01", + "name": "[[concat(parameters('resourceName'))]", + "location": "[[parameters('location')]", + "properties": { + "sslEnforcement": "[[if(equals(parameters('minimalTlsVersion'), 'TLSEnforcementDisabled'),'Disabled', 'Enabled')]", + "minimalTlsVersion": "[[parameters('minimalTlsVersion')]" + } + } + ], + "outputs": {} + }, + "parameters": { + "resourceName": { + "value": "[[field('name')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('minimalTlsVersion')]" + }, + "location": { + "value": "[[field('location')]" + } + } + } + } + } + } + } + }, + "name": "Deploy-PostgreSQL-sslEnforcement" + }, + { + "properties": { + "displayName": "Azure Cache for Redis only secure connections should be enabled", + "mode": "Indexed", + "description": "Audit enabling of only connections via SSL to Azure Cache for Redis. Validate both minimum TLS version and enableNonSslPort is disabled. 
Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking", + "metadata": { + "version": "1.0.0", + "category": "Cache" + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "The effect determines what happens when the policy rule is evaluated to match" + } + }, + "minimumTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.1", + "1.0" + ], + "metadata": { + "displayName": "Select minumum TLS version for Azure Cache for Redis.", + "description": "Select minimum TLS version for Azure Cache for Redis." + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Cache/redis" + }, + { + "anyOf": [ + { + "field": "Microsoft.Cache/Redis/enableNonSslPort", + "equals": "true" + }, + { + "field": "Microsoft.Cache/Redis/minimumTlsVersion", + "notequals": "[[parameters('minimumTlsVersion')]" + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-Redis-http" + }, + { + "properties": { + "displayName": "Azure Cache for Redis Append and the enforcement that enableNonSslPort is disabled.", + "mode": "Indexed", + "description": "Azure Cache for Redis Append and the enforcement that enableNonSslPort is disabled. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server.", + "metadata": { + "version": "1.0.0", + "category": "Cache" + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "Append", + "allowedValues": [ + "Append", + "Disabled", + "Modify" + ], + "metadata": { + "displayName": "Effect Azure Cache for Redis", + "description": "Enable or disable the execution of the policy minimum TLS version Azure Cache for Redis" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Cache/redis" + }, + { + "anyOf": [ + { + "field": "Microsoft.Cache/Redis/enableNonSslPort", + "equals": "true" + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]", + "details": [ + { + "field": "Microsoft.Cache/Redis/enableNonSslPort", + "value": false + } + ] + } + } + }, + "name": "Append-Redis-disableNonSslPort" + }, + { + "properties": { + "displayName": "Azure Cache for Redis Append a specific min TLS version requirement and enforce TLS.", + "mode": "Indexed", + "description": "Append a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server.", + "metadata": { + "version": "1.0.0", + "category": "Cache" + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "Append", + "allowedValues": [ + "Append", + "Disabled" + ], + "metadata": { + "displayName": "Effect Azure Cache for Redis", + "description": "Enable or disable the execution of the policy minimum TLS version Azure Cache for Redis" + } + }, + "minimumTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.1", + "1.0" + ], + "metadata": { + "displayName": "Select version for Redis server", + "description": "Select version minimum TLS version Azure Cache for Redis to enforce" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Cache/redis" + }, + { + "anyOf": [ + { + "field": "Microsoft.Cache/Redis/minimumTlsVersion", + "notequals": "[[parameters('minimumTlsVersion')]" + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]", + "details": [ + { + "field": "Microsoft.Cache/Redis/minimumTlsVersion", + "value": "[[parameters('minimumTlsVersion')]" + } + ] + } + } + }, + "name": "Append-Redis-sslEnforcement" + }, + { + "properties": { + "displayName": "SQL Managed Instance should have the minimal TLS version set to the highest version", + "description": "Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. 
Using versions of TLS less than 1.2 is not reccomended since they have well documented security vunerabilities.", + "mode": "Indexed", + "metadata": { + "version": "1.0.0", + "category": "SQL" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Audit" + }, + "minimalTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.1", + "1.0" + ], + "metadata": { + "displayName": "Select version for SQL server", + "description": "Select version minimum TLS version SQL servers to enforce" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Sql/managedInstances" + }, + { + "anyOf": [ + { + "field": "Microsoft.Sql/managedInstances/minimalTlsVersion", + "exists": "false" + }, + { + "field": "Microsoft.Sql/managedInstances/minimalTlsVersion", + "notequals": "[[parameters('minimalTlsVersion')]" + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-SqlMi-minTLS" + }, + { + "properties": { + "displayName": "SQL managed instances deploy a specific min TLS version requirement.", + "mode": "Indexed", + "description": "Deploy a specific min TLS version requirement and enforce SSL on SQL managed instances. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server.", + "metadata": { + "version": "1.0.0", + "category": "SQL" + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect SQL servers", + "description": "Enable or disable the execution of the policy minimum TLS version SQL servers" + } + }, + "minimalTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.1", + "1.0" + ], + "metadata": { + "displayName": "Select version for SQL server", + "description": "Select version minimum TLS version SQL servers to enforce" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Sql/managedInstances" + }, + { + "field": "Microsoft.Sql/managedInstances/minimalTlsVersion", + "notequals": "[[parameters('minimalTlsVersion')]" + } + ] + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Sql/managedInstances", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Sql/managedInstances/minimalTlsVersion", + "equals": "[[parameters('minimalTlsVersion')]" + } + ] + }, + "name": "current", + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "minimalTlsVersion": { + "type": "String" + }, + "location": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Sql/managedInstances", + "apiVersion": "2020-02-02-preview", + "name": "[[concat(parameters('resourceName'))]", + "location": "[[parameters('location')]", + 
"properties": { + "minimalTlsVersion": "[[parameters('minimalTlsVersion')]" + } + } + ], + "outputs": {} + }, + "parameters": { + "resourceName": { + "value": "[[field('name')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('minimalTlsVersion')]" + }, + "location": { + "value": "[[field('location')]" + } + } + } + } + } + } + } + }, + "name": "Deploy-SqlMi-minTLS" + }, + { + "properties": { + "displayName": "Azure SQL Database should have the minimal TLS version set to the highest version", + "description": "Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not reccomended since they have well documented security vunerabilities.", + "mode": "Indexed", + "metadata": { + "version": "1.0.0", + "category": "SQL" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Audit" + }, + "minimalTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.1", + "1.0" + ], + "metadata": { + "displayName": "Select version for SQL server", + "description": "Select version minimum TLS version SQL servers to enforce" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Sql/servers" + }, + { + "anyOf": [ + { + "field": "Microsoft.Sql/servers/minimalTlsVersion", + "exists": "false" + }, + { + "field": "Microsoft.Sql/servers/minimalTlsVersion", + "notequals": "[[parameters('minimalTlsVersion')]" + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-Sql-minTLS" + }, + { + "properties": { + "displayName": "SQL servers deploys a specific min TLS version requirement.", + "mode": "Indexed", + "description": "Deploys a specific min TLS 
version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", + "metadata": { + "version": "1.0.0", + "category": "SQL" + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect SQL servers", + "description": "Enable or disable the execution of the policy minimum TLS version SQL servers" + } + }, + "minimalTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.1", + "1.0" + ], + "metadata": { + "displayName": "Select version for SQL server", + "description": "Select version minimum TLS version SQL servers to enforce" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Sql/servers" + }, + { + "field": "Microsoft.Sql/servers/minimalTlsVersion", + "notequals": "[[parameters('minimalTlsVersion')]" + } + ] + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Sql/servers", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Sql/servers/minimalTlsVersion", + "equals": "[[parameters('minimalTlsVersion')]" + } + ] + }, + "name": "current", + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "minimalTlsVersion": { + "type": 
"String" + }, + "location": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Sql/servers", + "apiVersion": "2019-06-01-preview", + "name": "[[concat(parameters('resourceName'))]", + "location": "[[parameters('location')]", + "properties": { + "minimalTlsVersion": "[[parameters('minimalTlsVersion')]" + } + } + ], + "outputs": {} + }, + "parameters": { + "resourceName": { + "value": "[[field('name')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('minimalTlsVersion')]" + }, + "location": { + "value": "[[field('location')]" + } + } + } + } + } + } + } + }, + "name": "Deploy-SQL-minTLS" + }, + { + "properties": { + "displayName": "Storage Account set to minumum TLS and Secure transfer should be enabled", + "mode": "Indexed", + "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking", + "metadata": { + "version": "1.0.0", + "category": "Storage" + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "The effect determines what happens when the policy rule is evaluated to match" + } + }, + "minimumTlsVersion": { + "type": "String", + "defaultValue": "TLS1_2", + "allowedValues": [ + "TLS1_2", + "TLS1_1", + "TLS1_0" + ], + "metadata": { + "displayName": "Storage Account select minimum TLS version", + "description": "Select version minimum TLS version on Azure Storage Account to enforce" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts" + }, + { + "anyOf": [ + { + "allOf": [ + { 
+ "value": "[[requestContext().apiVersion]", + "less": "2019-04-01" + }, + { + "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", + "exists": "false" + } + ] + }, + { + "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", + "equals": "false" + }, + { + "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion", + "notequals": "[[parameters('minimumTlsVersion')]" + }, + { + "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion", + "exists": "false" + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-Storage-minTLS" + }, + { + "properties": { + "displayName": "Azure Storage deploy a specific min TLS version requirement and enforce SSL/HTTPS ", + "mode": "Indexed", + "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure STorage. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. 
This configuration enforces that SSL is always enabled for accessing your database server.", + "metadata": { + "version": "1.0.0", + "category": "Storage" + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect Azure STorage", + "description": "Enable or disable the execution of the policy minimum TLS version Azure STorage" + } + }, + "minimumTlsVersion": { + "type": "String", + "defaultValue": "TLS1_2", + "allowedValues": [ + "TLS1_2", + "TLS1_1", + "TLS1_0" + ], + "metadata": { + "displayName": "Select version for PostgreSQL server", + "description": "Select version minimum TLS version Azure STorage to enforce" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts" + }, + { + "anyOf": [ + { + "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", + "notEquals": "true" + }, + { + "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion", + "notEquals": "[[parameters('minimumTlsVersion')]" + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.DBforPostgreSQL/servers", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", + "equals": "true" + }, + { + "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion", + "equals": "[[parameters('minimumTlsVersion')]" + }, + { + "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", + "equals": "false" + } + ] + }, + "name": "current", + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + 
"parameters": { + "resourceName": { + "type": "String" + }, + "minimumTlsVersion": { + "type": "String" + }, + "location": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2019-06-01", + "name": "[[concat(parameters('resourceName'))]", + "location": "[[parameters('location')]", + "properties": { + "supportsHttpsTrafficOnly": true, + "minimumTlsVersion": "[[parameters('minimumTlsVersion')]" + } + } + ], + "outputs": {} + }, + "parameters": { + "resourceName": { + "value": "[[field('name')]" + }, + "minimumTlsVersion": { + "value": "[[parameters('minimumTlsVersion')]" + }, + "location": { + "value": "[[field('location')]" + } + } + } + } + } + } + } + }, + "name": "Deploy-Storage-sslEnforcement" + }, + { + "properties": { + "displayName": "Audit-MachineLearning-PrivateEndpointId", + "mode": "Indexed", + "description": "Audit public endpoints that are created in other subscriptions for machine learning.", + "metadata": { + "version": "1.0.0", + "category": "Machine Learning" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.MachineLearningServices/workspaces" + }, + { + "count": { + "field": "Microsoft.MachineLearningServices/workspaces/privateEndpointConnections[*]", + "where": { + "field": "Microsoft.MachineLearningServices/workspaces/privateEndpointConnections[*].privateEndpoint.id", + "notContains": "[[subscription().id]" + } + }, + "greaterOrEquals": 1 + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Audit-MachineLearning-PrivateEndpointId" + }, + { + "properties": { + "displayName": "Deny-MachineLearning-HbiWorkspace", + "mode": "Indexed", + 
"description": "Enforce high business impact machine learning workspaces across the environment.", + "metadata": { + "version": "1.0.0", + "category": "Machine Learning" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.MachineLearningServices/workspaces" + }, + { + "anyOf": [ + { + "field": "Microsoft.MachineLearningServices/workspaces/hbiWorkspace", + "exists": false + }, + { + "field": "Microsoft.MachineLearningServices/workspaces/hbiWorkspace", + "notEquals": true + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-MachineLearning-HbiWorkspace" + }, + { + "properties": { + "displayName": "Deny-MachineLearning-PublicAccessWhenBehindVnet", + "mode": "Indexed", + "description": "Deny public access behind vnet for machine learning workspaces.", + "metadata": { + "version": "1.0.0", + "category": "Machine Learning" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.MachineLearningServices/workspaces" + }, + { + "anyOf": [ + { + "field": "Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet", + "exists": false + }, + { + "field": "Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet", + "notEquals": false + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-MachineLearning-PublicAccessWhenBehindVnet" + }, + { + "properties": { + 
"displayName": "Deny-MachineLearning-Aks", + "mode": "Indexed", + "description": "Deny AKS cluster creation in machine learning and enforce connecting to existing clusters.", + "metadata": { + "version": "1.0.0", + "category": "Machine Learning" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.MachineLearningServices/workspaces/computes" + }, + { + "field": "Microsoft.MachineLearningServices/workspaces/computes/computeType", + "equals": "AKS" + }, + { + "anyOf": [ + { + "field": "Microsoft.MachineLearningServices/workspaces/computes/resourceId", + "exists": false + }, + { + "value": "[[empty(field('Microsoft.MachineLearningServices/workspaces/computes/resourceId'))]", + "equals": true + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-MachineLearning-Aks" + }, + { + "properties": { + "displayName": "Deny-MachineLearning-Compute-SubnetId", + "mode": "Indexed", + "description": "Enforce subnet connectivity for machine learning compute clusters and instances.", + "metadata": { + "version": "1.0.0", + "category": "Machine Learning" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.MachineLearningServices/workspaces/computes" + }, + { + "field": "Microsoft.MachineLearningServices/workspaces/computes/computeType", + "in": [ + "AmlCompute", + "ComputeInstance" + ] + }, + { + "anyOf": [ + { + "field": 
"Microsoft.MachineLearningServices/workspaces/computes/subnet.id", + "exists": false + }, + { + "value": "[[empty(field('Microsoft.MachineLearningServices/workspaces/computes/subnet.id'))]", + "equals": true + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-MachineLearning-Compute-SubnetId" + }, + { + "properties": { + "displayName": "Deny-MachineLearning-Compute-VmSize", + "mode": "Indexed", + "description": "Limit allowed vm sizes for machine learning compute clusters and instances.", + "metadata": { + "version": "1.0.0", + "category": "Budget" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Deny" + }, + "allowedVmSizes": { + "type": "Array", + "metadata": { + "displayName": "Allowed VM Sizes for Aml Compute Clusters and Instances", + "description": "Specifies the allowed VM Sizes for Aml Compute Clusters and Instances" + }, + "defaultValue": [ + "Standard_D1_v2", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_DS1_v2", + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_M8-2ms", + "Standard_M8-4ms", + "Standard_M8ms", + "Standard_M16-4ms", + "Standard_M16-8ms", + "Standard_M16ms", + "Standard_M32-8ms", + "Standard_M32-16ms", + "Standard_M32ls", + "Standard_M32ms", + "Standard_M32ts", + "Standard_M64-16ms", + "Standard_M64-32ms", + "Standard_M64ls", + "Standard_M64ms", + "Standard_M64s", + "Standard_M128-32ms", + "Standard_M128-64ms", + "Standard_M128ms", + "Standard_M128s", + "Standard_M64", + "Standard_M64m", + "Standard_M128", + "Standard_M128m", + "Standard_D1", + 
"Standard_D2", + "Standard_D3", + "Standard_D4", + "Standard_D11", + "Standard_D12", + "Standard_D13", + "Standard_D14", + "Standard_DS15_v2", + "Standard_NV6", + "Standard_NV12", + "Standard_NV24", + "Standard_F2s_v2", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_F72s_v2", + "Standard_NC6s_v3", + "Standard_NC12s_v3", + "Standard_NC24rs_v3", + "Standard_NC24s_v3", + "Standard_NC6", + "Standard_NC12", + "Standard_NC24", + "Standard_NC24r", + "Standard_ND6s", + "Standard_ND12s", + "Standard_ND24rs", + "Standard_ND24s", + "Standard_NC6s_v2", + "Standard_NC12s_v2", + "Standard_NC24rs_v2", + "Standard_NC24s_v2", + "Standard_ND40rs_v2", + "Standard_NV12s_v3", + "Standard_NV24s_v3", + "Standard_NV48s_v3" + ] + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.MachineLearningServices/workspaces/computes" + }, + { + "field": "Microsoft.MachineLearningServices/workspaces/computes/computeType", + "in": [ + "AmlCompute", + "ComputeInstance" + ] + }, + { + "field": "Microsoft.MachineLearningServices/workspaces/computes/vmSize", + "notIn": "[[parameters('allowedVmSizes')]" + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-MachineLearning-Compute-VmSize" + }, + { + "properties": { + "displayName": "Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess", + "mode": "Indexed", + "description": "Deny public access of clusters via SSH.", + "metadata": { + "version": "1.0.0", + "category": "Machine Learning" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.MachineLearningServices/workspaces/computes" + }, + { + "field": 
"Microsoft.MachineLearningServices/workspaces/computes/computeType", + "equals": "AmlCompute" + }, + { + "anyOf": [ + { + "field": "Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess", + "exists": false + }, + { + "field": "Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess", + "notEquals": "Disabled" + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess" + }, + { + "properties": { + "displayName": "Deny-MachineLearning-ComputeCluster-Scale", + "policyType": "Custom", + "mode": "Indexed", + "description": "Enforce scale settings for machine learning compute clusters.", + "metadata": { + "version": "1.0.0", + "category": "Budget" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Deny" + }, + "maxNodeCount": { + "type": "Integer", + "metadata": { + "displayName": "Maximum Node Count", + "description": "Specifies the maximum node count of AML Clusters" + }, + "defaultValue": 10 + }, + "minNodeCount": { + "type": "Integer", + "metadata": { + "displayName": "Minimum Node Count", + "description": "Specifies the minimum node count of AML Clusters" + }, + "defaultValue": 0 + }, + "maxNodeIdleTimeInSecondsBeforeScaleDown": { + "type": "Integer", + "metadata": { + "displayName": "Maximum Node Idle Time in Seconds Before Scaledown", + "description": "Specifies the maximum node idle time in seconds before scaledown" + }, + "defaultValue": 900 + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.MachineLearningServices/workspaces/computes" + }, + { + "field": "Microsoft.MachineLearningServices/workspaces/computes/computeType", + "equals": "AmlCompute" + }, + { + "anyOf": [ + { 
+ "field": "Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.maxNodeCount",
+ "greater": "[[parameters('maxNodeCount')]"
+ },
+ {
+ "field": "Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.minNodeCount",
+ "greater": "[[parameters('minNodeCount')]"
+ },
+ {
+ "value": "[[int(last(split(replace(replace(replace(replace(replace(replace(replace(field('Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.nodeIdleTimeBeforeScaleDown'), 'P', '/'), 'Y', '/'), 'M', '/'), 'D', '/'), 'T', '/'), 'H', '/'), 'S', ''), '/')))]",
+ "greater": "[[parameters('maxNodeIdleTimeInSecondsBeforeScaleDown')]"
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[[parameters('effect')]"
+ }
+ }
+ },
+ "name": "Deny-MachineLearning-ComputeCluster-Scale"
+ }
+ ]
+ },
+ "initiatives": {
+ "policySetDefinitions": [
+ {
+ "properties": {
+ "description": "This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included ",
+ "displayName": "Deploy Diagnostic Settings to Azure Services",
+ "parameters": {
+ "logAnalytics": {
+ "metadata": {
+ "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
+ "displayName": "Log Analytics workspace",
+ "strongType": "omsWorkspace"
+ },
+ "type": "String"
+ },
+ "profileName": {
+ "type": "String",
+ "defaultValue": "setbypolicy",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ }
+ },
+ "ACILogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Container Instances to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics enabled."
+ }
+ },
+ "ACRLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Container Registry to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics enabled."
+ }
+ },
+ "AKSLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. 
The policy wil set the diagnostic with all metrics and category enabled."
+ }
+ },
+ "AnalysisServiceLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "APIforFHIRLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "APIMgmtLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for API Management to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. 
The policy wil set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "ApplicationGatewayLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "AutomationLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Automation to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "BatchLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Batch to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. 
The policy wil set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "CDNEndpointsLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "CognitiveServicesLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "CosmosLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. 
The policy wil set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "DatabricksLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Databricks to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "DataExplorerClusterLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "DataFactoryLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Data Factory to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. 
The policy wil set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "DataLakeStoreLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "DataLakeAnalyticsLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "EventGridSubLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. 
The policy wil set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "EventGridTopicLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "EventHubLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "EventSystemTopicLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. 
The policy wil set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "ExpressRouteLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "FirewallLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Firewall to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "FrontDoorLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Front Door to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. 
The policy wil set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "FunctionAppLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "HDInsightLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for HDInsight to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "IotHubLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. 
The policy wil set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "KeyVaultLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Key Vault to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "LoadBalancerLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "LogicAppsISELogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. 
The policy wil set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "MariaDBLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for MariaDB to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "MediaServiceLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "MlWorkspaceLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. 
The policy wil set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "MySQLLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "NetworkSecurityGroupsLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "NetworkNICLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. 
The policy wil set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "PostgreSQLLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "PowerBIEmbeddedLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "NetworkPublicIPNicLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. 
The policy wil set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "RedisCacheLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "RelayLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Relay to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "SearchServicesLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Search Services to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. 
The policy wil set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "ServiceBusLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "SignalRLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for SignalR to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "SQLDBsLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. 
The policy wil set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "SQLElasticPoolsLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "SQLMLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "StreamAnalyticsLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. 
The policy wil set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "TimeSeriesInsightsLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "TrafficManagerLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "VirtualNetworkLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. 
The policy wil set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "VirtualMachinesLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "VMSSLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "VNetGWLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled."
+ }
+ },
+ "AppServiceLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "AppServiceWebappLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for App Service to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled"
+ }
+ },
+ "WVDAppGroupsLogAnalyticsEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy Diagnostic Settings for WVD Application Groups to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for WVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. 
The policy wil set the diagnostic with all metrics and category enabled" + } + }, + "WVDWorkspaceLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for WVD Workspace to Log Analytics workspace", + "description": "Deploys the diagnostic settings for WVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled" + } + }, + "WVDHostPoolsLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for WVD Host pools to Log Analytics workspace", + "description": "Deploys the diagnostic settings for WVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled" + } + }, + "StorageAccountsLogAnalyticsEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. 
The policy wil set the diagnostic with all metrics and category enabled" + } + } + }, + "policyDefinitionGroups": null, + "metadata": { + "version": "1.0.0", + "category": "Monitoring" + }, + "PolicyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474", + "policyDefinitionReferenceId": "StorageAccountDeployDiagnosticLogDeployLogAnalytics", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('StorageAccountsLogAnalyticsEffect')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup')]", + "policyDefinitionReferenceId": "WVDAppGroupDeployDiagnosticLogDeployLogAnalytics", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('WVDAppGroupsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace')]", + "policyDefinitionReferenceId": "WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('WVDWorkspaceLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools')]", + "policyDefinitionReferenceId": "WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('WVDHostPoolsLogAnalyticsEffect')]" + }, + "profileName": { + "value": 
"[[parameters('profileName')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI')]", + "policyDefinitionReferenceId": "ACIDeployDiagnosticLogDeployLogAnalytics", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('ACILogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR')]", + "policyDefinitionReferenceId": "ACRDeployDiagnosticLogDeployLogAnalytics", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('ACRLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8", + "policyDefinitionReferenceId": "AKSDeployDiagnosticLogDeployLogAnalytics", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('AKSLogAnalyticsEffect')]" + }, + "diagnosticsSettingNameToUse": { + "value": "[[parameters('profileName')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService')]", + "policyDefinitionReferenceId": "AnalysisServiceDeployDiagnosticLogDeployLogAnalytics", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('AnalysisServiceLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), 
'/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR')]", + "policyDefinitionReferenceId": "APIforFHIRDeployDiagnosticLogDeployLogAnalytics", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('APIforFHIRLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt')]", + "policyDefinitionReferenceId": "APIMgmtDeployDiagnosticLogDeployLogAnalytics", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('APIMgmtLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway')]", + "policyDefinitionReferenceId": "ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('ApplicationGatewayLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA')]", + "policyDefinitionReferenceId": "AutomationDeployDiagnosticLogDeployLogAnalytics", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('AutomationLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5", + "policyDefinitionReferenceId": 
"BatchDeployDiagnosticLogDeployLogAnalytics", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('BatchLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints')]", + "policyDefinitionReferenceId": "CDNEndpointsDeployDiagnosticLogDeployLogAnalytics", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('CDNEndpointsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices')]", + "policyDefinitionReferenceId": "CognitiveServicesDeployDiagnosticLogDeployLogAnalytics", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('CognitiveServicesLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB')]", + "policyDefinitionReferenceId": "CosmosDeployDiagnosticLogDeployLogAnalytics", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('CosmosLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks')]", + "policyDefinitionReferenceId": "DatabricksDeployDiagnosticLogDeployLogAnalytics", + "parameters": { + "logAnalytics": { + "value": 
"[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('DatabricksLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster')]", + "policyDefinitionReferenceId": "DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('DataExplorerClusterLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory')]", + "policyDefinitionReferenceId": "DataFactoryDeployDiagnosticLogDeployLogAnalytics", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('DataFactoryLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03", + "policyDefinitionReferenceId": "DataLakeStoreDeployDiagnosticLogDeployLogAnalytics", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('DataLakeStoreLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics')]", + "policyDefinitionReferenceId": "DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": 
"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub')]", + "policyDefinitionReferenceId": "EventGridSubDeployDiagnosticLogDeployLogAnalytics", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('EventGridSubLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic')]", + "policyDefinitionReferenceId": "EventGridTopicDeployDiagnosticLogDeployLogAnalytics", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('EventGridTopicLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579", + "policyDefinitionReferenceId": "EventHubDeployDiagnosticLogDeployLogAnalytics", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('EventHubLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic')]", + "policyDefinitionReferenceId": "EventSystemTopicDeployDiagnosticLogDeployLogAnalytics", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('EventSystemTopicLogAnalyticsEffect')]" + }, + "profileName": { + "value": 
"[[parameters('profileName')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute')]", + "policyDefinitionReferenceId": "ExpressRouteDeployDiagnosticLogDeployLogAnalytics", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('ExpressRouteLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall')]", + "policyDefinitionReferenceId": "FirewallDeployDiagnosticLogDeployLogAnalytics", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('FirewallLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor')]", + "policyDefinitionReferenceId": "FrontDoorDeployDiagnosticLogDeployLogAnalytics", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('FrontDoorLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function')]", + "policyDefinitionReferenceId": "FunctionAppDeployDiagnosticLogDeployLogAnalytics", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('FunctionAppLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), 
'/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight')]", + "policyDefinitionReferenceId": "HDInsightDeployDiagnosticLogDeployLogAnalytics", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('HDInsightLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub')]", + "policyDefinitionReferenceId": "IotHubDeployDiagnosticLogDeployLogAnalytics", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('IotHubLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47", + "policyDefinitionReferenceId": "KeyVaultDeployDiagnosticLogDeployLogAnalytics", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('KeyVaultLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer')]", + "policyDefinitionReferenceId": "LoadBalancerDeployDiagnosticLogDeployLogAnalytics", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('LoadBalancerLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE')]", + "policyDefinitionReferenceId": 
"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('LogicAppsISELogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB')]", + "policyDefinitionReferenceId": "MariaDBDeployDiagnosticLogDeployLogAnalytics", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('MariaDBLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService')]", + "policyDefinitionReferenceId": "MediaServiceDeployDiagnosticLogDeployLogAnalytics", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('MediaServiceLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace')]", + "policyDefinitionReferenceId": "MlWorkspaceDeployDiagnosticLogDeployLogAnalytics", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('MlWorkspaceLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL')]", + "policyDefinitionReferenceId": "MySQLDeployDiagnosticLogDeployLogAnalytics", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + 
}, + "effect": { + "value": "[[parameters('MySQLLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups')]", + "policyDefinitionReferenceId": "NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC')]", + "policyDefinitionReferenceId": "NetworkNICDeployDiagnosticLogDeployLogAnalytics", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('NetworkNICLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL')]", + "policyDefinitionReferenceId": "PostgreSQLDeployDiagnosticLogDeployLogAnalytics", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('PostgreSQLLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded')]", + "policyDefinitionReferenceId": "PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]" + }, + 
"profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648",
+ "policyDefinitionReferenceId": "NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ },
+ "metricsEnabled": {
+ "value": "True"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3",
+ "policyDefinitionReferenceId": "RecoveryVaultDeployDiagnosticLogDeployLogAnalytics",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache')]",
+ "policyDefinitionReferenceId": "RedisCacheDeployDiagnosticLogDeployLogAnalytics",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('RedisCacheLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay')]",
+ "policyDefinitionReferenceId": "RelayDeployDiagnosticLogDeployLogAnalytics",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('RelayLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d",
+ 
"policyDefinitionReferenceId": "SearchServicesDeployDiagnosticLogDeployLogAnalytics", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('SearchServicesLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e", + "policyDefinitionReferenceId": "ServiceBusDeployDiagnosticLogDeployLogAnalytics", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('ServiceBusLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR')]", + "policyDefinitionReferenceId": "SignalRDeployDiagnosticLogDeployLogAnalytics", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('SignalRLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84", + "policyDefinitionReferenceId": "SQLDatabaseDeployDiagnosticLogDeployLogAnalytics", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('SQLDBsLogAnalyticsEffect')]" + }, + "diagnosticsSettingNameToUse": { + "value": "[[parameters('profileName')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools')]", + "policyDefinitionReferenceId": "SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics", + "parameters": { + "logAnalytics": { + "value": 
"[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('SQLElasticPoolsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI')]", + "policyDefinitionReferenceId": "SQLMDeployDiagnosticLogDeployLogAnalytics", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('SQLMLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673", + "policyDefinitionReferenceId": "StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('StreamAnalyticsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights')]", + "policyDefinitionReferenceId": "TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager')]", + "policyDefinitionReferenceId": "TrafficManagerDeployDiagnosticLogDeployLogAnalytics", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('TrafficManagerLogAnalyticsEffect')]" + }, + 
"profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork')]", + "policyDefinitionReferenceId": "VirtualNetworkDeployDiagnosticLogDeployLogAnalytics", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('VirtualNetworkLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM')]", + "policyDefinitionReferenceId": "VirtualMachinesDeployDiagnosticLogDeployLogAnalytics", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('VirtualMachinesLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS')]", + "policyDefinitionReferenceId": "VMSSDeployDiagnosticLogDeployLogAnalytics", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('VMSSLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW')]", + "policyDefinitionReferenceId": "VNetGWDeployDiagnosticLogDeployLogAnalytics", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "effect": { + "value": "[[parameters('VNetGWLogAnalyticsEffect')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), 
'/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm')]",
+ "policyDefinitionReferenceId": "AppServiceDeployDiagnosticLogDeployLogAnalytics",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('AppServiceLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website')]",
+ "policyDefinitionReferenceId": "AppServiceWebappDeployDiagnosticLogDeployLogAnalytics",
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "effect": {
+ "value": "[[parameters('AppServiceWebappLogAnalyticsEffect')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ }
+ }
+ }
+ ]
+ },
+ "name": "Deploy-Diagnostics-LogAnalytics"
+ },
+ {
+ "properties": {
+ "description": "Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment",
+ "displayName": "Deploy SQL Database built-in SQL security configuration",
+ "parameters": {
+ "vulnerabilityAssessmentsEmail": {
+ "metadata": {
+ "description": "The email address to send alerts",
+ "displayName": "The email address to send alerts"
+ },
+ "type": "String"
+ },
+ "vulnerabilityAssessmentsStorageID": {
+ "metadata": {
+ "description": "The storage account ID to store assessments",
+ "displayName": "The storage account ID to store assessments"
+ },
+ "type": "String"
+ },
+ "SqlDbTdeDeploySqlSecurityEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy SQL Database Transparent Data Encryption ",
+ "description": "Deploy the Transparent Data Encryption when it is not enabled in the deployment"
+ }
+ },
+ "SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect": {
+ 
"type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy SQL Database security Alert Policies configuration with email admin accounts",
+ "description": "Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration"
+ }
+ },
+ "SqlDbAuditingSettingsDeploySqlSecurityEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy SQL database auditing settings",
+ "description": "Deploy auditing settings to SQL Database when it not exist in the deployment"
+ }
+ },
+ "SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Deploy SQL Database vulnerability Assessments",
+ "description": "Deploy SQL Database vulnerability Assessments when it not exist in the deployment. 
To the specific storage account in the parameters" + } + } + }, + "policyDefinitionGroups": null, + "metadata": { + "version": "1.0.0", + "category": "SQL" + }, + "PolicyDefinitions": [ + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-Tde')]", + "policyDefinitionReferenceId": "SqlDbTdeDeploySqlSecurity", + "parameters": { + "effect": { + "value": "[[parameters('SqlDbTdeDeploySqlSecurityEffect')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies')]", + "policyDefinitionReferenceId": "SqlDbSecurityAlertPoliciesDeploySqlSecurity", + "parameters": { + "effect": { + "value": "[[parameters('SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings')]", + "policyDefinitionReferenceId": "SqlDbAuditingSettingsDeploySqlSecurity", + "parameters": { + "effect": { + "value": "[[parameters('SqlDbAuditingSettingsDeploySqlSecurityEffect')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments')]", + "policyDefinitionReferenceId": "SqlDbVulnerabilityAssessmentsDeploySqlSecurity", + "parameters": { + "effect": { + "value": "[[parameters('SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect')]" + }, + "vulnerabilityAssessmentsEmail": { + "value": "[[parameters('vulnerabilityAssessmentsEmail')]" + }, + "vulnerabilityAssessmentsStorageID": { + "value": "[[parameters('vulnerabilityAssessmentsStorageID')]" + } + } + } + ] + }, + "name": "Deploy-Sql-Security" + }, + { + "properties": { + "description": "Deny or Audit resources without Encryption with a customer-managed key (CMK)", + "displayName": "Deny or Audit resources without Encryption with a 
customer-managed key (CMK)", + "parameters": { + "ACRCmkEffect": { + "metadata": { + "displayName": "Container registries should be encrypted with a customer-managed key (CMK)", + "description": "Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "AksCmkEffect": { + "metadata": { + "displayName": "Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys", + "description": "Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "WorkspaceCMKEffect": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)", + "description": "Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. 
You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk." + } + }, + "CognitiveServicesCMKEffect": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)", + "description": "Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk." + } + }, + "CosmosCMKEffect": { + "type": "String", + "defaultValue": "audit", + "allowedValues": [ + "audit", + "deny", + "disabled" + ], + "metadata": { + "displayName": "Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest", + "description": "Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk." 
+ } + }, + "DataBoxCMKEffect": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password", + "description": "Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key." + } + }, + "StreamAnalyticsCMKEffect": { + "type": "String", + "defaultValue": "audit", + "allowedValues": [ + "audit", + "deny", + "disabled" + ], + "metadata": { + "displayName": "Azure Stream Analytics jobs should use customer-managed keys to encrypt data", + "description": "Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted." + } + }, + "SynapseWorkspaceCMKEffect": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Azure Synapse workspaces should use customer-managed keys to encrypt data at rest", + "description": "Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys." 
+ } + }, + "StorageCMKEffect": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ], + "metadata": { + "displayName": "Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption", + "description": "Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data." + } + }, + "MySQLCMKEffect": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Azure MySQL servers bring your own key data protection should be enabled", + "description": "Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management." + } + }, + "PostgreSQLCMKEffect": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Azure PostgreSQL servers bring your own key data protection should be enabled", + "description": "Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. 
CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management." + } + }, + "SqlServerTDECMKEffect": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "SQL servers should use customer-managed keys to encrypt data at rest", + "description": "Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement." + } + }, + "HealthcareAPIsCMKEffect": { + "type": "String", + "defaultValue": "audit", + "allowedValues": [ + "audit", + "disabled" + ], + "metadata": { + "displayName": "Azure API for FHIR should use a customer-managed key (CMK) to encrypt data at rest", + "description": "Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys." + } + }, + "AzureBatchCMKEffect": { + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "metadata": { + "displayName": "Azure Batch account should use customer-managed keys to encrypt data", + "description": "Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. 
You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK." + } + }, + "EncryptedVMDisksEffect": { + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Disk encryption should be applied on virtual machines", + "description": "Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations." + } + } + }, + "policyDefinitionGroups": null, + "metadata": { + "version": "1.0.0", + "category": "Encryption" + }, + "PolicyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580", + "policyDefinitionReferenceId": "ACRCmkDeny", + "parameters": { + "effect": { + "value": "[[parameters('ACRCmkEffect')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67", + "policyDefinitionReferenceId": "AksCmkDeny", + "parameters": { + "effect": { + "value": "[[parameters('AksCmkEffect')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8", + "policyDefinitionReferenceId": "WorkspaceCMK", + "parameters": { + "effect": { + "value": "[[parameters('WorkspaceCMKEffect')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d", + "policyDefinitionReferenceId": "CognitiveServicesCMK", + "parameters": { + "effect": { + "value": "[[parameters('CognitiveServicesCMKEffect')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f", + "policyDefinitionReferenceId": "CosmosCMKEffect", + "parameters": { + "effect": { + "value": "[[parameters('CosmosCMKEffect')]" + } + } 
+ }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae", + "policyDefinitionReferenceId": "DataBoxCMKEffect", + "parameters": { + "effect": { + "value": "[[parameters('DataBoxCMKEffect')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7", + "policyDefinitionReferenceId": "StreamAnalyticsCMKEffect", + "parameters": { + "effect": { + "value": "[[parameters('StreamAnalyticsCMKEffect')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385", + "policyDefinitionReferenceId": "SynapseWorkspaceCMKEffect", + "parameters": { + "effect": { + "value": "[[parameters('SynapseWorkspaceCMKEffect')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25", + "policyDefinitionReferenceId": "StorageCMKEffect", + "parameters": { + "effect": { + "value": "[[parameters('StorageCMKEffect')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833", + "policyDefinitionReferenceId": "MySQLCMKEffect", + "parameters": { + "effect": { + "value": "[[parameters('MySQLCMKEffect')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274", + "policyDefinitionReferenceId": "PostgreSQLCMKEffect", + "parameters": { + "effect": { + "value": "[[parameters('PostgreSQLCMKEffect')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd", + "policyDefinitionReferenceId": "SqlServerTDECMKEffect", + "parameters": { + "effect": { + "value": "[[parameters('SqlServerTDECMKEffect')]" + } + } + }, + { + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119", + "policyDefinitionReferenceId": "HealthcareAPIsCMKEffect", + "parameters": { + "effect": { + "value": "[[parameters('HealthcareAPIsCMKEffect')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a", + "policyDefinitionReferenceId": "AzureBatchCMKEffect", + "parameters": { + "effect": { + "value": "[[parameters('AzureBatchCMKEffect')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d", + "policyDefinitionReferenceId": "EncryptedVMDisksEffect", + "parameters": { + "effect": { + "value": "[[parameters('EncryptedVMDisksEffect')]" + } + } + } + ] + }, + "name": "Enforce-Encryption-CMK" + }, + { + "properties": { + "description": "Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing exsistense condition require then the combination of Audit. ", + "displayName": "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit", + "parameters": { + "AppServiceHttpEffect": { + "type": "String", + "defaultValue": "Append", + "allowedValues": [ + "Append", + "Disabled" + ], + "metadata": { + "displayName": "App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below", + "description": "Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny." + } + }, + "AppServiceTlsVersionEffect": { + "type": "String", + "defaultValue": "Append", + "allowedValues": [ + "Append", + "Disabled" + ], + "metadata": { + "displayName": "App Service. 
Appends the AppService WebApp, APIApp, Function App to enable https only", + "description": "App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny." + } + }, + "AppServiceminTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.0", + "1.1" + ], + "metadata": { + "displayName": "App Service. Select version minimum TLS Web App config", + "description": "App Service. Select version minimum TLS version for a Web App config to enforce" + } + }, + "APIAppServiceLatestTlsEffect": { + "metadata": { + "displayName": "App Service API App. Latest TLS version should be used in your API App", + "description": "App Service API App. Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version." + }, + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "APIAppServiceHttpsEffect": { + "metadata": { + "displayName": "App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.", + "description": "Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "FunctionLatestTlsEffect": { + "metadata": { + "displayName": "App Service Function App. Latest TLS version should be used in your Function App", + "description": "Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version." 
+ }, + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "FunctionServiceHttpsEffect": { + "metadata": { + "displayName": "App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.", + "description": "App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "WebAppServiceLatestTlsEffect": { + "metadata": { + "displayName": "App Service Web App. Latest TLS version should be used in your Web App", + "description": "Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version." + }, + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "WebAppServiceHttpsEffect": { + "metadata": { + "displayName": "App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.", + "description": "Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "AKSIngressHttpsOnlyEffect": { + "metadata": { + "displayName": "AKS Service. Enforce HTTPS ingress in Kubernetes cluster", + "description": "This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc." 
+ }, + "type": "String", + "defaultValue": "deny", + "allowedValues": [ + "audit", + "deny", + "disabled" + ] + }, + "MySQLEnableSSLDeployEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server", + "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + } + }, + "MySQLEnableSSLEffect": { + "metadata": { + "displayName": "MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers", + "description": "Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "MySQLminimalTlsVersion": { + "type": "String", + "defaultValue": "TLS1_2", + "allowedValues": [ + "TLS1_2", + "TLS1_0", + "TLS1_1", + "TLSEnforcementDisabled" + ], + "metadata": { + "displayName": "MySQL database servers. 
Select version minimum TLS for MySQL server", + "description": "Select version minimum TLS version Azure Database for MySQL server to enforce" + } + }, + "PostgreSQLEnableSSLDeployEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server", + "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + } + }, + "PostgreSQLEnableSSLEffect": { + "metadata": { + "displayName": "PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers", + "description": "Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "PostgreSQLminimalTlsVersion": { + "type": "String", + "defaultValue": "TLS1_2", + "allowedValues": [ + "TLS1_2", + "TLS1_0", + "TLS1_1", + "TLSEnforcementDisabled" + ], + "metadata": { + "displayName": "PostgreSQL database servers. 
Select version minimum TLS for MySQL server", + "description": "PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce" + } + }, + "RedisTLSDeployEffect": { + "type": "String", + "defaultValue": "Append", + "allowedValues": [ + "Append", + "Disabled" + ], + "metadata": { + "displayName": "Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis", + "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + } + }, + "RedisMinTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.0", + "1.1" + ], + "metadata": { + "displayName": "Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis", + "description": "Select version minimum TLS version for a Azure Cache for Redis to enforce" + } + }, + "RedisTLSEffect": { + "metadata": { + "displayName": "Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled", + "description": "Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking." 
+ }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "SQLManagedInstanceTLSDeployEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers", + "description": "Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + } + }, + "SQLManagedInstanceMinTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.0", + "1.1" + ], + "metadata": { + "displayName": "Azure Managed Instance.Select version minimum TLS for Azure Managed Instance", + "description": "Select version minimum TLS version for Azure Managed Instanceto to enforce" + } + }, + "SQLManagedInstanceTLSEffect": { + "metadata": { + "displayName": "SQL Managed Instance should have the minimal TLS version of 1.2", + "description": "Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "SQLServerTLSDeployEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Azure SQL Database. 
Deploy a specific min TLS version requirement and enforce SSL on SQL servers", + "description": "Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + } + }, + "SQLServerminTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.0", + "1.1" + ], + "metadata": { + "displayName": "Azure SQL Database.Select version minimum TLS for Azure SQL Database", + "description": "Select version minimum TLS version for Azure SQL Database to enforce" + } + }, + "SQLServerTLSEffect": { + "metadata": { + "displayName": "Azure SQL Database should have the minimal TLS version of 1.2", + "description": "Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "StorageDeployHttpsEnabledEffect": { + "metadata": { + "displayName": "Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled", + "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). 
Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking" + }, + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "StorageminimumTlsVersion": { + "type": "String", + "defaultValue": "TLS1_2", + "allowedValues": [ + "TLS1_2", + "TLS1_1", + "TLS1_0" + ], + "metadata": { + "displayName": "Storage Account select minimum TLS version", + "description": "Select version minimum TLS version on Azure Storage Account to enforce" + } + }, + "StorageHttpsEnabledEffect": { + "metadata": { + "displayName": "Azure Storage Account. Secure transfer to storage accounts should be enabled", + "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking" + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + } + }, + "policyDefinitionGroups": null, + "metadata": { + "version": "1.0.0", + "category": "Encryption" + }, + "PolicyDefinitions": [ + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly')]", + "policyDefinitionReferenceId": "AppServiceHttpEffect", + "parameters": { + "effect": { + "value": "[[parameters('AppServiceHttpEffect')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS')]", + "policyDefinitionReferenceId": "AppServiceminTlsVersion", + "parameters": { + "effect": { + "value": 
"[[parameters('AppServiceTlsVersionEffect')]" + }, + "minTlsVersion": { + "value": "[[parameters('AppServiceminTlsVersion')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e", + "policyDefinitionReferenceId": "APIAppServiceLatestTlsEffect", + "parameters": { + "effect": { + "value": "[[parameters('APIAppServiceLatestTlsEffect')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193", + "policyDefinitionReferenceId": "FunctionLatestTlsEffect", + "parameters": { + "effect": { + "value": "[[parameters('FunctionLatestTlsEffect')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b", + "policyDefinitionReferenceId": "WebAppServiceLatestTlsEffect", + "parameters": { + "effect": { + "value": "[[parameters('WebAppServiceLatestTlsEffect')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http')]", + "policyDefinitionReferenceId": "APIAppServiceHttpsEffect", + "parameters": { + "effect": { + "value": "[[parameters('APIAppServiceHttpsEffect')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http')]", + "policyDefinitionReferenceId": "FunctionServiceHttpsEffect", + "parameters": { + "effect": { + "value": "[[parameters('FunctionServiceHttpsEffect')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http')]", + "policyDefinitionReferenceId": "WebAppServiceHttpsEffect", + "parameters": { + "effect": { + "value": "[[parameters('WebAppServiceHttpsEffect')]" + } + } + }, + { + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d", + "policyDefinitionReferenceId": "AKSIngressHttpsOnlyEffect", + "parameters": { + "effect": { + "value": "[[parameters('AKSIngressHttpsOnlyEffect')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement')]", + "policyDefinitionReferenceId": "MySQLEnableSSLDeployEffect", + "parameters": { + "effect": { + "value": "[[parameters('MySQLEnableSSLDeployEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('MySQLminimalTlsVersion')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http')]", + "policyDefinitionReferenceId": "MySQLEnableSSLEffect", + "parameters": { + "effect": { + "value": "[[parameters('MySQLEnableSSLEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('MySQLminimalTlsVersion')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement')]", + "policyDefinitionReferenceId": "PostgreSQLEnableSSLDeployEffect", + "parameters": { + "effect": { + "value": "[[parameters('PostgreSQLEnableSSLDeployEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('PostgreSQLminimalTlsVersion')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http')]", + "policyDefinitionReferenceId": "PostgreSQLEnableSSLEffect", + "parameters": { + "effect": { + "value": "[[parameters('PostgreSQLEnableSSLEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('PostgreSQLminimalTlsVersion')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement')]", + "policyDefinitionReferenceId": 
"RedisTLSDeployEffect", + "parameters": { + "effect": { + "value": "[[parameters('RedisTLSDeployEffect')]" + }, + "minimumTlsVersion": { + "value": "[[parameters('RedisMinTlsVersion')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort')]", + "policyDefinitionReferenceId": "RedisdisableNonSslPort", + "parameters": { + "effect": { + "value": "[[parameters('RedisTLSDeployEffect')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http')]", + "policyDefinitionReferenceId": "RedisDenyhttps", + "parameters": { + "effect": { + "value": "[[parameters('RedisTLSEffect')]" + }, + "minimumTlsVersion": { + "value": "[[parameters('RedisMinTlsVersion')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS')]", + "policyDefinitionReferenceId": "SQLManagedInstanceTLSDeployEffect", + "parameters": { + "effect": { + "value": "[[parameters('SQLManagedInstanceTLSDeployEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('SQLManagedInstanceMinTlsVersion')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS')]", + "policyDefinitionReferenceId": "SQLManagedInstanceTLSEffect", + "parameters": { + "effect": { + "value": "[[parameters('SQLManagedInstanceTLSEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('SQLManagedInstanceMinTlsVersion')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS')]", + "policyDefinitionReferenceId": "SQLServerTLSDeployEffect", + "parameters": { + "effect": { + "value": "[[parameters('SQLServerTLSDeployEffect')]" + }, + "minimalTlsVersion": { + "value": 
"[[parameters('SQLServerminTlsVersion')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS')]", + "policyDefinitionReferenceId": "SQLServerTLSEffect", + "parameters": { + "effect": { + "value": "[[parameters('SQLServerTLSEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('SQLServerminTlsVersion')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS')]", + "policyDefinitionReferenceId": "StorageHttpsEnabledEffect", + "parameters": { + "effect": { + "value": "[[parameters('StorageHttpsEnabledEffect')]" + }, + "minimumTlsVersion": { + "value": "[[parameters('StorageMinimumTlsVersion')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement')]", + "policyDefinitionReferenceId": "StorageDeployHttpsEnabledEffect", + "parameters": { + "effect": { + "value": "[[parameters('StorageDeployHttpsEnabledEffect')]" + }, + "minimumTlsVersion": { + "value": "[[parameters('StorageMinimumTlsVersion')]" + } + } + } + ] + }, + "name": "Enforce-EncryptTransit" + }, + { + "properties": { + "description": "Deploy Azure Security Center configuration", + "displayName": "Deploy Azure Security Center configuration", + "parameters": { + "emailSecurityContact": { + "type": "string", + "metadata": { + "displayName": "Security contacts email address", + "description": "Provide email address for Azure Security Center contact details" + } + }, + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Primary Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "ascExportResourceGroupName": { + "type": "String", + "metadata": { + "displayName": "Resource Group name for the export to Log Analytics workspace configuration", + "description": "The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured." + } + }, + "ascExportResourceGroupLocation": { + "type": "String", + "metadata": { + "displayName": "Resource Group location for the export to Log Analytics workspace configuration", + "description": "The location where the resource group and the export to Log Analytics workspace configuration are created." + } + }, + "pricingTierVMs": { + "type": "string", + "metadata": { + "displayName": "Azure Defender pricing tier for Virtual Machines", + "description": "Azure Defender pricing tier for Virtual Machines" + }, + "allowedValues": [ + "Standard", + "Free" + ], + "defaultValue": "Standard" + }, + "pricingTierSqlServers": { + "type": "string", + "metadata": { + "displayName": "Azure Defender pricing tier for SQL Servers", + "description": "Azure Defender pricing tier for SQL Servers" + }, + "allowedValues": [ + "Standard", + "Free" + ], + "defaultValue": "Standard" + }, + "pricingTierAppServices": { + "type": "string", + "metadata": { + "displayName": "Azure Defender pricing tier for App Services", + "description": "Azure Defender pricing tier for App Services" + }, + "allowedValues": [ + "Standard", + "Free" + ], + "defaultValue": "Standard" + }, + "pricingTierStorageAccounts": { + "type": "string", + "metadata": { + "displayName": "Azure Defender pricing tier for Storage Accounts", + 
"description": "Azure Defender pricing tier for Storage Accounts" + }, + "allowedValues": [ + "Standard", + "Free" + ], + "defaultValue": "Standard" + }, + "pricingTierSqlServerVirtualMachines": { + "type": "string", + "metadata": { + "displayName": "Azure Defender pricing tier for SQL Server Virtual Machines", + "description": "Azure Defender pricing tier for SQL Server Virtual Machines" + }, + "allowedValues": [ + "Standard", + "Free" + ], + "defaultValue": "Standard" + }, + "pricingTierKubernetesService": { + "type": "string", + "metadata": { + "displayName": "Azure Defender pricing tier for AKS", + "description": "Azure Defender pricing tier for AKS" + }, + "allowedValues": [ + "Standard", + "Free" + ], + "defaultValue": "Standard" + }, + "pricingTierContainerRegistry": { + "type": "string", + "metadata": { + "displayName": "Azure Defender pricing tier for ACR", + "description": "Azure Defender pricing tier for ACR" + }, + "allowedValues": [ + "Standard", + "Free" + ], + "defaultValue": "Standard" + }, + "pricingTierKeyVaults": { + "type": "string", + "metadata": { + "displayName": "Azure Defender pricing tier for AKV", + "description": "Azure Defender pricing tier for AKV" + }, + "allowedValues": [ + "Standard", + "Free" + ], + "defaultValue": "Standard" + }, + "pricingTierDns": { + "type": "string", + "metadata": { + "displayName": "Azure Defender pricing tier for DNS", + "description": "Azure Defender pricing tier for DNS" + }, + "allowedValues": [ + "Standard", + "Free" + ], + "defaultValue": "Standard" + }, + "pricingTierArm": { + "type": "string", + "metadata": { + "displayName": "Azure Defender pricing tier for Azure Resource Manager", + "description": "Azure Defender pricing tier for Azure Resource Manager" + }, + "allowedValues": [ + "Standard", + "Free" + ], + "defaultValue": "Standard" + } + }, + "metadata": { + "version": "1.0.0", + "category": "Security Center" + }, + "PolicyDefinitions": [ + { + "policyDefinitionId": "[concat(variables('scope'), 
'/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-Defender-VMs')]", + "policyDefinitionReferenceId": "defenderForVM", + "parameters": { + "pricingTier": { + "value": "[[parameters('pricingTierVMs')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-Defender-Sql')]", + "policyDefinitionReferenceId": "defenderForSqlServers", + "parameters": { + "pricingTier": { + "value": "[[parameters('pricingTierSqlServers')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-Defender-AppSrv')]", + "policyDefinitionReferenceId": "defenderForAppServices", + "parameters": { + "pricingTier": { + "value": "[[parameters('pricingTierAppServices')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-Defender-SA')]", + "policyDefinitionReferenceId": "defenderForStorageAccounts", + "parameters": { + "pricingTier": { + "value": "[[parameters('pricingTierStorageAccounts')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-Defender-SQLVM')]", + "policyDefinitionReferenceId": "defenderForSqlServerVirtualMachines", + "parameters": { + "pricingTier": { + "value": "[[parameters('pricingTierSqlServerVirtualMachines')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-Defender-AKS')]", + "policyDefinitionReferenceId": "defenderForKubernetesService", + "parameters": { + "pricingTier": { + "value": "[[parameters('pricingTierKubernetesService')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-Defender-ACR')]", + "policyDefinitionReferenceId": "defenderForContainerRegistry", + 
"parameters": { + "pricingTier": { + "value": "[[parameters('pricingTierContainerRegistry')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-Defender-AKV')]", + "policyDefinitionReferenceId": "defenderForKeyVaults", + "parameters": { + "pricingTier": { + "value": "[[parameters('pricingTierKeyVaults')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-Defender-DNS')]", + "policyDefinitionReferenceId": "defenderForDns", + "parameters": { + "pricingTier": { + "value": "[[parameters('pricingTierDns')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-Defender-ARM')]", + "policyDefinitionReferenceId": "defenderForArm", + "parameters": { + "pricingTier": { + "value": "[[parameters('pricingTierArm')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts')]", + "policyDefinitionReferenceId": "securityEmailContact", + "parameters": { + "emailSecurityContact": { + "value": "[[parameters('emailSecurityContact')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9", + "policyDefinitionReferenceId": "ascExport", + "parameters": { + "resourceGroupName": { + "value": "[[parameters('ascExportResourceGroupName')]" + }, + "resourceGroupLocation": { + "value": "[[parameters('ascExportResourceGroupLocation')]" + }, + "workspaceResourceId": { + "value": "[[parameters('logAnalytics')]" + + } + } + } + ] + }, + "name": "Deploy-ASC-Config" + } + ] + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "name": "[variables('policies').policyDefinitions[copyIndex()].name]", + "apiVersion": "2019-09-01", + "copy": { + "name": 
"policyDefinitionCopy",
+ "count": "[length(variables('policies').policyDefinitions)]"
+ },
+ "properties": {
+ "displayName": "[variables('policies').policyDefinitions[copyIndex()].properties.displayName]",
+ "description": "[variables('policies').policyDefinitions[copyIndex()].properties.description]",
+ "mode": "[variables('policies').policyDefinitions[copyIndex()].properties.mode]",
+ "policyType": "Custom",
+ "parameters": "[variables('policies').policyDefinitions[copyIndex()].properties.parameters]",
+ "policyRule": "[variables('policies').policyDefinitions[copyIndex()].properties.policyRule]",
+ "metadata": "[variables('policies').policyDefinitions[copyIndex()].properties.metadata]"
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "name": "[variables('initiatives').policySetDefinitions[copyIndex()].name]",
+ "apiVersion": "2019-09-01",
+ "dependsOn": [
+ "policyDefinitionCopy"
+ ],
+ "copy": {
+ "name": "policySetDefinitionCopy",
+ "count": "[length(variables('initiatives').policySetDefinitions)]"
+ },
+ "properties": {
+ "displayName": "[variables('initiatives').policySetDefinitions[copyIndex()].properties.displayName]",
+ "description": "[variables('initiatives').policySetDefinitions[copyIndex()].properties.description]",
+ "parameters": "[variables('initiatives').policySetDefinitions[copyIndex()].properties.parameters]",
+ "policyDefinitions": "[variables('initiatives').policySetDefinitions[copyIndex()].properties.policyDefinitions]",
+ "metadata": "[variables('initiatives').policySetDefinitions[copyIndex()].properties.metadata]"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/eslzArm/managementGroupTemplates/roleAssignments/azOpsRoleAssignment.json b/eslzArm/managementGroupTemplates/roleAssignments/azOpsRoleAssignment.json
new file mode 100644
index 0000000000..b4a1011f2a
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/roleAssignments/azOpsRoleAssignment.json
@@ -0,0 +1,29 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string"
+ },
+ "principalId": {
+ "type": "array"
+ }
+ },
+ "variables": {
+ "formattedPrincipalId": "[replace(replace(replace(string(parameters('principalId')), '\"', ''), '[', ''), ']', '')]",
+ "roleDefinitionOwner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
+ "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('roleDefinitionOwner'))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2019-04-01-preview",
+ "name": "[guid(concat(parameters('topLevelManagementGroupPrefix'), variables('formattedPrincipalId')))]",
+ "properties": {
+ "principalType": "ServicePrincipal",
+ "roleDefinitionId": "[variables('roleDefinitionId')]",
+ "principalId": "[variables('formattedPrincipalId')]"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/eslzArm/managementGroupTemplates/roleAssignments/roleAssignment.json b/eslzArm/managementGroupTemplates/roleAssignments/roleAssignment.json
new file mode 100644
index 0000000000..1ae305a293
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/roleAssignments/roleAssignment.json
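Review bot: `principalId` is declared as an array, but `formattedPrincipalId` only strips the quotes and brackets from its string form, so a one-element array yields a usable object id while two or more ids collapse into a comma-joined string that is neither a valid `principalId` nor a sensible input to the `guid()` name on the `"name"` line. Either declare the parameter as a string, or constrain the array with `"minLength": 1, "maxLength": 1` and state the single-id expectation in a `metadata.description` (neither parameter has one). The template also hard-codes the built-in Owner role (`roleDefinitionOwner`) for a service principal at the management group the deployment targets; if Owner is intentional for the AzOps principal, a top-level `metadata.description` explaining why a narrower built-in role was not used would help reviewers and auditors, otherwise consider taking the role as a parameter the way `roleAssignment.json` in this same commit does.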
@@ -0,0 +1,34 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string"
+ },
+ "principalId": {
+ "type": "string"
+ },
+ "roleDefinitionId": {
+ "type": "string"
+ },
+ "principalType": {
+ "type": "string",
+ "defaultValue": "ServicePrincipal"
+ }
+ },
+ "variables": {
+ "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', parameters('roleDefinitionId'))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2019-04-01-preview",
+ "name": "[guid(concat(parameters('topLevelManagementGroupPrefix'), parameters('roleDefinitionId')))]",
+ "properties": {
+ "principalType": "[parameters('principalType')]",
+ "roleDefinitionId": "[variables('roleDefinitionId')]",
+ "principalId": "[parameters('principalId')]"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/eslzArm/managementGroupTemplates/subscriptionOrganization/subscriptionOrganization.json b/eslzArm/managementGroupTemplates/subscriptionOrganization/subscriptionOrganization.json
new file mode 100644
index 0000000000..b49637311d
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/subscriptionOrganization/subscriptionOrganization.json
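Review bot: The role assignment name on the `"name"` line is derived only from `topLevelManagementGroupPrefix` and `roleDefinitionId`, not from `principalId`, so granting the same role to a second principal at the same scope produces the same deterministic name and collides with the first assignment instead of creating a separate one. Fold the principal into the hash: `"name": "[guid(concat(parameters('topLevelManagementGroupPrefix'), parameters('roleDefinitionId'), parameters('principalId')))]"`. The `roleDefinitionId` parameter actually carries a bare role definition GUID that `variables.roleDefinitionId` expands into a full resource id; a `metadata.description` on each parameter saying so, and `"allowedValues": ["ServicePrincipal", "User", "Group"]` on `principalType`, would stop the wrong form being passed in silently.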
@@ -0,0 +1,29 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "targetManagementGroupId": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the management group id (e.g. 'eslz-corp')"
+ }
+ },
+ "subscriptionId": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the subscriptionId you will place into the management group"
+ }
+ }
+ },
+ "resources": [
+ {
+ "scope": "/",
+ "type": "Microsoft.Management/managementGroups/subscriptions",
+ "apiVersion": "2020-05-01",
+ "name": "[concat(parameters('targetManagementGroupId'), '/', parameters('subscriptionId'))]",
+ "properties": {
+ }
+ }
+ ],
+ "outputs": {}
+}
\ No newline at end of file
diff --git a/eslzArm/portal backup.json b/eslzArm/portal backup.json
new file mode 100644
index 0000000000..c25e11eada
--- /dev/null
+++ b/eslzArm/portal backup.json
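Review bot: `subscriptionId` flows straight into the resource name on the `"name"` line with no constraint, so a malformed id (or a subscription display name pasted by mistake) is only rejected once the tenant-scope (`"scope": "/"`) request is made; ARM string parameters accept length bounds, so `"minLength": 36, "maxLength": 36` on `subscriptionId` catches the obvious cases up front. The empty `"properties": {` block split across two lines is a formatting wobble; collapse it to `"properties": {}` to match `"outputs": {}` just below. Since a subscription has a single parent management group, this deployment also detaches it from whichever group currently holds it, which is worth saying in the `subscriptionId` description.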
@@ -0,0 +1,2013 @@ +{ + "$schema": "", + "view": { + "kind": "Form", + "properties": { + "title": "Enterprise-Scale Landing Zones", + "steps": [ + { + "name": "basics", + "label": "Basics", + "elements": [ + { + "name": "resourceScope", + "type": "Microsoft.Common.ResourceScope" + } + ] + }, + { + "name": "lzSettings", + "label": "Enterprise-Scale company prefix", + "subLabel": { + "preValidation": "Provide a company prefix for the management group structure that will be created.", + "postValidation": "Done" + }, + "bladeTitle": "Company prefix", + "elements": [ + { + "name": "info", + "type": "Microsoft.Common.InfoBox", + "visible": true, + "options": { + "text": "Enterprise-Scale ARM deployment requires access at the tenant root (/) scope. Visit this link to ensure you have the appropriate RBAC permission to complete the deployment", + "uri": "https://docs.microsoft.com/azure/role-based-access-control/elevate-access-global-admin", + "style": "Info" + } + }, + { + "name": "mgmtGroup", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "text": "Enterprise-Scale will create the management group hierarchy under the Tenant Root Group with the prefix provided at this step.", + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/management-group-and-subscription-organization" + } + } + }, + { + "name": "esMgmtGroup", + "type": "Microsoft.Common.TextBox", + "label": "Management Group prefix", + "toolTip": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of Enterprise-scale.", + "defaultValue": "", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z-]{1,10}$", + "validationMessage": "The prefix must be 1-10 characters." 
+ } + }, + { + "name": "subOrgs", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "text": "Dedicated subscriptions are recommended for the various platform components to ensure scale, sustainability, and segregation of duties. However, a single subscription can also be used in case this is not a concern (i.e., small enterprises).", + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/management-group-and-subscription-organization" + } + } + }, + { + "name": "subOrgsOption", + "type": "Microsoft.Common.OptionsGroup", + "label": "Select dedicated subscriptions or single subscription for platform resources", + "defaultValue": "Dedicated (recommended)", + "toolTip": "If 'Yes' is selected when also adding a subscription for management, ARM will deploy resources and enable them for continious compliance.", + "constraints": { + "allowedValues": [ + { + "label": "Dedicated (recommended)", + "value": "Dedicated" + }, + { + "label": "Single", + "value": "Single" + } + ] + }, + "visible": true + }, + { + "name": "esSingleSubSection", + "type": "Microsoft.Common.Section", + "label": "Single platform subscription", + "elements": [ + { + "name": "singleSubText", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "text": "Select the dedicated, single subscription that will be used for all platform resources during deployment." 
+ } + }, + { + "type":"Microsoft.Common.SubscriptionSelector", + "name": "esSingleSub", + "label": "Single platform subscription" + } + ], + "visible": "[equals(steps('lzSettings').subOrgsOption, 'Single')]" + } + ] + }, + { + "name": "esGoalState", + "label": "Platform management, security, and governance", + "subLabel": { + "preValidation": "", + "postValidation": "" + }, + "bladeTitle": "lzGs", + "elements": [ + { + "name": "multiPlatformMgmtSub", + "type": "Microsoft.Common.InfoBox", + "visible": "[not(equals(steps('lzSettings').subOrgsOption, 'Single'))]", + "options": { + "text": "To enable platform management, security and governance, you must allocate a management Subscription. Please note, this Subscription will be moved to the platform Management Group, and ARM will deploy a Log Analytics workspace and requisite settings. We recommend using a new Subscription with no existing resources. Note that Azure Policy will be used to govern the configuration for the platform at scale.", + "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/management-and-monitoring", + "style": "Info" + } + }, + { + "name": "singlePlatformMgmtSub", + "type": "Microsoft.Common.InfoBox", + "visible": "[equals(steps('lzSettings').subOrgsOption, 'Single')]", + "options": { + "text": "To enable platform management, security and governance, you can configure core infra such as Log Analytics, Azure Security Center and additional monitoring solutions to your dedicated platform subscription. 
Note that Azure Policy will be used to govern the configuration for the platform at scale.", + "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/management-and-monitoring", + "style": "Info" + } + }, + { + "name": "esLogAnalytics", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy Log Analytics workspace and enable monitoring for your platform and resources", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected when also adding a subscription for management, ARM will deploy resources and enable them for continious compliance.", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": true + }, + { + "name": "esLogRetention", + "type": "Microsoft.Common.Slider", + "min": 30, + "max": 730, + "label": "Log Analytics Data Retention (days)", + "subLabel": "Days", + "defaultValue": 30, + "showStepMarkers": false, + "toolTip": "Select retention days for Azure logs. 
Default is 30 days.", + "constraints": { + "required": false + }, + "visible": "[equals(steps('esGoalState').esLogAnalytics,'Yes')]" + }, + { + "name": "esMgmtSubSection", + "type": "Microsoft.Common.Section", + "label": "Management subscription", + "elements": [ + { + "type":"Microsoft.Common.SubscriptionSelector", + "name": "esMgmtSub", + "label": "Management subscription" + } + ], + "visible": "[and(equals(steps('esGoalState').esLogAnalytics, 'Yes'), not(equals(steps('lzSettings').subOrgsOption, 'Single')))]" + }, + { + "name": "monitoring", + "type": "Microsoft.Common.TextBlock", + "visible": "[equals(steps('esGoalState').esLogAnalytics,'Yes')]", + "options": { + "text": "Select which Azure Monitor solutions you will enable for your Log Analytics workspace", + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/azure-monitor/insights/solutions" + } + } + }, + { + "name": "esAgentSolution", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy Agent Health solution", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected when also adding a subscription for management, ARM will deploy resources and enable them for continous compliance", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": "[equals(steps('esGoalState').esLogAnalytics,'Yes')]" + }, + { + "name": "esChangeTracking", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy Change Tracking solution", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected when also adding a subscription for management, ARM will deploy resources and enable them for continous compliance", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": "[equals(steps('esGoalState').esLogAnalytics,'Yes')]" + }, + { + "name": "esUpdateMgmt", + 
"type": "Microsoft.Common.OptionsGroup", + "label": "Deploy Update Management solution", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected when also adding a subscription for management, ARM will deploy resources and enable them for continous compliance", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": "[equals(steps('esGoalState').esLogAnalytics,'Yes')]" + }, + { + "name": "esActivityLog", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy Activity Log solution", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected when also adding a subscription for management, ARM will deploy resources and enable them for continous compliance", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": "[equals(steps('esGoalState').esLogAnalytics,'Yes')]" + }, + { + "name": "esVmInsights", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy VM Insights solution", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected when also adding a subscription for management, ARM will deploy resources and enable them for continous compliance", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": "[equals(steps('esGoalState').esLogAnalytics,'Yes')]" + }, + { + "name": "esServiceMap", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy Service Map solution", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected when also adding a subscription for management, ARM will deploy resources and enable them for continous compliance", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } 
+ ] + }, + "visible": "[equals(steps('esGoalState').esLogAnalytics,'Yes')]" + }, + { + "name": "esSqlAssessment", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy SQL Assessment solution", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected when also adding a subscription for management, ARM will deploy resources and enable them for continous compliance", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": "[equals(steps('esGoalState').esLogAnalytics,'Yes')]" + }, + { + "name": "textBlock0", + "type": "Microsoft.Common.TextBlock", + "visible": "[equals(steps('esGoalState').esLogAnalytics,'Yes')]", + "options": { + "text": "Select which Azure Security solutions you will enable.", + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/security/fundamentals/overview" + } + } + }, + { + "name": "esAsc", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy Azure Security Center and enable security monitoring for your platform and resources", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected when also adding a subscription for management, ARM will deploy resources and enable them for continous compliance", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": "[equals(steps('esGoalState').esLogAnalytics,'Yes')]" + }, + { + "name": "esAscEmail", + "type": "Microsoft.Common.TextBox", + "label": "Azure Security Center Email Contact", + "toolTip": "Email address to get email notifications from Azure Security Center", + "visible": "[equals(steps('esGoalState').esAsc,'Yes')]", + "defaultValue": "", + "constraints": { + "required": "[equals(steps('esGoalState').esAsc,'Yes')]", + "regex": "^[\\w-\\.]+@([\\w-]+\\.)+[\\w-]{2,4}$", + "validationMessage": "Please provide a valid 
email address" + } + }, + { + "name": "esAscVms", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable Azure Defender for servers", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected, Azure Defender will be enabled for all servers.", + "visible": "[equals(steps('esGoalState').esAsc,'Yes')]", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Standard" + }, + { + "label": "No, Azure Defender Off", + "value": "Free" + } + ] + } + }, + { + "name": "esAscApps", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable Azure Defender for AppServices", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected, Azure Defender will be enabled for AppServices.", + "visible": "[equals(steps('esGoalState').esAsc,'Yes')]", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Standard" + }, + { + "label": "No, Azure Defender Off", + "value": "Free" + } + ] + } + }, + { + "name": "esAscStorage", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable Azure Defender for Storage", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected, Azure Defender will be enabled for Storage.", + "visible": "[equals(steps('esGoalState').esAsc,'Yes')]", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Standard" + }, + { + "label": "No, Azure Defender Off", + "value": "Free" + } + ] + } + }, + { + "name": "esAscSql", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable Azure Defender for Azure SQL Database", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected, Azure Defender will be enabled for Azure SQL Database.", + "visible": "[equals(steps('esGoalState').esAsc,'Yes')]", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Standard" + }, + { + "label": "No, Azure Defender Off", + "value": "Free" + } + ] + } + }, + { + "name": "esAscSqlOnVm", + 
"type": "Microsoft.Common.OptionsGroup", + "label": "Enable Azure Defender for SQL servers on machines", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected, Azure Defender will be enabled for SQL servers on machines.", + "visible": "[equals(steps('esGoalState').esAsc,'Yes')]", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Standard" + }, + { + "label": "No, Azure Defender Off", + "value": "Free" + } + ] + } + }, + { + "name": "esAscKeyVault", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable Azure Defender for Key Vault", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected, Azure Defender will be enabled for Key Vault.", + "visible": "[equals(steps('esGoalState').esAsc,'Yes')]", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Standard" + }, + { + "label": "No, Azure Defender Off", + "value": "Free" + } + ] + } + }, + { + "name": "esAscArm", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable Azure Defender for Azure Resource Manager", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected, Azure Defender will be enabled for Resource Manager.", + "visible": "[equals(steps('esGoalState').esAsc,'Yes')]", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Standard" + }, + { + "label": "No, Azure Defender Off", + "value": "Free" + } + ] + } + }, + { + "name": "esAscDns", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable Azure Defender for DNS", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected, Azure Defender will be enabled for DNS.", + "visible": "[equals(steps('esGoalState').esAsc,'Yes')]", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Standard" + }, + { + "label": "No, Azure Defender Off", + "value": "Free" + } + ] + } + }, + { + "name": "esAscKubernetes", + "type": 
"Microsoft.Common.OptionsGroup", + "label": "Enable Azure Defender for Kubernetes", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected, Azure Defender will be enabled for Kubernetes.", + "visible": "[equals(steps('esGoalState').esAsc,'Yes')]", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Standard" + }, + { + "label": "No, Azure Defender Off", + "value": "Free" + } + ] + } + }, + { + "name": "esAscRegistries", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable Azure Defender for Container registries", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected, Azure Defender will be enabled for Container registries.", + "visible": "[equals(steps('esGoalState').esAsc,'Yes')]", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Standard" + }, + { + "label": "No, Azure Defender Off", + "value": "Free" + } + ] + } + }, + { + "name": "esSecuritySolution", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy Azure Sentinel", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected when also adding a subscription for management, ARM will deploy resources and enable them for continous compliance", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": "[equals(steps('esGoalState').esLogAnalytics,'Yes')]" + } + ] + }, + { + "name": "lzDevOps", + "label": "Platform DevOps and automation", + "subLabel": {}, + "bladeTitle": "lz Dev Ops", + "elements": [ + { + "name": "info", + "type": "Microsoft.Common.InfoBox", + "visible": "[or(not(empty(steps('esGoalState').esMgmtSubSection.esMgmtSub)), not(empty(steps('lzSettings').esSingleSubSection.esSingleSub)))]", + "options": { + "text": "Enterprise-Scale provides an integrated CICD pipeline via AzOps that can be used with either GitHub Actions or Azure DevOps pipelines.", + 
"uri": "https://github.com/azure/azops-accelerator/wiki/introduction", + "style": "Info" + } + }, + { + "name": "correction", + "type": "Microsoft.Common.InfoBox", + "visible": "[and(or(empty(steps('esGoalState').esMgmtSubSection.esMgmtSub), empty(steps('lzSettings').esSingleSubSection.esSingleSub)))]", + "options": { + "text": "Enterprise-Scale provides an integrated CICD pipeline via AzOps that can be used with either GitHub Actions or Azure DevOps pipelines, but requires a dedicated subscription for platform management in the previous step. Please add a subscription or continue without setting up the CICD integration.", + "uri": "https://github.com/azure/azops-accelerator/wiki/introduction", + "style": "Warning" + } + }, + { + "name": "cicdOption", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy integrated CICD pipeline?", + "defaultValue": "Yes (recommended)", + "toolTip": "", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ], + "required": true + }, + "visible": "[or(not(empty(steps('esGoalState').esMgmtSubSection.esMgmtSub)), not(empty(steps('lzSettings').esSingleSubSection.esSingleSub)))]" + }, + { + "name": "Instructions", + "type": "Microsoft.Common.TextBlock", + "visible": "[equals(steps('lzDevOps').cicdOption,'Yes')]", + "options": { + "text": "Provide the credentials to initialize the repository with the ARM templates for Enterprise-Scale.", + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/management-group-and-subscription-organization" + } + } + }, + { + "name": "optionsGroup1", + "type": "Microsoft.Common.OptionsGroup", + "label": "Select CICD option", + "defaultValue": "GitHub Actions", + "toolTip": "Enterprise-Scale will provide options for both GitHub Actions and Azure DevOps pipelines. 
For now, only GitHub Actions is available", + "constraints": { + "allowedValues": [ + { + "label": "GitHub Actions", + "value": "actions" + } + ], + "required": true + }, + "visible": "[equals(steps('lzDevOps').cicdOption,'Yes')]" + }, + { + "name": "esGit", + "type": "Microsoft.Common.TextBox", + "label": "GitHub organization or username", + "toolTip": "Provide Git org/username.", + "visible": "[equals(steps('lzDevOps').cicdOption,'Yes')]", + "defaultValue": "", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z-]{1,39}$", + "validationMessage": "The GitHub org/username must be 1-39 characters." + } + }, + { + "name": "esGitRepoName", + "type": "Microsoft.Common.TextBox", + "label": "New GitHub repository name", + "toolTip": "Provide a name for the new repository that will be created", + "defaultValue": "", + "visible": "[equals(steps('lzDevOps').cicdOption,'Yes')]", + "placeholder": "", + "constraints": { + "required": true, + "regex": "^[a-z0-9A-Z-]{1,100}$", + "validationMessage": "The repository name must be 1-100 characters." + } + }, + { + "name": "esPaToken", + "type": "Microsoft.Common.PasswordBox", + "label": { + "password": "GitHub personal access token", + "confirmPassword": "Confirm PA Token" + }, + "toolTip": "Provide the personal access token to access your GitHub account or organization. 
For more information see this link: https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token", + "constraints": { + "required": true, + "validationMessage": "Password must be at least 8 characters long, contain only numbers and letters" + }, + "options": { + "hideConfirmation": true + }, + "visible": "[equals(steps('lzDevOps').cicdOption,'Yes')]" + }, + { + "name": "spnSection", + "type": "Microsoft.Common.Section", + "label": "", + "elements": [ + { + "name": "esServicePrincipal", + "type": "Microsoft.Common.ServicePrincipalSelector", + "visible": "[equals(steps('lzDevOps').cicdOption,'Yes')]", + "label": { + "password": "Password", + "certificateThumbprint": "Certificate thumbprint", + "authenticationType": "Authentication Type", + "sectionHeader": "Service Principal" + }, + "toolTip": { + "password": "Provide the application secret as it will be used to authenticate with Azure AD", + "certificateThumbprint": "Certificate thumbprint", + "authenticationType": "Authentication Type" + }, + "defaultValue": { + "principalId": "", + "name": "" + }, + "constraints": { + "required": true + }, + "options": { + "hideCertificate": true + } + } + ], + "visible": "[equals(steps('lzDevOps').cicdOption,'Yes')]" + } + ] + }, + { + "name": "esConnectivityGoalState", + "label": "Network topology and connectivity", + "subLabel": { + "preValidation": "", + "postValidation": "" + }, + "bladeTitle": "lzGs", + "elements": [ + { + "name": "multiPlatformConnectivitySub", + "type": "Microsoft.Common.InfoBox", + "visible": "[not(equals(steps('lzSettings').subOrgsOption, 'Single'))]", + "options": { + "text": "To enable network topology and connectivity, you must allocate a dedicated connectivity Subscription. Please note, this Subscription will be moved to the connectivity Management Group, and ARM will deploy the first hub virtual network for either a hub and spoke or Virtual WAN network topology. 
Additional networking platform resources such as gateways or Azure Firewall can be deployed. We recommend using a new dedicated Subscription with no existing resources.", + "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/define-an-azure-network-topology", + "style": "Info" + } + }, + { + "name": "singlePlatformConnectivitySub", + "type": "Microsoft.Common.InfoBox", + "visible": "[equals(steps('lzSettings').subOrgsOption, 'Single')]", + "options": { + "text": "To enable network topology and connectivity, you can select the preferred networking topology, and deploy this into the dedicated platform subscription. Additional networking platform resources such as gateways or Azure Firewall can also be deployed.", + "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/define-an-azure-network-topology", + "style": "Info" + } + }, + { + "name": "esHub", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy networking topology", + "defaultValue": "No", + "toolTip": "Select the preferred network topology. 
If third-party NVA is a requirement, you must deploy this into the connectivity subscription post the deployment.", + "constraints": { + "allowedValues": [ + { + "label": "Hub and spoke with Azure Firewall", + "value": "vhub" + }, + { + "label": "Hub and spoke with your own third-party NVA", + "value": "nva" + }, + { + "label": "Virtual WAN (Microsoft managed)", + "value": "vwan" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": true + }, + { + "name": "esNwSubSection", + "type": "Microsoft.Common.Section", + "label": "Connectivity subscription", + "elements": [ + { + "type":"Microsoft.Common.SubscriptionSelector", + "name": "esNwSub", + "label": "Connectivity subscription" + } + ], + "visible": "[and(not(equals(steps('esConnectivityGoalState').esHub, 'No')), not(equals(steps('lzSettings').subOrgsOption, 'Single')))]" + }, + { + "name": "esAddressHub", + "type": "Microsoft.Common.TextBox", + "label": "Address space (required for hub virtual hub)", + "toolTip": "Provide address prefix in CIDR notation (e.g 10.100.0.0/16)", + "defaultValue": "10.100.0.0/16", + "visible": "[not(equals(steps('esConnectivityGoalState').esHub, 'No'))]", + "constraints": { + "required": true, + "validationMessage": "The virtual hubs network's address space, specified as one address prefixes in CIDR notation (e.g. 
192.168.1.0/24)" + } + }, + { + "name": "esLocationsApi", + "type": "Microsoft.Solutions.ArmApiControl", + "request": { + "method": "GET", + "path": "locations?api-version=2019-11-01" + } + }, + { + "name": "esNwLocation", + "type": "Microsoft.Common.DropDown", + "label": "Region for the first virtual network hub", + "filter": true, + "toolTip": "Select the target region for you connectivity deployment (requires you to provide a subscriptionId for connectivity)", + "constraints": { + "allowedValues": "[map(steps('esConnectivityGoalState').esLocationsApi.value,(item) => parse(concat('{\"label\":\"',item.displayName,'\",\"value\":\"',item.name,'\"}')))]", + "required": true + }, + "visible": "[not(equals(steps('esConnectivityGoalState').esHub, 'No'))]" + }, + { + "name": "esDdoS", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable DDoS Protection Standard", + "defaultValue": "Yes (recommended)", + "visible": "[not(equals(steps('esConnectivityGoalState').esHub, 'No'))]", + "toolTip": "If 'Yes' is selected when also adding a connectivity subscription, DDoS Protection Standard will be enabled.", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "esVpnGw", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy VPN Gateway", + "defaultValue": "No", + "visible": "[not(equals(steps('esConnectivityGoalState').esHub, 'No'))]", + "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy VPN gateway", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "esGwRegionalOrAz", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy zone redundant or regional VPN Gateway", + "defaultValue": "Zone redundant (recommended)", + "visible": 
"[and(equals(steps('esConnectivityGoalState').esVpnGw,'Yes'),or(or(or(or(or(or(or(or(equals(steps('esConnectivityGoalState').esNwLocation,'canadacentral'),equals(steps('esConnectivityGoalState').esNwLocation,'centralus')),equals(steps('esConnectivityGoalState').esNwLocation,'eastus'),equals(steps('esConnectivityGoalState').esNwLocation,'eastus2')),equals(steps('esConnectivityGoalState').esNwLocation,'southcentralus'),equals(steps('esConnectivityGoalState').esNwLocation,'westus2')),equals(steps('esConnectivityGoalState').esNwLocation,'francecentral'),equals(steps('esConnectivityGoalState').esNwLocation,'germanywestcentral')),equals(steps('esConnectivityGoalState').esNwLocation,'northeurope'),equals(steps('esConnectivityGoalState').esNwLocation,'westeurope')),equals(steps('esConnectivityGoalState').esNwLocation,'uksouth'),equals(steps('esConnectivityGoalState').esNwLocation,'southafricanorth')),equals(steps('esConnectivityGoalState').esNwLocation,'japaneast'),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia')),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia'),equals(steps('esConnectivityGoalState').esNwLocation,'australiaeast')))]", + "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy Virtual Gateway to the selected region and availability zones.", + "constraints": { + "allowedValues": [ + { + "label": "Zone redundant (recommended)", + "value": "Zone" + }, + { + "label": "Regional", + "value": "Regional" + } + ] + } + }, + { + "name": "esGwNoAzSku", + "type": "Microsoft.Common.DropDown", + "label": "Select the VPN Gateway SKU", + "defaultValue": "", + "multiselect": false, + "selectAll": false, + "filter": false, + "multiLine": true, + "visible": "[and(equals(steps('esConnectivityGoalState').esVpnGw,'Yes'), 
not(or(or(or(or(or(or(or(or(equals(steps('esConnectivityGoalState').esNwLocation,'canadacentral'),equals(steps('esConnectivityGoalState').esNwLocation,'centralus')),equals(steps('esConnectivityGoalState').esNwLocation,'eastus'),equals(steps('esConnectivityGoalState').esNwLocation,'eastus2')),equals(steps('esConnectivityGoalState').esNwLocation,'southcentralus'),equals(steps('esConnectivityGoalState').esNwLocation,'westus2')),equals(steps('esConnectivityGoalState').esNwLocation,'francecentral'),equals(steps('esConnectivityGoalState').esNwLocation,'germanywestcentral')),equals(steps('esConnectivityGoalState').esNwLocation,'northeurope'),equals(steps('esConnectivityGoalState').esNwLocation,'westeurope')),equals(steps('esConnectivityGoalState').esNwLocation,'uksouth'),equals(steps('esConnectivityGoalState').esNwLocation,'southafricanorth')),equals(steps('esConnectivityGoalState').esNwLocation,'japaneast'),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia')),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia'),equals(steps('esConnectivityGoalState').esNwLocation,'australiaeast'))))]", + "toolTip": "Select the required SKU for the VPN gateway.", + "constraints": { + "allowedValues": [ + { + "label": "VpnGw2", + "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 500 IKEv2/OpenVPN connections, aggregate throughput is 1.25 Gbps", + "value": "VpnGw2" + }, + { + "label": "VpnGw3", + "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 1000 IKEv2/OpenVPN connections, aggregate throughput is 2.5 Gbps", + "value": "VpnGw3" + }, + { + "label": "VpnGw4", + "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 5000 IKEv2/OpenVPN connections, aggregate throughput is 5 Gbps", + "value": "VpnGw4" + }, + { + "label": "VpnGw5", + "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 10000 
IKEv2/OpenVPN connections, aggregate throughput is 10 Gbps", + "value": "VpnGw5" + } + ] + } + }, + { + "name": "esGwAzSku", + "type": "Microsoft.Common.DropDown", + "label": "Select the VPN Gateway SKU", + "defaultValue": "", + "multiselect": false, + "selectAll": false, + "filter": false, + "multiLine": true, + "visible": "[and(equals(steps('esConnectivityGoalState').esVpnGw,'Yes'), equals(steps('esConnectivityGoalState').esGwRegionalOrAz, 'Zone') ,or(or(or(or(or(or(or(or(equals(steps('esConnectivityGoalState').esNwLocation,'canadacentral'),equals(steps('esConnectivityGoalState').esNwLocation,'centralus')),equals(steps('esConnectivityGoalState').esNwLocation,'eastus'),equals(steps('esConnectivityGoalState').esNwLocation,'eastus2')),equals(steps('esConnectivityGoalState').esNwLocation,'southcentralus'),equals(steps('esConnectivityGoalState').esNwLocation,'westus2')),equals(steps('esConnectivityGoalState').esNwLocation,'francecentral'),equals(steps('esConnectivityGoalState').esNwLocation,'germanywestcentral')),equals(steps('esConnectivityGoalState').esNwLocation,'northeurope'),equals(steps('esConnectivityGoalState').esNwLocation,'westeurope')),equals(steps('esConnectivityGoalState').esNwLocation,'uksouth'),equals(steps('esConnectivityGoalState').esNwLocation,'southafricanorth')),equals(steps('esConnectivityGoalState').esNwLocation,'japaneast'),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia')),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia'),equals(steps('esConnectivityGoalState').esNwLocation,'australiaeast')))]", + "toolTip": "Select the required SKU for the VPN gateway.", + "constraints": { + "allowedValues": [ + { + "label": "VpnGw2AZ", + "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 500 IKEv2/OpenVPN connections, aggregate throughput is 1.25 Gbps", + "value": "VpnGw2AZ" + }, + { + "label": "VpnGw3AZ", + "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 
P2S SSTP connections, max 1000 IKEv2/OpenVPN connections, aggregate throughput is 2.5 Gbps", + "value": "VpnGw3AZ" + }, + { + "label": "VpnGw4AZ", + "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 5000 IKEv2/OpenVPN connections, aggregate throughput is 5 Gbps", + "value": "VpnGw4AZ" + }, + { + "label": "VpnGw5AZ", + "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 10000 IKEv2/OpenVPN connections, aggregate throughput is 10 Gbps", + "value": "VpnGw5AZ" + } + ] + } + }, + { + "name": "esGwRegionalSku", + "type": "Microsoft.Common.DropDown", + "label": "Select the VPN Gateway SKU", + "defaultValue": "", + "multiselect": false, + "selectAll": false, + "filter": false, + "multiLine": true, + "visible": "[and(equals(steps('esConnectivityGoalState').esVpnGw,'Yes'), equals(steps('esConnectivityGoalState').esGwRegionalOrAz, 'Regional') ,or(or(or(or(or(or(or(or(equals(steps('esConnectivityGoalState').esNwLocation,'canadacentral'),equals(steps('esConnectivityGoalState').esNwLocation,'centralus')),equals(steps('esConnectivityGoalState').esNwLocation,'eastus'),equals(steps('esConnectivityGoalState').esNwLocation,'eastus2')),equals(steps('esConnectivityGoalState').esNwLocation,'southcentralus'),equals(steps('esConnectivityGoalState').esNwLocation,'westus2')),equals(steps('esConnectivityGoalState').esNwLocation,'francecentral'),equals(steps('esConnectivityGoalState').esNwLocation,'germanywestcentral')),equals(steps('esConnectivityGoalState').esNwLocation,'northeurope'),equals(steps('esConnectivityGoalState').esNwLocation,'westeurope')),equals(steps('esConnectivityGoalState').esNwLocation,'uksouth'),equals(steps('esConnectivityGoalState').esNwLocation,'southafricanorth')),equals(steps('esConnectivityGoalState').esNwLocation,'japaneast'),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia')),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia'),equals(steps('esC
onnectivityGoalState').esNwLocation,'australiaeast')))]", + "toolTip": "Select the required SKU for the VPN gateway.", + "constraints": { + "allowedValues": [ + { + "label": "VpnGw2", + "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 500 IKEv2/OpenVPN connections, aggregate throughput is 1.25 Gbps", + "value": "VpnGw2" + }, + { + "label": "VpnGw3", + "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 1000 IKEv2/OpenVPN connections, aggregate throughput is 2.5 Gbps", + "value": "VpnGw3" + }, + { + "label": "VpnGw4", + "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 5000 IKEv2/OpenVPN connections, aggregate throughput is 5 Gbps", + "value": "VpnGw4" + }, + { + "label": "VpnGw5", + "description": "Supports BGP, max 30 S2S/VNet-VNet tunnels, max 128 P2S SSTP connections, max 10000 IKEv2/OpenVPN connections, aggregate throughput is 10 Gbps", + "value": "VpnGw5" + } + ] + } + }, + { + "name": "esAddressVpnOrEr", + "type": "Microsoft.Common.TextBox", + "label": "Subnet for VPN/ExpressRoute Gateways", + "toolTip": "Provide address prefix in CIDR notation (e.g 10.100.1.0/24)", + "defaultValue": "10.100.1.0/24", + "visible": "[or(equals(steps('esConnectivityGoalState').esErGw,'Yes'),equals(steps('esConnectivityGoalState').esVpnGw,'Yes'))]", + "constraints": { + "required": true, + "validationMessage": "The subnet network's address space, specified as one address prefixes in CIDR notation (e.g. 
192.168.1.0/24)" + } + }, + { + "name": "esErGw", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy ExpressRoute Gateway", + "defaultValue": "No", + "visible": "[not(equals(steps('esConnectivityGoalState').esHub, 'No'))]", + "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy Express Route gateway", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "esErRegionalOrAz", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy zone redundant or regional ExpressRoute Gateway", + "defaultValue": "Zone redundant (recommended)", + "visible": "[and(equals(steps('esConnectivityGoalState').esErGw,'Yes'),or(or(or(or(or(or(or(or(equals(steps('esConnectivityGoalState').esNwLocation,'canadacentral'),equals(steps('esConnectivityGoalState').esNwLocation,'centralus')),equals(steps('esConnectivityGoalState').esNwLocation,'eastus'),equals(steps('esConnectivityGoalState').esNwLocation,'eastus2')),equals(steps('esConnectivityGoalState').esNwLocation,'southcentralus'),equals(steps('esConnectivityGoalState').esNwLocation,'westus2')),equals(steps('esConnectivityGoalState').esNwLocation,'francecentral'),equals(steps('esConnectivityGoalState').esNwLocation,'germanywestcentral')),equals(steps('esConnectivityGoalState').esNwLocation,'northeurope'),equals(steps('esConnectivityGoalState').esNwLocation,'westeurope')),equals(steps('esConnectivityGoalState').esNwLocation,'uksouth'),equals(steps('esConnectivityGoalState').esNwLocation,'southafricanorth')),equals(steps('esConnectivityGoalState').esNwLocation,'japaneast'),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia')),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia'),equals(steps('esConnectivityGoalState').esNwLocation,'australiaeast')))]", + "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy 
Express Route Gateway to the selected region and availability zones.", + "constraints": { + "allowedValues": [ + { + "label": "Zone redundant (recommended)", + "value": "Zone" + }, + { + "label": "Regional", + "value": "Regional" + } + ] + } + }, + { + "name": "esErAzSku", + "type": "Microsoft.Common.DropDown", + "label": "Select the ExpressRoute Gateway SKU", + "defaultValue": "", + "multiselect": false, + "selectAll": false, + "filter": false, + "multiLine": true, + "visible": "[and(equals(steps('esConnectivityGoalState').esErGw,'Yes'), equals(steps('esConnectivityGoalState').esErRegionalOrAz, 'Zone'), or(or(or(or(or(or(or(or(equals(steps('esConnectivityGoalState').esNwLocation,'canadacentral'),equals(steps('esConnectivityGoalState').esNwLocation,'centralus')),equals(steps('esConnectivityGoalState').esNwLocation,'eastus'),equals(steps('esConnectivityGoalState').esNwLocation,'eastus2')),equals(steps('esConnectivityGoalState').esNwLocation,'southcentralus'),equals(steps('esConnectivityGoalState').esNwLocation,'westus2')),equals(steps('esConnectivityGoalState').esNwLocation,'francecentral'),equals(steps('esConnectivityGoalState').esNwLocation,'germanywestcentral')),equals(steps('esConnectivityGoalState').esNwLocation,'northeurope'),equals(steps('esConnectivityGoalState').esNwLocation,'westeurope')),equals(steps('esConnectivityGoalState').esNwLocation,'uksouth'),equals(steps('esConnectivityGoalState').esNwLocation,'southafricanorth')),equals(steps('esConnectivityGoalState').esNwLocation,'japaneast'),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia')),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia'),equals(steps('esConnectivityGoalState').esNwLocation,'australiaeast')))]", + "toolTip": "Select the required SKU for the Express Route gateway.", + "constraints": { + "allowedValues": [ + { + "label": "ErGw1AZ", + "description": "Megabits per second 1000, packets per second 100,000, connections per second 7000, max number of cicuit 
connections is 4", + "value": "ErGw1AZ" + }, + { + "label": "ErGw2AZ", + "description": "Megabits per second 2000, packets per second 250,000, connections per second 14000, max number of cicuit connections is 8", + "value": "ErGw2AZ" + }, + { + "label": "ErGw3AZ", + "description": "Megabits per second 10,000, packets per second 1,000,000, connections per second 28,000, max number of cicuit connections is 16", + "value": "ErGw3AZ" + } + ] + } + }, + { + "name": "esErRegionalSku", + "type": "Microsoft.Common.DropDown", + "label": "Select the ExpressRoute Gateway SKU", + "defaultValue": "", + "multiselect": false, + "selectAll": false, + "filter": false, + "multiLine": true, + "visible": "[and(equals(steps('esConnectivityGoalState').esErGw,'Yes'), equals(steps('esConnectivityGoalState').esErRegionalOrAz, 'Regional'), or(or(or(or(or(or(or(or(equals(steps('esConnectivityGoalState').esNwLocation,'canadacentral'),equals(steps('esConnectivityGoalState').esNwLocation,'centralus')),equals(steps('esConnectivityGoalState').esNwLocation,'eastus'),equals(steps('esConnectivityGoalState').esNwLocation,'eastus2')),equals(steps('esConnectivityGoalState').esNwLocation,'southcentralus'),equals(steps('esConnectivityGoalState').esNwLocation,'westus2')),equals(steps('esConnectivityGoalState').esNwLocation,'francecentral'),equals(steps('esConnectivityGoalState').esNwLocation,'germanywestcentral')),equals(steps('esConnectivityGoalState').esNwLocation,'northeurope'),equals(steps('esConnectivityGoalState').esNwLocation,'westeurope')),equals(steps('esConnectivityGoalState').esNwLocation,'uksouth'),equals(steps('esConnectivityGoalState').esNwLocation,'southafricanorth')),equals(steps('esConnectivityGoalState').esNwLocation,'japaneast'),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia')),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia'),equals(steps('esConnectivityGoalState').esNwLocation,'australiaeast')))]", + "toolTip": "Select the required SKU for the 
Express Route gateway.", + "constraints": { + "allowedValues": [ + { + "label": "Standard", + "description": "Megabits per second 1000, packets per second 100,000, connections per second 7000, max number of cicuit connections is 4", + "value": "Standard" + }, + { + "label": "HighPerformance", + "description": "Megabits per second 2000, packets per second 250,000, connections per second 14000, max number of cicuit connections is 8", + "value": "HighPerformance" + }, + { + "label": "UltraPerformance", + "description": "Megabits per second 10,000, packets per second 1,000,000, connections per second 28,000, max number of cicuit connections is 16", + "value": "UltraPerformance" + } + ] + } + }, + { + "name": "esErNoAzSku", + "type": "Microsoft.Common.DropDown", + "label": "Select the ExpressRoute Gateway SKU", + "defaultValue": "", + "multiselect": false, + "selectAll": false, + "filter": false, + "multiLine": true, + "visible": "[and(equals(steps('esConnectivityGoalState').esErGw,'Yes'), not(or(or(or(or(or(or(or(or(equals(steps('esConnectivityGoalState').esNwLocation,'canadacentral'),equals(steps('esConnectivityGoalState').esNwLocation,'centralus')),equals(steps('esConnectivityGoalState').esNwLocation,'eastus'),equals(steps('esConnectivityGoalState').esNwLocation,'eastus2')),equals(steps('esConnectivityGoalState').esNwLocation,'southcentralus'),equals(steps('esConnectivityGoalState').esNwLocation,'westus2')),equals(steps('esConnectivityGoalState').esNwLocation,'francecentral'),equals(steps('esConnectivityGoalState').esNwLocation,'germanywestcentral')),equals(steps('esConnectivityGoalState').esNwLocation,'northeurope'),equals(steps('esConnectivityGoalState').esNwLocation,'westeurope')),equals(steps('esConnectivityGoalState').esNwLocation,'uksouth'),equals(steps('esConnectivityGoalState').esNwLocation,'southafricanorth')),equals(steps('esConnectivityGoalState').esNwLocation,'japaneast'),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia')),equals(steps('
esConnectivityGoalState').esNwLocation,'southeastasia'),equals(steps('esConnectivityGoalState').esNwLocation,'australiaeast'))))]", + "toolTip": "Select the required SKU for the Express Route gateway.", + "constraints": { + "allowedValues": [ + { + "label": "Standard", + "description": "Megabits per second 1000, packets per second 100,000, connections per second 7000, max number of cicuit connections is 4", + "value": "Standard" + }, + { + "label": "HighPerformance", + "description": "Megabits per second 2000, packets per second 250,000, connections per second 14000, max number of cicuit connections is 8", + "value": "HighPerformance" + }, + { + "label": "UltraPerformance", + "description": "Megabits per second 10,000, packets per second 1,000,000, connections per second 28,000, max number of cicuit connections is 16", + "value": "UltraPerformance" + } + ] + } + }, + { + "name": "esAzFw", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy Azure Firewall", + "defaultValue": "Yes (recommended)", + "visible": "[or(equals(steps('esConnectivityGoalState').esHub, 'vhub'), equals(steps('esConnectivityGoalState').esHub, 'vwan'))]", + "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy Azure Firewall", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "esAzFwDns", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable Azure Firewall as a DNS proxy", + "defaultValue": "No", + "visible": "[equals(steps('esConnectivityGoalState').esAzFw,'Yes')]", + "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will enable Azure Firewall as a DNS Proxy.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "esFwAz", + "type": "Microsoft.Common.DropDown", + "label": "Select 
Availability Zones for the Azure Firewall", + "defaultValue": "None", + "multiselect": true, + "selectAll": true, + "filter": true, + "visible": "[if(equals(steps('esConnectivityGoalState').esHub, 'vhub'), and(equals(steps('esConnectivityGoalState').esAzFw,'Yes'),or(or(or(or(or(or(or(or(equals(steps('esConnectivityGoalState').esNwLocation,'canadacentral'),equals(steps('esConnectivityGoalState').esNwLocation,'centralus')),equals(steps('esConnectivityGoalState').esNwLocation,'eastus'),equals(steps('esConnectivityGoalState').esNwLocation,'eastus2')),equals(steps('esConnectivityGoalState').esNwLocation,'southcentralus'),equals(steps('esConnectivityGoalState').esNwLocation,'westus2')),equals(steps('esConnectivityGoalState').esNwLocation,'francecentral'),equals(steps('esConnectivityGoalState').esNwLocation,'germanywestcentral')),equals(steps('esConnectivityGoalState').esNwLocation,'northeurope'),equals(steps('esConnectivityGoalState').esNwLocation,'westeurope')),equals(steps('esConnectivityGoalState').esNwLocation,'uksouth'),equals(steps('esConnectivityGoalState').esNwLocation,'southafricanorth')),equals(steps('esConnectivityGoalState').esNwLocation,'japaneast'),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia')),equals(steps('esConnectivityGoalState').esNwLocation,'southeastasia'),equals(steps('esConnectivityGoalState').esNwLocation,'australiaeast'))), false)]", + "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy Azure Firewall to the selected region and availability zones.", + "constraints": { + "allowedValues": [ + { + "label": "Zone 1", + "value": "1" + }, + { + "label": "Zone 2", + "value": "2" + }, + { + "label": "Zone 3", + "value": "3" + } + ] + } + }, + { + "name": "esAddressFw", + "type": "Microsoft.Common.TextBox", + "label": "Subnet for Azure Firewall", + "toolTip": "Provide address prefix in CIDR notation (e.g 10.100.0.0/24)", + "defaultValue": "10.100.0.0/24", + "visible": 
"[equals(steps('esConnectivityGoalState').esAzFw,'Yes')]", + "constraints": { + "required": true, + "validationMessage": "The subnet network's address space, specified as one address prefixes in CIDR notation (e.g. 192.168.1.0/24)" + } + } + ] + }, + { + "name": "esIdentityGoalState", + "label": "Identity", + "subLabel": { + "preValidation": "", + "postValidation": "" + }, + "bladeTitle": "lzGs", + "elements": [ + { + "name": "multiPlatformIdentitySub", + "type": "Microsoft.Common.InfoBox", + "visible": "[not(equals(steps('lzSettings').subOrgsOption, 'Single'))]", + "options": { + "text": "To enable identity (AuthN/AuthZ) for workloads in landing zones, you must allocate an identity Subscription that is dedicated to host your Active Directory domain controllers. Please note, this Subscription will be moved to the identity Management Group, and ARM will assign the selected policies. We recommend using a new Subscription with no existing resources.", + "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/identity-and-access-management", + "style": "Info" + } + }, + { + "name": "singlePlatformIdentitySub", + "type": "Microsoft.Common.InfoBox", + "visible": "[equals(steps('lzSettings').subOrgsOption, 'Single')]", + "options": { + "text": "To enable identity (AuthN/AuthZ) for workloads in landing zones, it is recommended to assign specific policies to govern the virtual machines used for Active Directory domain controllers.", + "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/identity-and-access-management", + "style": "Info" + } + }, + { + "name": "esIdentity", + "type": "Microsoft.Common.OptionsGroup", + "label": "Assign recommended policies to govern identity and domain controllers", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, Azure Policy will be assigned at the scope to govern your identity resources.", + 
"constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": true + }, + { + "name": "esIdentitySubSection", + "type": "Microsoft.Common.Section", + "label": "Identity subscription", + "elements": [ + { + "type":"Microsoft.Common.SubscriptionSelector", + "name": "esIdentitySub", + "label": "Management subscription" + } + ], + "visible": "[and(equals(steps('esIdentityGoalState').esIdentity,'Yes'), not(equals(steps('lzSettings').subOrgsOption, 'Single')))]" + }, + { + "name": "identitypolicies", + "type": "Microsoft.Common.TextBlock", + "visible": "[equals(steps('esIdentityGoalState').esIdentity,'Yes')]", + "options": { + "text": "Select which of the the recommended policies you will assign to your identity management group.", + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/design-principles#policy-driven-governance" + } + } + }, + { + "name": "esIdDenyRdp", + "type": "Microsoft.Common.OptionsGroup", + "label": "Prevent inbound RDP from internet", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected, Azure Policy will be assigned and prevent inbound RDP from internet", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": "[equals(steps('esIdentityGoalState').esIdentity,'Yes')]" + }, + { + "name": "esIdDenySubnetNsg", + "type": "Microsoft.Common.OptionsGroup", + "label": "Ensure subnets are associated with NSG", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected, Azure Policy will be assigned to ensure NSGs must be associated with subnets being created", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": 
"[equals(steps('esIdentityGoalState').esIdentity,'Yes')]" + }, + { + "name": "esIdDenyPublicIp", + "type": "Microsoft.Common.OptionsGroup", + "label": "Prevent usage of public IP", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected, Azure Policy will be assigned to ensure public IP resources cannot be created", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": "[and(equals(steps('esIdentityGoalState').esIdentity,'Yes'), not(equals(steps('lzSettings').subOrgsOption, 'Single')))]" + }, + { + "name": "esIdAzBackup", + "type": "Microsoft.Common.OptionsGroup", + "label": "Ensure Azure VMs (Windows & Linux) are enabled for Azure Backup", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected, Azure Policy will be assigned and enable Azure Backup on all VMs in the landing zones.", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": "[equals(steps('esIdentityGoalState').esIdentity,'Yes')]" + } + ] + }, + { + "name": "lzGoalState", + "label": "Landing zone configuration", + "subLabel": { + "preValidation": "", + "postValidation": "" + }, + "bladeTitle": "lzGs", + "elements": [ + { + "name": "infoBox1", + "type": "Microsoft.Common.InfoBox", + "visible": true, + "options": { + "text": "You can optionally provide subscriptions for your first landing zones for both 'online' and 'corp' and assign recommended policies that will ensure workloads will be secure, monitored, and protected according to best practices.", + "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/design-principles#policy-driven-governance", + "style": "Info" + } + }, + { + "name": "corpText", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "text": "Select the subscriptions you want to 
move to corp management group.", + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/design-principles#subscription-democratization" + } + } + }, + { + "name": "esLzConnectivity", + "type": "Microsoft.Common.OptionsGroup", + "label": "Connect corp landing zones to the connectivity hub (optional)?", + "defaultValue": "No", + "toolTip": "If 'Yes' is selected for corp landing zones, ARM will connect the subscriptions to the hub virtual network via VNet peering.", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": false //"[not(equals(steps('esConnectivityGoalState').esHub,'No'))]" + }, + { + "name": "lzCorpSubsApi", + "type": "Microsoft.Solutions.ArmApiControl", + "request": { + "method": "GET", + "path": "subscriptions?api-version=2020-01-01" + } + }, + { + "name": "esCorpLzSub", + "type": "Microsoft.Common.DropDown", + "label": "Corp landing zone subscriptions (optional)", + "toolTip": "", + "multiselect": true, + "selectAll": true, + "filter": true, + "filterPlaceholder": "Filter items ...", + "multiLine": true, + "visible": "[or(equals(steps('esConnectivityGoalState').esHub,'No'),equals(steps('lzGoalState').esLzConnectivity,'No'))]", + "constraints": { + "allowedValues": "[map(steps('lzGoalState').lzCorpSubsApi.value,(sub) => parse(concat('{\"label\":\"',sub.displayName,'\",\"description\":\"',sub.subscriptionId,'\",\"value\":\"',toLower(sub.subscriptionId),'\"}')))]", + "required": false + } + }, + { + "name": "lzConnectedSubs", + "type": "Microsoft.Common.EditableGrid", + "ariaLabel": "Add existing subscriptions into the management group landing zone and provide address space for virtual network peering", + "label": "Corp connected landing zone subscriptions (optional)", + "visible": false, //"[equals(steps('lzGoalState').esLzConnectivity,'Yes')]", + "constraints": { + "width": "Full", + 
"rows": { + "count": { + "min": 1, + "max": 10 + } + }, + "columns": [ + { + "id": "subs", + "header": "Subscription", + "width": "1fr", + "element": { + "name": "esLzConnectedSub", + "type": "Microsoft.Common.DropDown", + "label": "Landing zone subscription", + "toolTip": "", + "multiselect": false, + "selectAll": false, + "filter": true, + "filterPlaceholder": "Filter items ...", + "multiLine": false, + "constraints": { + "allowedValues": "[map(steps('lzGoalState').lzSubsApi.value,(sub) => parse(concat('{\"label\":\"',sub.displayName,'\",\"description\":\"',sub.subscriptionId,'\",\"value\":\"',toLower(sub.subscriptionId),'\"}')))]", + "required": false + } + } + }, + { + "id": "addresses", + "header": "Virtual Network Address space", + "width": "1fr", + "element": { + "type": "Microsoft.Common.TextBox", + "placeholder": "Ensure there are no overlapping IP addresses!", + "constraints": { + "required": true, + "validations": [ + { + "message": "Only alphanumeric characters are allowed, and the value must be 1-30 characters long." 
+ } + ] + } + } + } + ] + } + }, + { + "name": "lzSubsApi", + "type": "Microsoft.Solutions.ArmApiControl", + "request": { + "method": "GET", + "path": "subscriptions?api-version=2020-01-01" + } + }, + { + "name": "onlineText", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "text": "Select the subscriptions you want to move to online management group.", + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/design-principles#subscription-democratization" + } + } + }, + { + "name": "lzOnlineSubsApi", + "type": "Microsoft.Solutions.ArmApiControl", + "request": { + "method": "GET", + "path": "subscriptions?api-version=2020-01-01" + } + }, + { + "name": "esOnlineLzSub", + "type": "Microsoft.Common.DropDown", + "label": "Online landing zone subscriptions (optional)", + "toolTip": "", + "multiselect": true, + "selectAll": true, + "filter": true, + "filterPlaceholder": "Filter items ...", + "multiLine": true, + "visible": true, + "constraints": { + "allowedValues": "[map(steps('lzGoalState').lzOnlineSubsApi.value,(sub) => parse(concat('{\"label\":\"',sub.displayName,'\",\"description\":\"',sub.subscriptionId,'\",\"value\":\"',toLower(sub.subscriptionId),'\"}')))]", + "required": false + } + }, + { + "name": "azMonText", + "type": "Microsoft.Common.TextBlock", + "visible": true, + "options": { + "text": "Select which of the the recommended policies you will assign to your landing zones.", + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/design-principles#policy-driven-governance" + } + } + }, + { + "name": "esLzDdoS", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable DDoS Protection Standard", + "defaultValue": "Yes (recommended)", + "visible": "[and(not(equals(steps('esConnectivityGoalState').esHub,'No')),equals(steps('esConnectivityGoalState').esDdoS,'Yes'))]", + "toolTip": 
"If 'Yes' is selected when also adding a connectivity subscription earlier, DDoS Protection Standard will be enabled.", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "esLzPrivateLink", + "type": "Microsoft.Common.OptionsGroup", + "label": "Prevent usage of Public Endpoints for PaaS services in the corp connected landing zones", + "defaultValue": "Yes (recommended)", + "visible": true, + "toolTip": "If 'Yes' is selected then Azure Policy will prevent PaaS resources to use public endpoints.", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "esEncryptionInTransit", + "type": "Microsoft.Common.OptionsGroup", + "label": "Ensure encryption in transit is enabled for PaaS services", + "defaultValue": "Yes (recommended)", + "visible": true, + "toolTip": "If 'Yes' is selected then Azure Policy will ensure PaaS resources uses TLS and SSL.", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "esVmMonitoring", + "type": "Microsoft.Common.OptionsGroup", + "label": "Ensure Azure VMs (Windows & Linux) are being monitored", + "defaultValue": "Yes (recommended)", + "toolTip": "Enabling this Azure Policy will ensure that every virtual machine (Windows, Linux, including Azure Arc enabled servers) are onboarded to Azure Monitor and Security", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": "[equals(steps('esGoalState').esLogAnalytics,'Yes')]" + }, + { + "name": "esVmssMonitoring", + "type": "Microsoft.Common.OptionsGroup", + "label": "Ensure Azure VMSS (Windows & Linux) are being monitored", + "defaultValue": "Yes 
(recommended)", + "toolTip": "Enabling this Azure Policy will ensure that every virtual machine scale set (Windows & Linux) are onboarded to Azure Monitor and Security", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": "[equals(steps('esGoalState').esLogAnalytics,'Yes')]" + }, + { + "name": "esAksPolicy", + "type": "Microsoft.Common.OptionsGroup", + "label": "Enable Kubernetes (AKS) for Azure Policy", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected when also adding a subscription for management, ARM will deploy resources and enable them for continous compliance", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": true + }, + { + "name": "esAksPriv", + "type": "Microsoft.Common.OptionsGroup", + "label": "Prevent privileged containers in Kubernetes clusters", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected, policy will be assigned to prevent privileged containers in AKS", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": true + }, + { + "name": "esAksNoPriv", + "type": "Microsoft.Common.OptionsGroup", + "label": "Prevent privileged escalation in Kubernetes clusters", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected, policy will be assigned to prevent privileged escalations in AKS", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": true + }, + { + "name": "esAksIngress", + "type": "Microsoft.Common.OptionsGroup", + "label": "Ensure HTTPS ingress is enforced in Kubernetes clusters", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected, 
HTTPS ingress will be required in AKS", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": true + }, + { + "name": "esAzBackup", + "type": "Microsoft.Common.OptionsGroup", + "label": "Ensure Azure VMs (Windows & Linux) are enabled for Azure Backup", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected, Azure Policy will be assigned and enable Azure Backup on all VMs in the landing zones.", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": true + }, + { + "name": "esDenyRdp", + "type": "Microsoft.Common.OptionsGroup", + "label": "Prevent inbound RDP from internet", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected, Azure Policy will be assigned and prevent inbound RDP from internet", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": true + }, + { + "name": "esNsg", + "type": "Microsoft.Common.OptionsGroup", + "label": "Ensure subnets are associated with NSG", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected, Azure Policy will be assigned to ensure NSGs must be associated with subnets being created", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": true + }, + { + "name": "esIpForwarding", + "type": "Microsoft.Common.OptionsGroup", + "label": "Prevent IP forwarding", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected, Azure Policy will be assigned and prevent IP forwarding", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": true + 
}, + { + "name": "esSqlEncryption", + "type": "Microsoft.Common.OptionsGroup", + "label": "Ensure Azure SQL is enabled with transparent data encryption", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected when also adding a subscription for management, ARM will deploy resources and enable them for continous compliance", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": true + }, + { + "name": "esSqlAudit", + "type": "Microsoft.Common.OptionsGroup", + "label": "Ensure auditing is enabled on Azure SQL", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected, Azure Policy will be assigned to ensure auditing is enabled on Azure SQLs", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": true + }, + { + "name": "esHttpsStorage", + "type": "Microsoft.Common.OptionsGroup", + "label": "Ensure secure connections (HTTPS) to storage accounts", + "defaultValue": "Yes (recommended)", + "toolTip": "If 'Yes' is selected, Azure Policy will be assigned to ensure storage can only be accessed using HTTPS", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": true + } + ] + } + ] + }, + "outputs": { + "parameters": { + "subnetMaskForGw": "[steps('esConnectivityGoalState').esAddressVpnOrEr]", + "subnetMaskForAzFw": "[steps('esConnectivityGoalState').esAddressFw]", + "enableErGw": "[steps('esConnectivityGoalState').esErGw]", + "enableVpnGw": "[steps('esConnectivityGoalState').esVpnGw]", + "enableHub": "[steps('esConnectivityGoalState').esHub]", + "enableDdoS": "[steps('esConnectivityGoalState').esDdoS]", + "connectivitySubscriptionId": 
"[if(not(equals(steps('esConnectivityGoalState').esNwSubSection.esNwSub.subscriptionId,steps('esGoalState').esMgmtSubSection.esMgmtSub.subscriptionId)),steps('esConnectivityGoalState').esNwSubSection.esNwSub.subscriptionId,'')]", + "enableAzFw": "[steps('esConnectivityGoalState').esAzFw]", + "enableAzFwDnsProxy": "[steps('esConnectivityGoalState').esAzFwDns]", + "addressPrefix": "[steps('esConnectivityGoalState').esAddressHub]", + "location": "[steps('esConnectivityGoalState').esNwLocation]", + "managementSubscriptionId": "[steps('esGoalState').esMgmtSubSection.esMgmtSub.subscriptionId]", + "identitySubscriptionId": "[if(or(not(equals(steps('esIdentityGoalState').esIdentitySubSection.esIdentitySub.subscriptionId,steps('esGoalState').esMgmtSubSection.esMgmtSub.subscriptionId)),not(equals(steps('esIdentityGoalState').esIdentitySubSection.esIdentitySub.subscriptionId,steps('esConnectivityGoalState').esNwSubSection.esNwSub.subscriptionId))),steps('esIdentityGoalState').esIdentitySubSection.esIdentitySub.subscriptionId,'')]", + "onlineLzSubscriptionId": "[if(or(not(contains(steps('lzGoalState').esOnlineLzSub,steps('esGoalState').esMgmtSubSection.esMgmtSub.subscriptionId)),not(contains(steps('lzGoalState').esOnlineLzSub,steps('esConnectivityGoalState').esNwSubSection.esNwSub.subscriptionId))),steps('lzGoalState').esOnlineLzSub,'')]", + "corpLzSubscriptionId": "[if(or(not(contains(steps('lzGoalState').esCorpLzSub,steps('esGoalState').esMgmtSubSection.esMgmtSub.subscriptionId)),not(contains(steps('lzGoalState').esCorpLzSub,steps('esConnectivityGoalState').esNwSubSection.esNwSub.subscriptionId))),steps('lzGoalState').esCorpLzSub,'')]", + "enableLogAnalytics": "[steps('esGoalState').esLogAnalytics]", + "denyRdpForIdentity": "[steps('esIdentityGoalState').esIdDenyRdp]", + "denySubnetWithoutNsgForIdentity": "[steps('esIdentityGoalState').esIdDenySubnetNsg]", + "denyPipForIdentity": "[steps('esIdentityGoalState').esIdDenyPublicIp]", + "enableVmBackupForIdentity": 
"[steps('esIdentityGoalState').esIdAzBackup]", + "enableAsc": "[steps('esGoalState').esAsc]", + "emailContactAsc": "[steps('esGoalState').esAscEmail]", + "enableAscForServers": "[steps('esGoalState').esAscVms]", + "enableAscForAppServices": "[steps('esGoalState').esAscApps]", + "enableAscForStorage": "[steps('esGoalState').esAscStorage]", + "enableAscForSql": "[steps('esGoalState').esAscSql]", + "enableAscForSqlOnVm": "[steps('esGoalState').esAscSqlOnVm]", + "enableAscForKeyVault": "[steps('esGoalState').esAscKeyVault]", + "enableAscForArm": "[steps('esGoalState').esAscArm]", + "enableAscForDns": "[steps('esGoalState').esAscDns]", + "enableAscForKubernetes": "[steps('esGoalState').esAscKubernetes]", + "enableAscForRegistries": "[steps('esGoalState').esAscRegistries]", + "enableSecuritySolution": "[steps('esGoalState').esSecuritySolution]", + "enableAgentHealth": "[steps('esGoalState').esAgentSolution]", + "enableChangeTracking": "[steps('esGoalState').esChangeTracking]", + "enableUpdateMgmt": "[steps('esGoalState').esUpdateMgmt]", + "enableActivityLog": "[steps('esGoalState').esActivityLog]", + "enableVmInsights": "[steps('esGoalState').esVmInsights]", + "enableServiceMap": "[steps('esGoalState').esServiceMap]", + "enableSqlAssessment": "[steps('esGoalState').esSqlAssessment]", + "enterpriseScaleCompanyPrefix": "[steps('lzSettings').esMgmtGroup]", + "enableSqlAudit": "[steps('lzGoalState').esSqlAudit]", + "enableSqlEncryption": "[steps('lzGoalState').esSqlEncryption]", + "enableVmBackup": "[steps('lzGoalState').esAzBackup]", + "enableLzDdoS": "[steps('lzGoalState').esLzDdoS]", + "denyPublicEndpoints": "[steps('lzGoalState').esLzPrivateLink]", + "enableEncryptionInTransit": "[steps('lzGoalState').esEncryptionInTransit]", + "enableAksPolicy": "[steps('lzGoalState').esAksPolicy]", + "denyAksPrivileged": "[steps('lzGoalState').esAksPriv]", + "denyAksPrivilegedEscalation": "[steps('lzGoalState').esAksNoPriv]", + "denyHttpIngressForAks": 
"[steps('lzGoalState').esAksIngress]", + "denyRdp": "[steps('lzGoalState').esDenyRdp]", + "enableStorageHttps": "[steps('lzGoalState').esHttpsStorage]", + "denyIpForwarding": "[steps('lzGoalState').esIpForwarding]", + "denySubnetWithoutNsg": "[steps('lzGoalState').esNsg]", + "retentionInDays": "[string(steps('esGoalState').esLogRetention)]", + "enableVmMonitoring": "[steps('lzGoalState').esVmMonitoring]", + "enableVmssMonitoring": "[steps('lzGoalState').esVmssMonitoring]", + "vpnOrErZones": "[steps('esConnectivityGoalState').esGwRegionalOrAz]", + "firewallZones": "[steps('esConnectivityGoalState').esFwAz]", + "corpConnectedLzSubscriptionId": "[if(or(not(contains(steps('lzGoalState').esCorpLzSub,steps('esGoalState').esMgmtSubSection.esMgmtSub.subscriptionId)),not(contains(steps('lzGoalState').esCorpLzSub,steps('esConnectivityGoalState').esNwSubSection.esNwSub.subscriptionId))),steps('lzGoalState').lzConnectedSubs,'')]", + "paToken": "[steps('lzDevOps').esPaToken]", + "principalId": "[steps('lzDevOps').spnSection.esServicePrincipal.objectId]", + "principalSecret": "[steps('lzDevOps').spnSection.esServicePrincipal.password]", + "gitHubUserNameOrOrg": "[steps('lzDevOps').esGit]", + "appId": "[steps('lzDevOps').spnSection.esServicePrincipal.appId]", + "enableAzOps": "[steps('lzDevOps').cicdOption]", + "subscriptionId": "[steps('esGoalState').esMgmtSubSection.esMgmtSub.subscriptionId]", + "repositoryName": "[steps('lzDevOps').esGitRepoName]", + "gwRegionalOrAz": "[steps('esConnectivityGoalState').esGwRegionalOrAz]", + "gwAzSku": "[steps('esConnectivityGoalState').esGwAzSku]", + "gwRegionalSku": "[if(empty(steps('esConnectivityGoalState').esGwRegionalSku), steps('esConnectivityGoalState').esGwNoAzSku, steps('esConnectivityGoalState').esGwRegionalSku)]", + "erRegionalOrAz": "[steps('esConnectivityGoalState').esErRegionalOrAz]", + "erAzSku": "[steps('esConnectivityGoalState').esErAzSku]", + "erRegionalSku": "[if(empty(steps('esConnectivityGoalState').esErRegionalSku), 
steps('esConnectivityGoalState').esErNoAzSku, steps('esConnectivityGoalState').esErRegionalSku)]", + "singlePlatformSubscriptionId": "[steps('lzSettings').esSingleSubSection.esSingleSub.subscriptionId]" + }, + "kind": "Tenant", + "location": "[steps('basics').resourceScope.location.name]" + } + } +} \ No newline at end of file diff --git a/eslzArm/resourceGroupTemplates/azOpsArm.json b/eslzArm/resourceGroupTemplates/azOpsArm.json new file mode 100644 index 0000000000..d57ae31e97 --- /dev/null +++ b/eslzArm/resourceGroupTemplates/azOpsArm.json 
@@ -0,0 +1,150 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "paToken": {
+ "type": "securestring",
+ "metadata": {
+ "description": "Provide the PA Token to authorize Git and create new repository for the organization/user."
+ }
+ },
+ "principalSecret": {
+ "type": "securestring",
+ "metadata": {
+ "description": "Provide the principalId which is needed to create GitHub secret"
+ }
+ },
+ "gitHubUserNameOrOrg": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide username or org name for GitHub."
+ }
+ },
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the prefix for your ESLZ setup."
+ }
+ },
+ "appId": {
+ "type": "string"
+ },
+ "repositoryName": {
+ "type": "string"
+ }
+ },
+ "variables": {
+ "keyVaultName": "[take(concat(resourceGroup().name, uniqueString(subscription().subscriptionId)), 24)]",
+ "keyVaultRbacName": "[concat(variables('keyVaultName'), '/Microsoft.Authorization/', guid(variables('keyVaultName')))]",
+ "patSecretName": "PATSecret",
+ "spnSecretName": "SPNSecret",
+ "userManagedIdentityName": "[concat(resourceGroup().name, '-umi')]",
+ "keyVaultAdminRbac": "/providers/Microsoft.Authorization/roleDefinitions/00482a5a-887f-4fb3-b363-3b7fe8e74483"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
+ "apiVersion": "2018-11-30",
+ "name": "[variables('userManagedIdentityName')]",
+ "location": "[resourceGroup().location]"
+ },
+ {
+ "type": "Microsoft.KeyVault/vaults",
+ "apiVersion": "2019-09-01",
+ "name": "[variables('keyVaultName')]",
+ "location": "[resourceGroup().location]",
+ "dependsOn": [
+ "[variables('userManagedIdentityName')]"
+ ],
+ "properties": {
+ "enabledForTemplateDeployment": true,
+ "enableRbacAuthorization": true,
+ "enablePurgeProtection": true,
+ "enableSoftDelete": true,
+ "tenantId": "[subscription().tenantId]",
+ "sku": {
+ "family": "A",
+ "name": "standard"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.KeyVault/vaults/secrets",
+ "apiVersion": "2019-09-01",
+ "name": "[concat(variables('keyVaultName'), '/', variables('patSecretName'))]",
+ "location": "[resourceGroup().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.KeyVault/vaults', variables('keyVaultName'))]"
+ ],
+ "properties": {
+ "value": "[parameters('paToken')]"
+ }
+ },
+ {
+ "type": "Microsoft.KeyVault/vaults/secrets",
+ "apiVersion": "2019-09-01",
+ "name": "[concat(variables('keyVaultName'), '/', variables('spnSecretName'))]",
+ "location": "[resourceGroup().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.KeyVault/vaults', variables('keyVaultName'))]"
+ ],
+ "properties": {
+ "value": "[parameters('principalSecret')]"
+ }
+ },
+ {
+ "type": "Microsoft.KeyVault/vaults/providers/roleAssignments",
+ "apiVersion": "2020-04-01-preview",
+ "name": "[variables('keyVaultRbacName')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.KeyVault/vaults', variables('keyVaultName'))]",
+ "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('userManagedIdentityName'))]"
+ ],
+ "properties": {
+ "principalType": "ServicePrincipal",
+ "principalId": "[reference(variables('userManagedIdentityName'), '2018-11-30').principalId]",
+ "roleDefinitionId": "[variables('keyVaultAdminRbac')]"
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deploymentScripts",
+ "apiVersion": "2020-10-01",
+ "name": "[concat(resourceGroup().name, '-GitHub')]",
+ "location": "[resourceGroup().location]",
+ "kind": "AzurePowerShell",
+ "identity": {
+ "type": "userAssigned",
+ "userAssignedIdentities": {
+ "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('userManagedIdentityName'))]": {}
+ }
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.KeyVault/vaults/providers/roleAssignments', variables('keyVaultName'), 'Microsoft.Authorization', guid(variables('keyVaultName')))]",
+ "[resourceId('Microsoft.KeyVault/vaults/secrets', variables('keyVaultName'), variables('patSecretName'))]",
+ "[resourceId('Microsoft.KeyVault/vaults/secrets', variables('keyVaultName'), variables('spnSecretName'))]"
+ ],
+ "properties": {
+ "primaryScriptUri": "[base64ToString('aHR0cHM6Ly9yYXcuZ2l0aHVidXNlcmNvbnRlbnQuY29tL2tybmVzZS9ucy9tYXN0ZXIvdW1pQXpPcHNTZXR1cC5wczE=')]",
+ "arguments": "[concat('-KeyVault', ' ', variables('keyVaultName'), ' ',
+ '-NewRepositoryName', ' ', parameters('repositoryName'), ' ',
+ '-GitHubUserNameOrOrg', ' ', parameters('gitHubUserNameOrOrg'), ' ',
+ '-SPNSecretName', ' ', variables('spnSecretName'), ' ',
+ '-SpnAppId', ' ', parameters('appId'), ' ',
+ '-PATSecretName', ' ', variables('patSecretName'), ' ',
+ '-AzureTenantId', ' ', subscription().tenantId, ' ',
+ '-EnterpriseScalePrefix', ' ', parameters('topLevelManagementGroupPrefix'), ' ',
+ '-AzureSubscriptionId', ' ', subscription().subscriptionId)]",
+ "azPowerShellVersion": "5.5",
+ "timeout": "PT30M",
+ "cleanupPreference": "Always",
+ "retentionInterval": "P1D"
+ }
+ }
+ ],
+ "outputs": {
+ "umi": {
+ "type": "string",
+ "value": "[reference(variables('userManagedIdentityName'), '2018-11-30').principalId]"
+ }
+ }
+}
\ No newline at end of file
diff --git a/eslzArm/resourceGroupTemplates/azureFirewall.json b/eslzArm/resourceGroupTemplates/azureFirewall.json
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/eslzArm/resourceGroupTemplates/ddosProtection.json b/eslzArm/resourceGroupTemplates/ddosProtection.json
new file mode 100644
index 0000000000..e23adb82f0
--- /dev/null
+++ b/eslzArm/resourceGroupTemplates/ddosProtection.json
@@ -0,0 +1,28 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "ddosName": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide a name for the DDoS protection plan"
+ }
+ },
+ "location": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide a location for the DDoS protection plan"
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Network/ddosProtectionPlans",
+ "apiVersion": "2019-02-01",
+ "name": "[parameters('ddosName')]",
+ "location": "[parameters('location')]",
+ "properties": {}
+ }
+ ],
+ "outputs": {}
+}
\ No newline at end of file
diff --git a/eslzArm/resourceGroupTemplates/expressRouteCircuit.json b/eslzArm/resourceGroupTemplates/expressRouteCircuit.json
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/eslzArm/resourceGroupTemplates/privateDnsZones.json b/eslzArm/resourceGroupTemplates/privateDnsZones.json
new file mode 100644
index 0000000000..4f9b10acc7
--- /dev/null
+++ b/eslzArm/resourceGroupTemplates/privateDnsZones.json
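Review bot: The template exposes no outputs, so the plan's resource id has to be reconstructed by the caller even though hubspoke-connectivity.json in this same commit takes a `ddosPlanResourceId` parameter. An output such as `"ddosPlanResourceId": { "type": "string", "value": "[resourceId('Microsoft.Network/ddosProtectionPlans', parameters('ddosName'))]" }` in the currently empty `outputs` object would let the orchestrating deployment wire the two together without string-building the id elsewhere.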
@@ -0,0 +1,45 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "privateDnsZoneName": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide the dns zone name."
+ }
+ },
+ "connectivityHubResourceId": {
+ "type": "string"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Network/privateDnsZones",
+ "apiVersion": "2020-06-01",
+ "name": "[parameters('privateDnsZoneName')]",
+ "location": "global",
+ "properties": {
+ "maxNumberOfRecordSets": 25000,
+ "maxNumberOfVirtualNetworkLinks": 1000,
+ "maxNumberOfVirtualNetworkLinksWithRegistration": 100
+ },
+ "resources": [
+ {
+ "type": "virtualNetworkLinks",
+ "apiVersion": "2020-06-01",
+ "name": "[concat('linkingOf', parameters('privateDnsZoneName'))]",
+ "location": "global",
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/privateDnsZones', parameters('privateDnsZoneName'))]"
+ ],
+ "properties": {
+ "registrationEnabled": false,
+ "virtualNetwork": {
+ "id": "[parameters('connectivityHubResourceId')]"
+ }
+ }
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/eslzArm/subscriptionTemplates/ascConfiguration.json b/eslzArm/subscriptionTemplates/ascConfiguration.json
new file mode 100644
index 0000000000..2b5e9183ea
--- /dev/null
+++ b/eslzArm/subscriptionTemplates/ascConfiguration.json
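Review bot: `maxNumberOfRecordSets`, `maxNumberOfVirtualNetworkLinks` and `maxNumberOfVirtualNetworkLinksWithRegistration` in the zone's `properties` are, as far as I know, read-only values reported by the service rather than settable limits, so writing them here is at best ignored and may be rejected by a stricter API version; `"properties": {}` is sufficient for the zone. `connectivityHubResourceId` is also the only parameter in these resource-group templates without a `metadata.description`; something like `"description": "Resource id of the connectivity hub virtual network to link to this zone."` would make the expected value clear, since the id is used verbatim in the `virtualNetworkLinks` child and the link is created with `registrationEnabled: false`.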
@@ -0,0 +1,506 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "emailSecurityContact": { + "type": "string", + "metadata": { + "displayName": "Security contacts email address", + "description": "Provide email address for Azure Security Center contact details" + } + }, + "pricingTierVMs": { + "type": "string", + "metadata": { + "displayName": "Azure Defender pricing tier for Virtual Machines", + "description": "Azure Defender pricing tier for Virtual Machines" + }, + "allowedValues": [ + "Standard", + "Free" + ], + "defaultValue": "Standard" + }, + "pricingTierSqlServers": { + "type": "string", + "metadata": { + "displayName": "Azure Defender pricing tier for SQL Servers", + "description": "Azure Defender pricing tier for SQL Servers" + }, + "allowedValues": [ + "Standard", + "Free" + ], + "defaultValue": "Standard" + }, + "pricingTierAppServices": { + "type": "string", + "metadata": { + "displayName": "Azure Defender pricing tier for App Services", + "description": "Azure Defender pricing tier for App Services" + }, + "allowedValues": [ + "Standard", + "Free" + ], + "defaultValue": "Standard" + }, + "pricingTierStorageAccounts": { + "type": "string", + "metadata": { + "displayName": "Azure Defender pricing tier for Storage Accounts", + "description": "Azure Defender pricing tier for Storage Accounts" + }, + "allowedValues": [ + "Standard", + "Free" + ], + "defaultValue": "Standard" + }, + "pricingTierSqlServerVirtualMachines": { + "type": "string", + "metadata": { + "displayName": "Azure Defender pricing tier for SQL Server Virtual Machines", + "description": "Azure Defender pricing tier for SQL Server Virtual Machines" + }, + "allowedValues": [ + "Standard", + "Free" + ], + "defaultValue": "Standard" + }, + "pricingTierKubernetesService": { + "type": "string", + "metadata": { + "displayName": "Azure Defender pricing tier for AKS", + "description": "Azure 
Defender pricing tier for AKS" + }, + "allowedValues": [ + "Standard", + "Free" + ], + "defaultValue": "Standard" + }, + "pricingTierContainerRegistry": { + "type": "string", + "metadata": { + "displayName": "Azure Defender pricing tier for ACR", + "description": "Azure Defender pricing tier for ACR" + }, + "allowedValues": [ + "Standard", + "Free" + ], + "defaultValue": "Standard" + }, + "pricingTierKeyVaults": { + "type": "string", + "metadata": { + "displayName": "Azure Defender pricing tier for AKV", + "description": "Azure Defender pricing tier for AKV" + }, + "allowedValues": [ + "Standard", + "Free" + ], + "defaultValue": "Standard" + }, + "pricingTierDns": { + "type": "string", + "metadata": { + "displayName": "Azure Defender pricing tier for DNS", + "description": "Azure Defender pricing tier for DNS" + }, + "allowedValues": [ + "Standard", + "Free" + ], + "defaultValue": "Standard" + }, + "pricingTierArm": { + "type": "string", + "metadata": { + "displayName": "Azure Defender pricing tier for Azure Resource Manager", + "description": "Azure Defender pricing tier for Azure Resource Manager" + }, + "allowedValues": [ + "Standard", + "Free" + ], + "defaultValue": "Standard" + }, + "topLevelManagementGroupPrefix": { + "type": "string", + "maxLength": 10, + "metadata": { + "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of Enterprise-scale." 
+ } + }, + "workspaceResourceId": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "The Log Analytics workspace of where the data should be exported to.", + "strongType": "Microsoft.OperationalInsights/workspaces", + "assignPermissions": true + } + }, + "guidValue": { + "type": "string", + "defaultValue": "[newGuid()]" + } + }, + "variables": { + "resourceGroupName": "[concat(parameters('topLevelManagementGroupPrefix'), '-asc-export')]", + "resourceGroupLocation": "[deployment().location]", + "exportedDataTypes": "[createArray('Security recommendations', 'Security alerts', 'Overall secure score', 'Secure score controls', 'Regulatory compliance', 'Overall secure score - snapshot', 'Secure score controls - snapshot', 'Regulatory compliance - snapshot')]", + "isSecurityFindingsEnabled": true, + "recommendationNames": "[createArray()]", + "recommendationSeverities": "[createArray('High', 'Medium', 'Low')]", + "alertSeverities": "[createArray('High', 'Medium', 'Low')]", + "secureScoreControlsNames": "[createArray()]", + "regulatoryComplianceStandardsNames": "[createArray()]", + "scopeDescription": "scope for subscription {0}", + "subAssessmentRuleExpectedValue": "/assessments/{0}/", + "recommendationNamesLength": "[length(variables('recommendationNames'))]", + "secureScoreControlsNamesLength": "[length(variables('secureScoreControlsNames'))]", + "secureScoreControlsLengthIfEmpty": "[if(equals(variables('secureScoreControlsNamesLength'), 0), 1, variables('secureScoreControlsNamesLength'))]", + "regulatoryComplianceStandardsNamesLength": "[length(variables('regulatoryComplianceStandardsNames'))]", + "regulatoryComplianceStandardsNamesLengthIfEmpty": "[if(equals(variables('regulatoryComplianceStandardsNamesLength'), 0), 1, variables('regulatoryComplianceStandardsNamesLength'))]", + "recommendationSeveritiesLength": "[length(variables('recommendationSeverities'))]", + "alertSeveritiesLength": 
"[length(variables('alertSeverities'))]", + "recommendationNamesLengthIfEmpty": "[if(equals(variables('recommendationNamesLength'), 0), 1, variables('recommendationNamesLength'))]", + "recommendationSeveritiesLengthIfEmpty": "[if(equals(variables('recommendationSeveritiesLength'), 0), 1, variables('recommendationSeveritiesLength'))]", + "alertSeveritiesLengthIfEmpty": "[if(equals(variables('alertSeveritiesLength'), 0), 1, variables('alertSeveritiesLength'))]", + "totalRuleCombinationsForOneRecommendationName": "[variables('recommendationSeveritiesLengthIfEmpty')]", + "totalRuleCombinationsForOneRecommendationSeverity": 1, + "exportedDataTypesLength": "[length(variables('exportedDataTypes'))]", + "exportedDataTypesLengthIfEmpty": "[if(equals(variables('exportedDataTypesLength'), 0), 1, variables('exportedDataTypesLength'))]", + "dataTypeMap": { + "Security recommendations": "Assessments", + "Security alerts": "Alerts", + "Overall secure score": "SecureScores", + "Secure score controls": "SecureScoreControls", + "Regulatory compliance": "RegulatoryComplianceAssessment", + "Overall secure score - snapshot": "SecureScoresSnapshot", + "Secure score controls - snapshot": "SecureScoreControlsSnapshot", + "Regulatory compliance - snapshot": "RegulatoryComplianceAssessmentSnapshot" + }, + "alertSeverityMap": { + "High": "high", + "Medium": "medium", + "Low": "low" + }, + "ruleSetsForAssessmentsObj": { + "copy": [ + { + "name": "ruleSetsForAssessmentsArr", + "count": "[mul(variables('recommendationNamesLengthIfEmpty'),variables('recommendationSeveritiesLengthIfEmpty'))]", + "input": { + "rules": [ + { + "propertyJPath": "[if(equals(variables('recommendationNamesLength'),0),'type','name')]", + "propertyType": "string", + "expectedValue": 
"[if(equals(variables('recommendationNamesLength'),0),'Microsoft.Security/assessments',variables('recommendationNames')[mod(div(copyIndex('ruleSetsForAssessmentsArr'),variables('totalRuleCombinationsForOneRecommendationName')),variables('recommendationNamesLength'))])]", + "operator": "Contains" + }, + { + "propertyJPath": "properties.metadata.severity", + "propertyType": "string", + "expectedValue": "[variables('recommendationSeverities')[mod(div(copyIndex('ruleSetsForAssessmentsArr'),variables('totalRuleCombinationsForOneRecommendationSeverity')),variables('recommendationSeveritiesLength'))]]", + "operator": "Equals" + } + ] + } + } + ] + }, + "customRuleSetsForSubAssessmentsObj": { + "copy": [ + { + "name": "ruleSetsForSubAssessmentsArr", + "count": "[variables('recommendationNamesLengthIfEmpty')]", + "input": { + "rules": [ + { + "propertyJPath": "id", + "propertyType": "string", + "expectedValue": "[if(equals(variables('recommendationNamesLength'), 0), json('null'), replace(variables('subAssessmentRuleExpectedValue'),'{0}', variables('recommendationNames')[copyIndex('ruleSetsForSubAssessmentsArr')]))]", + "operator": "Contains" + } + ] + } + } + ] + }, + "ruleSetsForAlertsObj": { + "copy": [ + { + "name": "ruleSetsForAlertsArr", + "count": "[variables('alertSeveritiesLengthIfEmpty')]", + "input": { + "rules": [ + { + "propertyJPath": "Severity", + "propertyType": "string", + "expectedValue": "[variables('alertSeverityMap')[variables('alertSeverities')[mod(copyIndex('ruleSetsForAlertsArr'),variables('alertSeveritiesLengthIfEmpty'))]]]", + "operator": "Equals" + } + ] + } + } + ] + }, + "customRuleSetsForSecureScoreControlsObj": { + "copy": [ + { + "name": "ruleSetsForSecureScoreControlsArr", + "count": "[variables('secureScoreControlsLengthIfEmpty')]", + "input": { + "rules": [ + { + "propertyJPath": "name", + "propertyType": "string", + "expectedValue": "[if(equals(variables('secureScoreControlsNamesLength'), 0), json('null'), 
variables('secureScoreControlsNames')[copyIndex('ruleSetsForSecureScoreControlsArr')])]", + "operator": "Equals" + } + ] + } + } + ] + }, + "customRuleSetsForRegulatoryComplianceObj": { + "copy": [ + { + "name": "ruleSetsForRegulatoryCompliancArr", + "count": "[variables('regulatoryComplianceStandardsNamesLengthIfEmpty')]", + "input": { + "rules": [ + { + "propertyJPath": "id", + "propertyType": "string", + "expectedValue": "[if(equals(variables('regulatoryComplianceStandardsNamesLength'), 0), json('null'), variables('regulatoryComplianceStandardsNames')[copyIndex('ruleSetsForRegulatoryCompliancArr')])]", + "operator": "Contains" + } + ] + } + } + ] + }, + "ruleSetsForSecureScoreControlsObj": "[if(equals(variables('secureScoreControlsNamesLength'), 0), json('null'), variables('customRuleSetsForSecureScoreControlsObj').ruleSetsForSecureScoreControlsArr)]", + "ruleSetsForSecureRegulatoryComplianceObj": "[if(equals(variables('regulatoryComplianceStandardsNamesLength'), 0), json('null'), variables('customRuleSetsForRegulatoryComplianceObj').ruleSetsForRegulatoryCompliancArr)]", + "ruleSetsForSubAssessmentsObj": "[if(equals(variables('recommendationNamesLength'), 0), json('null'), variables('customRuleSetsForSubAssessmentsObj').ruleSetsForSubAssessmentsArr)]", + "subAssessmentSource": [ + { + "eventSource": "SubAssessments", + "ruleSets": "[variables('ruleSetsForSubAssessmentsObj')]" + } + ], + "ruleSetsMap": { + "Security recommendations": "[variables('ruleSetsForAssessmentsObj').ruleSetsForAssessmentsArr]", + "Security alerts": "[variables('ruleSetsForAlertsObj').ruleSetsForAlertsArr]", + "Overall secure score": null, + "Secure score controls": "[variables('ruleSetsForSecureScoreControlsObj')]", + "Regulatory compliance": "[variables('ruleSetsForSecureRegulatoryComplianceObj')]", + "Overall secure score - snapshot": null, + "Secure score controls - snapshot": "[variables('ruleSetsForSecureScoreControlsObj')]", + "Regulatory compliance - snapshot": 
"[variables('ruleSetsForSecureRegulatoryComplianceObj')]" + }, + "sourcesWithoutSubAssessments": { + "copy": [ + { + "name": "sources", + "count": "[variables('exportedDataTypesLengthIfEmpty')]", + "input": { + "eventSource": "[variables('dataTypeMap')[variables('exportedDataTypes')[copyIndex('sources')]]]", + "ruleSets": "[variables('ruleSetsMap')[variables('exportedDataTypes')[copyIndex('sources')]]]" + } + } + ] + }, + "sourcesWithSubAssessments": "[concat(variables('subAssessmentSource'),variables('sourcesWithoutSubAssessments').sources)]", + "sources": "[if(equals(variables('isSecurityFindingsEnabled'),bool('true')),variables('sourcesWithSubAssessments'),variables('sourcesWithoutSubAssessments').sources)]" + }, + "resources": [ + { + "type": "Microsoft.Security/pricings", + "apiVersion": "2018-06-01", + "name": "VirtualMachines", + "properties": { + "pricingTier": "[parameters('pricingTierVMs')]" + } + }, + { + "type": "Microsoft.Security/pricings", + "apiVersion": "2018-06-01", + "name": "SqlServers", + "dependsOn": [ + "[concat('Microsoft.Security/pricings/VirtualMachines')]" + ], + "properties": { + "pricingTier": "[parameters('pricingTierSqlServers')]" + } + }, + { + "type": "Microsoft.Security/pricings", + "apiVersion": "2018-06-01", + "name": "AppServices", + "dependsOn": [ + "[concat('Microsoft.Security/pricings/SqlServers')]" + ], + "properties": { + "pricingTier": "[parameters('pricingTierAppServices')]" + } + }, + { + "type": "Microsoft.Security/pricings", + "apiVersion": "2018-06-01", + "name": "StorageAccounts", + "dependsOn": [ + "[concat('Microsoft.Security/pricings/AppServices')]" + ], + "properties": { + "pricingTier": "[parameters('pricingTierStorageAccounts')]" + } + }, + { + "type": "Microsoft.Security/pricings", + "apiVersion": "2018-06-01", + "name": "SqlServerVirtualMachines", + "dependsOn": [ + "[concat('Microsoft.Security/pricings/StorageAccounts')]" + ], + "properties": { + "pricingTier": 
"[parameters('pricingTierSqlServerVirtualMachines')]" + } + }, + { + "type": "Microsoft.Security/pricings", + "apiVersion": "2018-06-01", + "name": "KubernetesService", + "dependsOn": [ + "[concat('Microsoft.Security/pricings/SqlServerVirtualMachines')]" + ], + "properties": { + "pricingTier": "[parameters('pricingTierKubernetesService')]" + } + }, + { + "type": "Microsoft.Security/pricings", + "apiVersion": "2018-06-01", + "name": "ContainerRegistry", + "dependsOn": [ + "[concat('Microsoft.Security/pricings/KubernetesService')]" + ], + "properties": { + "pricingTier": "[parameters('pricingTierContainerRegistry')]" + } + }, + { + "type": "Microsoft.Security/pricings", + "apiVersion": "2018-06-01", + "name": "KeyVaults", + "dependsOn": [ + "[concat('Microsoft.Security/pricings/ContainerRegistry')]" + ], + "properties": { + "pricingTier": "[parameters('pricingTierKeyVaults')]" + } + }, + { + "type": "Microsoft.Security/pricings", + "apiVersion": "2018-06-01", + "name": "Dns", + "dependsOn": [ + "[concat('Microsoft.Security/pricings/KeyVaults')]" + ], + "properties": { + "pricingTier": "[parameters('pricingTierDns')]" + } + }, + { + "type": "Microsoft.Security/pricings", + "apiVersion": "2018-06-01", + "name": "Arm", + "dependsOn": [ + "[concat('Microsoft.Security/pricings/Dns')]" + ], + "properties": { + "pricingTier": "[parameters('pricingTierArm')]" + } + }, + { + "condition": "[not(empty(parameters('emailSecurityContact')))]", + "type": "Microsoft.Security/securityContacts", + "name": "default", + "apiVersion": "2020-01-01-preview", + "properties": { + "emails": "[parameters('emailSecurityContact')]", + "notificationsByRole": { + "state": "On", + "roles": [ + "Owner" + ] + }, + "alertNotifications": { + "state": "On", + "minimalSeverity": "High" + } + } + }, + { + "name": "[variables('resourceGroupName')]", + "type": "Microsoft.Resources/resourceGroups", + "apiVersion": "2019-10-01", + "location": "[variables('resourceGroupLocation')]", + "tags": {}, + 
"properties": {} + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[concat('nestedAutomationDeployment', '_', parameters('guidValue'))]", + "resourceGroup": "[variables('resourceGroupName')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/resourceGroups/', variables('resourceGroupName'))]" + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "variables": {}, + "resources": [ + { + "tags": {}, + "apiVersion": "2019-01-01-preview", + "location": "[variables('resourceGroupLocation')]", + "name": "ExportToWorkspace", + "type": "Microsoft.Security/automations", + "dependsOn": [], + "properties": { + "description": "Export Azure Security Center data to Log Analytics workspace via policy", + "isEnabled": true, + "scopes": [ + { + "description": "[replace(variables('scopeDescription'),'{0}', subscription().subscriptionId)]", + "scopePath": "[subscription().id]" + } + ], + "sources": "[variables('sources')]", + "actions": [ + { + "actionType": "Workspace", + "workspaceResourceId": "[parameters('workspaceResourceId')]" + } + ] + } + } + ] + } + } + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/eslzArm/subscriptionTemplates/azActivityDiagnostics.json b/eslzArm/subscriptionTemplates/azActivityDiagnostics.json new file mode 100644 index 0000000000..d8fd54afc6 --- /dev/null +++ b/eslzArm/subscriptionTemplates/azActivityDiagnostics.json 
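Review bot: The `$schema` declared at the top of the hunk is `2019-04-01/deploymentTemplate.json#`, yet the template creates a `Microsoft.Resources/resourceGroups` resource, reads `deployment().location` into `resourceGroupLocation` and scopes the automation to `subscription().id`, all of which only make sense at subscription scope; the sibling azActivityDiagnostics.json in this commit declares `2018-05-01/subscriptionDeploymentTemplate.json#`, and this file should match it so that schema validation of the resource group resource does not flag it. `workspaceResourceId` is typed `"String"` while every other parameter here uses lowercase `"string"`; ARM tolerates it, but one spelling is easier to lint. The `securityContacts` resource hard-codes `"minimalSeverity": "High"` with nothing telling the operator that Medium and Low alerts will not be mailed to the contact; a `metadata.description` on `emailSecurityContact` stating that, or a dedicated severity parameter, would avoid a gap in who gets notified.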
@@ -0,0 +1,64 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "logAnalytics": {
+ "type": "string"
+ },
+ "logsEnabled": {
+ "type": "string",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "defaultValue": "True"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "name": "subscriptionToLa",
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "location": "Global",
+ "properties": {
+ "workspaceId": "[parameters('logAnalytics')]",
+ "logs": [
+ {
+ "category": "Administrative",
+ "enabled": "[parameters('logsEnabled')]"
+ },
+ {
+ "category": "Security",
+ "enabled": "[parameters('logsEnabled')]"
+ },
+ {
+ "category": "ServiceHealth",
+ "enabled": "[parameters('logsEnabled')]"
+ },
+ {
+ "category": "Alert",
+ "enabled": "[parameters('logsEnabled')]"
+ },
+ {
+ "category": "Recommendation",
+ "enabled": "[parameters('logsEnabled')]"
+ },
+ {
+ "category": "Policy",
+ "enabled": "[parameters('logsEnabled')]"
+ },
+ {
+ "category": "Autoscale",
+ "enabled": "[parameters('logsEnabled')]"
+ },
+ {
+ "category": "ResourceHealth",
+ "enabled": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {}
+ }
\ No newline at end of file
diff --git a/eslzArm/subscriptionTemplates/corp-vnet-peering.json b/eslzArm/subscriptionTemplates/corp-vnet-peering.json
new file mode 100644
index 0000000000..03447923cd
--- /dev/null
+++ b/eslzArm/subscriptionTemplates/corp-vnet-peering.json
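Review bot: `logs[].enabled` on `Microsoft.Insights/diagnosticSettings` is a boolean property, but `logsEnabled` is declared as a `string` with `allowedValues` `"True"`/`"False"`, so every `enabled` field in the hunk receives a string; unless the resource provider happens to coerce it, the deployment is likely to be rejected, and the template reads as if free-form text were acceptable for a flag that turns Security and Policy activity-log export on or off. Declaring the parameter as `"type": "bool"` with `"defaultValue": true` (and dropping `allowedValues`), or wrapping each use as `"[bool(parameters('logsEnabled'))]"`, makes the type explicit. `logAnalytics` also lacks a `metadata.description`; `"description": "Resource id of the Log Analytics workspace that receives the subscription activity log."` would match the other templates in this commit.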
@@ -0,0 +1,119 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "connectivitySubscriptionId": { + "type": "string", + "metadata": { + "description": "Provide subscription id for the dedicated connectivity subscription" + } + }, + "location": { + "type": "string", + "metadata": { + "description": "Specify the location used for the virtual network hub." + } + }, + "addresses": { + "type": "string", + "metadata": { + "description": "Address space." + } + }, + "topLevelManagementGroupPrefix": { + "type": "string", + "metadata": { + "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of Enterprise-scale." + } + } + }, + "variables": { + "hubResourceId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', parameters('topLevelManagementGroupPrefix'), '-connectivity', '/providers/Microsoft.Network/virtualNetworks/', parameters('topLevelManagementGroupPrefix'), '-hub-', parameters('location'))]", + "rbacNameForLz": "[guid(subscription().id)]", + // "rbacNameForNConnectivity": "[guid(concat(parameters('addresses'), deployment().name))]", + "vNetPolicyAssignment": "VNet-to-corp", + // "connectivityManagementGroup": "[concat(parameters('topLevelManagementGroupPrefix'), '-connectivity')]", + "vNetpolicyDefinition": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-VNET-HubSpoke')]" + }, + "resources": [ + { + // Policy assignment to connect corp landing zones via virtual network peering to the virtual network in the connectivity subscription + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2019-06-01", + "name": "[variables('vNetPolicyAssignment')]", + "location": "[deployment().location]", + 
"identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "Connect-Vnet-to-hub", + "displayName": "Connect-Vnet-to-hub", + "policyDefinitionId": "[variables('vNetPolicyDefinition')]", + "parameters": { + "vNetName": { + "value": "[concat('corp-vnet-', subscription().subscriptionId)]" + }, + "vNetRgName": { + "value": "[concat('corp-rg-vnet-', subscription().subscriptionId)]" + }, + "vNetLocation": { + "value": "[parameters('location')]" + }, + "vNetCidrRange": { + "value": "[parameters('addresses')]" + }, + "hubResourceId": { + "value": "[variables('hubResourceId')]" + } + }, + "scope": "[subscription().id]" + } + }, + { + // Role assignment for the policy assignment to do on-behalf-of deployments + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2018-09-01-preview", + "name": "[variables('rbacNameForLz')]", + "dependsOn": [ + "[resourceId('Microsoft.Authorization/policyAssignments', variables('vNetPolicyAssignment'))]" + ], + "properties": { + "principalType": "ServicePrincipal", + "principalId": "[reference(resourceId('Microsoft.Authorization/policyAssignments/', variables('vNetPolicyAssignment')), '2019-06-01', 'Full').identity.principalId]", + "roleDefinitionId": "[reference(variables('vNetPolicyDefinition'), '2019-06-01').policyRule.then.details.roleDefinitionIds[0]]" + } + }, + /* + { + // Role assignment on the connectivity hub to do on-behalf-of peering of the virtual network + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2018-09-01-preview", + "scope": "[concat('Microsoft.Management/managementGroups/', variables('connectivityManagementGroup'))]", + "name": "[variables('rbacNameForNConnectivity')]", + "dependsOn": [ + "[resourceId('Microsoft.Authorization/policyAssignments', variables('vNetPolicyAssignment'))]", + "[resourceId('Microsoft.Authorization/roleAssignments', variables('rbacNameForLz'))]" + ], + "properties": { + "principalType": "ServicePrincipal", + "principalId": 
"[reference(resourceId('Microsoft.Authorization/policyAssignments', variables('vNetPolicyAssignment')), '2019-06-01', 'Full').identity.principalId]", + "roleDefinitionId": "[reference(variables('vNetPolicyDefinition'), '2019-06-01').policyRule.then.details.roleDefinitionIds[0]]" + } + },*/ + { + // Invoke the template deployment from the policyDefinition using parameters from the policyAssignment + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-08-01", + "name": "[concat('connect', variables('vNetPolicyAssignment'), parameters('connectivitySubscriptionId'))]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Authorization/roleAssignments', variables('rbacNameForLz'))]" + ], + "properties": { + "mode": "Incremental", + "template": "[reference(variables('vNetPolicyDefinition'), '2018-05-01').policyRule.then.details.deployment.properties.template]", + "parameters": "[reference(resourceId('Microsoft.Authorization/policyAssignments/', variables('vNetPolicyAssignment')), '2018-05-01').parameters]" + } + } + ] +} \ No newline at end of file diff --git a/eslzArm/subscriptionTemplates/hubspoke-connectivity.json b/eslzArm/subscriptionTemplates/hubspoke-connectivity.json new file mode 100644 index 0000000000..fda501e6e3 --- /dev/null +++ b/eslzArm/subscriptionTemplates/hubspoke-connectivity.json 
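Review bot: `rbacNameForLz` is seeded with `guid(subscription().id)` alone, so any other subscription-scoped role assignment in this repository that uses the same seed would produce the same name and the later deployment would fail with a conflict; seeding with the assignment as well, `"rbacNameForLz": "[guid(subscription().id, variables('vNetPolicyAssignment'))]"`, keeps the name deterministic but unique to this assignment. The variable is declared as `vNetpolicyDefinition` but referenced as `vNetPolicyDefinition` throughout; ARM resolves variable names case-insensitively so this works, but the declaration should match the references so a rename does not silently break one of them. The same policy definition is also read with `reference(..., '2019-06-01')` in the role assignment and `reference(..., '2018-05-01')` in the nested deployment, and using one api version for both would make the template easier to reason about.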
@@ -0,0 +1,438 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "maxLength": 10, + "metadata": { + "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of Enterprise-scale." + } + }, + "addressPrefix": { + "type": "string", + "metadata": { + "displayName": "addressPrefix", + "description": "Address prefix of the HUB" + } + }, + "location": { + "type": "string", + "metadata": { + "displayName": "location", + "description": "Location of the HUB" + }, + "defaultValue": "[deployment().location]" + }, + "enableHub": { + "type": "string", + "allowedValues": [ + "vhub", + "No" + ], + "defaultValue": "No", + "metadata": { + "description": "Select whether the virtual network hub should be deployed or not." + } + }, + "enableAzFw": { + "type": "string", + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "No", + "metadata": { + "description": "Select whether the Azure Firewall should be deployed or not." + } + }, + "enableAzFwDnsProxy": { + "type": "string", + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "No", + "metadata": { + "description": "Select whether the Azure Firewall should be used as DNS Proxy or not." + } + }, + "enableVpnGw": { + "type": "string", + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "No", + "metadata": { + "description": "Select whether the VPN Gateway should be deployed or not." + } + }, + "enableErGw": { + "type": "string", + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "No", + "metadata": { + "description": "Select whether the ExpressRoute Gateway should be deployed or not." 
+ } + }, + "enableDdoS": { + "type": "string", + "defaultValue": "No", + "allowedValues": [ + "Yes", + "No" + ], + "metadata": { + "description": "Select whether the DDoS Standard protection plan should be enabled or not." + } + }, + "connectivitySubscriptionId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Provide the subscription id for the dedicated connectivity subscription." + } + }, + "subnetMaskForAzFw": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Provide subnet for Azure Firewall." + } + }, + "subnetMaskForGw": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Provide subnet for VPN/ER." + } + }, + "firewallZones": { + "type": "array", + "defaultValue": [] + }, + "gwRegionalOrAz": { + "type": "string", + "defaultValue": "" + }, + "gwAzSku": { + "type": "string", + "defaultValue": "" + }, + "gwRegionalSku": { + "type": "string", + "defaultValue": "" + }, + "erRegionalOrAz": { + "type": "string", + "defaultValue": "" + }, + "erAzSku": { + "type": "string", + "defaultValue": "" + }, + "erRegionalSku": { + "type": "string", + "defaultValue": "" + }, + "ddosPlanResourceId": { + "type": "string" + } + }, + "variables": { + "vpngwname": "[concat(parameters('topLevelManagementGroupPrefix'), '-vpngw-', parameters('location'))]", + "erGwName": "[concat(parameters('topLevelManagementGroupPrefix'), '-ergw-', parameters('location'))]", + "rgName": "[concat(parameters('topLevelManagementGroupPrefix'), '-vnethub-', parameters('location'))]", + "azFwPolicyName": "[concat(parameters('topLevelManagementGroupPrefix'), '-azfwpolicy-', parameters('location'))]", + "hubName": "[concat(parameters('topLevelManagementGroupPrefix'), '-hub-', parameters('location'))]", + "azVpnGwIpName": "[concat(variables('vpngwname'), '-pip')]", + "azVpnGwSubnetId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', 
variables('rgName'),'/providers/Microsoft.Network/virtualNetworks/', variables('hubname'), '/subnets/GatewaySubnet')]", + "azFwName": "[concat(parameters('topLevelManagementGroupPrefix'), '-fw-', parameters('location'))]", + "azErGwIpName": "[concat(variables('erGwName'), '-pip')]", + "azVpnGwPipId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'), '/providers/Microsoft.Network/publicIPAddresses/', variables('azVpnGwIpName'))]", + "azFwIpName": "[concat(variables('azFwName'), '-pip')]", + "azErGwSubnetId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'),'/providers/Microsoft.Network/virtualNetworks/', variables('hubname'), '/subnets/GatewaySubnet')]", + "azErGwPipId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'), '/providers/Microsoft.Network/publicIPAddresses/', variables('azErGwIpName'))]", + "azFwSubnetId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'),'/providers/Microsoft.Network/virtualNetworks/', variables('hubname'), '/subnets/AzureFirewallSubnet')]", + "azFwPipId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'), '/providers/Microsoft.Network/publicIPAddresses/', variables('azFwIpName'))]", + "resourceDeploymentName": "[take(concat(deployment().name, '-hubspoke', parameters('location')), 64)]", + // Creating variable that later will be used in conjunction with the union() function to cater for conditional subnet creation while ensuring idempotency + "gwSubnet": [ + { + "name": "GatewaySubnet", + "properties": { + "addressPrefix": "[parameters('subnetMaskForGw')]" + } + } + ], + "fwSubnet": [ + { + "name": "AzureFirewallSubnet", + "properties": { + "addressPrefix": "[parameters('subnetMaskForAzFw')]" + } + } + ], + "ddosProtectionPlanId": { + "id": 
"[parameters('ddosPlanResourceId')]" + }, + "azFirewallPolicyId": { + "id": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'), '/providers/Microsoft.Network/firewallPolicies/', variables('azFwPolicyName'))]" + }, + "azFirewallDnsSettings": { + "enableProxy": true + } + }, + "resources": [ + { + // Conditionally deploy virtual network hub + "condition": "[and(equals(parameters('enableHub'), 'vhub'), not(empty(parameters('connectivitySubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "location": "[parameters('location')]", + "name": "[concat('EntScale', '-connectivityHubSub')]", + "subscriptionId": "[parameters('connectivitySubscriptionId')]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "resources": [ + { + "type": "Microsoft.Resources/resourceGroups", + "apiVersion": "2019-10-01", + "location": "[parameters('location')]", + "name": "[variables('rgName')]", + "properties": {} + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('resourceDeploymentName')]", + "resourceGroup": "[variables('rgName')]", + "dependsOn": [ + "[concat('Microsoft.Resources/resourceGroups/', variables('rgName'))]" + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "resources": [ + { + "name": "[variables('hubName')]", + "type": "Microsoft.Network/virtualNetworks", + "apiVersion": "2020-04-01", + "location": "[parameters('location')]", + "properties": { + "addressSpace": { + "addressPrefixes": [ + "[parameters('addressPrefix')]" + ] + }, + "subnets": "[ + union( + if( + not( + 
empty(parameters('subnetMaskForGw'))), variables('gwSubnet'), json('[]')), + if( + not( + empty(parameters('subnetMaskForAzFw'))), variables('fwSubnet'), json('[]')))]", + "enableDdosProtection": "[if(equals(parameters('enableDdoS'), 'Yes'), 'true', 'false')]", + "ddosProtectionPlan": "[if(equals(parameters('enableDdoS'), 'Yes'), variables('ddosProtectionPlanId'), json('null'))]" + } + }, + { + "condition": "[and(equals(parameters('enableVpnGw'), 'Yes'), not(empty(parameters('subnetMaskForGw'))))]", + "apiVersion": "2020-05-01", + "type": "Microsoft.Network/publicIpAddresses", + "location": "[parameters('location')]", + "name": "[variables('azVpnGwIpName')]", + "sku": { + "name": "[if(equals(parameters('gwRegionalOrAz'), 'Zone'), 'Standard', 'Basic')]" + }, + "properties": { + "publicIPAllocationMethod": "[if(equals(parameters('gwRegionalOrAz'), 'Zone'), 'Static', 'Dynamic')]" + } + }, + { + "condition": "[and(equals(parameters('enableVpnGw'), 'Yes'), not(empty(parameters('subnetMaskForGw'))))]", + "apiVersion": "2020-05-01", + "name": "[variables('vpngwname')]", + "type": "Microsoft.Network/virtualNetworkGateways", + "location": "[parameters('location')]", + "dependsOn": [ + "[concat('Microsoft.Network/publicIPAddresses/', variables('azVpnGwIpName'))]", + "[concat('Microsoft.Network/virtualNetworks/', variables('hubName'))]" + ], + "properties": { + "gatewayType": "Vpn", + "vpnGatewayGeneration": "Generation2", + "vpnType": "RouteBased", + "ipConfigurations": [ + { + "name": "default", + "properties": { + "privateIPAllocationMethod": "Dynamic", + "subnet": { + "id": "[variables('azVpnGwSubnetId')]" + }, + "publicIpAddress": { + "id": "[variables('azVpnGwPipId')]" + } + } + } + ], + "sku": { + "name": "[if( + and( + or( + empty(parameters('gwRegionalSku')), + empty(parameters('gwAzSku'))), + not( + empty(parameters('gwRegionalSku')))), + parameters('gwRegionalSku'), + parameters('gwAzSku'))]", + "tier": "[if( + and( + or( + empty(parameters('gwRegionalSku')), + 
empty(parameters('gwAzSku'))), + not( + empty(parameters('gwRegionalSku')))), + parameters('gwRegionalSku'), + parameters('gwAzSku'))]" + } + } + }, + { + "condition": "[and(equals(parameters('enableErGw'), 'Yes'), not(empty(parameters('subnetMaskForGw'))))]", + "apiVersion": "2020-05-01", + "type": "Microsoft.Network/publicIpAddresses", + "location": "[parameters('location')]", + "name": "[variables('azErGwIpName')]", + "sku": { + "name": "[if(equals(parameters('erRegionalOrAz'), 'Zone'), 'Standard', 'Basic')]" + }, + "properties": { + "publicIPAllocationMethod": "[if(equals(parameters('erRegionalOrAz'), 'Zone'), 'Static', 'Dynamic')]" + } + }, + { + "condition": "[and(equals(parameters('enableErGw'), 'Yes'), not(empty(parameters('subnetMaskForGw'))))]", + "apiVersion": "2020-05-01", + "name": "[variables('erGwName')]", + "type": "Microsoft.Network/virtualNetworkGateways", + "location": "[parameters('location')]", + "dependsOn": [ + "[concat('Microsoft.Network/publicIPAddresses/', variables('azErGwIpName'))]", + "[concat('Microsoft.Network/virtualNetworkGateways/', variables('vpngwname'))]", + "[concat('Microsoft.Network/virtualNetworks/', variables('hubName'))]" + ], + "properties": { + "gatewayType": "ExpressRoute", + "ipConfigurations": [ + { + "name": "default", + "properties": { + "privateIPAllocationMethod": "Dynamic", + "subnet": { + "id": "[variables('azErGwSubnetId')]" + }, + "publicIpAddress": { + "id": "[variables('azErGwPipId')]" + } + } + } + ], + "sku": { + "name": "[if( + and( + or( + empty(parameters('erRegionalSku')), + empty(parameters('erAzSku'))), + not( + empty(parameters('erRegionalSku')))), + parameters('erRegionalSku'), + parameters('erAzSku'))]", + "tier": "[if( + and( + or( + empty(parameters('erRegionalSku')), + empty(parameters('erAzSku'))), + not( + empty(parameters('erRegionalSku')))), + parameters('erRegionalSku'), + parameters('erAzSku'))]" + } + } + }, + { + "condition": "[and(equals(parameters('enableAzFw'), 'Yes'), 
not(empty(parameters('subnetMaskForAzFw'))))]", + "apiVersion": "2020-05-01", + "type": "Microsoft.Network/publicIpAddresses", + "name": "[variables('azFwIpName')]", + "location": "[parameters('location')]", + "sku": { + "name": "Standard" + }, + "properties": { + "publicIPAllocationMethod": "Static" + } + }, + { + "condition": "[and(equals(parameters('enableAzFw'), 'Yes'), not(empty(parameters('subnetMaskForAzFw'))))]", + "type": "Microsoft.Network/firewallPolicies", + "apiVersion": "2020-11-01", + "name": "[variables('azFwPolicyName')]", + "location": "[parameters('location')]", + "properties": { + "dnsSettings": "[if(equals(parameters('enableAzFwDnsProxy'), 'Yes'), variables('azFirewallDnsSettings'), json('null'))]" + } + }, + { + "condition": "[and(equals(parameters('enableAzFw'), 'Yes'), not(empty(parameters('subnetMaskForAzFw'))))]", + "apiVersion": "2020-05-01", + "type": "Microsoft.Network/azureFirewalls", + "name": "[variables('azfwname')]", + "location": "[parameters('location')]", + "zones": "[if(not(empty(parameters('firewallZones'))), parameters('firewallZones'), json('null'))]", + "dependsOn": [ + "[concat('Microsoft.Network/firewallPolicies/', variables('azFwPolicyName'))]", + "[concat('Microsoft.Network/publicIpAddresses/', variables('azFwIpName'))]", + "[concat('Microsoft.Network/virtualNetworks/', variables('hubName'))]" + ], + "properties": { + "ipConfigurations": [ + { + "name": "[variables('azFwIpName')]", + "properties": { + "subnet": { + "id": "[variables('azFwSubnetId')]" + }, + "publicIPAddress": { + "id": "[variables('azFwPipId')]" + } + } + } + ], + "firewallPolicy": "[variables('azFirewallPolicyId')]" + } + } + ] + } + } + } + ] + } + } + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/eslzArm/subscriptionTemplates/logAnalyticsSolutions.json b/eslzArm/subscriptionTemplates/logAnalyticsSolutions.json new file mode 100644 index 0000000000..3f46917769 --- /dev/null 
+++ b/eslzArm/subscriptionTemplates/logAnalyticsSolutions.json 
@@ -0,0 +1,327 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "rgName": { + "type": "string", + "metadata": { + "description": "Provide the resource group name where the Log Analytics workspace is deployed." + } + }, + "workspaceName": { + "type": "string", + "metadata": { + "description": "Provide resource name for the Log Analytics workspace." + } + }, + "workspaceRegion": { + "type": "string", + "defaultValue": "[deployment().location]", + "metadata": { + "description": "Select Azure region for the Log Analytics workspace. Default, we will use same region as deployment." + } + }, + "enableSecuritySolution": { + "type": "string", + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "Yes", + "metadata": { + "description": "Select whether security solutions should be enabled or not." + } + }, + "enableAgentHealth": { + "type": "string", + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "Yes", + "metadata": { + "description": "Select whether agent health solution should be enabled or not." + } + }, + "enableChangeTracking": { + "type": "string", + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "Yes", + "metadata": { + "description": "Select whether change tracking solution should be enabled or not." + } + }, + "enableUpdateMgmt": { + "type": "string", + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "Yes", + "metadata": { + "description": "Select whether update mgmt solution should be enabled or not." + } + }, + "enableActivityLog": { + "type": "string", + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "Yes", + "metadata": { + "description": "Select whether activity log solution should be enabled or not." 
+ } + }, + "enableVmInsights": { + "type": "string", + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "Yes", + "metadata": { + "description": "Select whether VM insights solution should be enabled or not." + } + }, + "enableServiceMap": { + "type": "string", + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "Yes", + "metadata": { + "description": "Select whether service map solution should be enabled or not." + } + }, + "enableSqlAssessment": { + "type": "string", + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "Yes", + "metadata": { + "description": "Select whether sql assessment solution should be enabled or not." + } + } + }, + "variables": { + "laResourceId": "[toLower(concat(subscription().id, '/resourceGroups/', parameters('rgName'), '/providers/Microsoft.OperationalInsights/workspaces/', parameters('workspaceName')))]", + "solutions": { + "security": { + "name": "[concat('Security', '(', parameters('workspaceName'), ')')]", + "marketplaceName": "Security" + }, + "agentHealth": { + "name": "[concat('AgentHealthAssessment', '(', parameters('workspaceName'), ')')]", + "marketplaceName": "AgentHealthAssessment" + }, + "changeTracking": { + "name": "[concat('ChangeTracking', '(', parameters('workspaceName'), ')')]", + "marketplaceName": "ChangeTracking" + }, + "updateMgmt": { + "name": "[concat('Updates', '(', parameters('workspaceName'), ')')]", + "marketplaceName": "Updates" + }, + "azureActivity": { + "name": "[concat('AzureActivity', '(', parameters('workspaceName'), ')')]", + "marketplaceName": "AzureActivity" + }, + "sqlAssessment": { + "name": "[concat('SQLAssessment', '(', parameters('workspaceName'), ')')]", + "marketplaceName": "SQLAssessment" + }, + "vmInsights": { + "name": "[concat('VMInsights', '(', parameters('workspaceName'), ')')]", + "marketplaceName": "VMInsights" + }, + "serviceMap": { + "name": "[concat('ServiceMap', '(', parameters('workspaceName'), ')')]", + "marketplaceName": "ServiceMap" + }, + 
"securityInsights": { + "name": "[concat('SecurityInsights', '(', parameters('workspaceName'), ')')]", + "marketplaceName": "SecurityInsights" + } + } + }, + "resources": [ + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2018-05-01", + "name": "[take(concat('EntScale-', 'solutions-', guid(deployment().name)), 63)]", + "resourceGroup": "[parameters('rgName')]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "variables": {}, + "resources": [ + { + // Conditionally deploy solution for agent health + "condition": "[equals(parameters('enableAgentHealth'), 'Yes')]", + "apiVersion": "2015-11-01-preview", + "type": "Microsoft.OperationsManagement/solutions", + "name": "[variables('solutions').agentHealth.name]", + "location": "[parameters('workspaceRegion')]", + "properties": { + "workspaceResourceId": "[variables('laResourceId')]" + }, + "plan": { + "name": "[variables('solutions').agentHealth.name]", + "product": "[concat('OMSGallery/', variables('solutions').agentHealth.marketplaceName)]", + "promotionCode": "", + "publisher": "Microsoft" + } + }, + { + // Conditionally deploy solution for activity log + "condition": "[equals(parameters('enableActivityLog'), 'Yes')]", + "apiVersion": "2015-11-01-preview", + "type": "Microsoft.OperationsManagement/solutions", + "name": "[variables('solutions').azureActivity.name]", + "location": "[parameters('workspaceRegion')]", + "properties": { + "workspaceResourceId": "[variables('laResourceId')]" + }, + "plan": { + "name": "[variables('solutions').azureActivity.name]", + "product": "[concat('OMSGallery/', variables('solutions').azureActivity.marketplaceName)]", + "promotionCode": "", + "publisher": "Microsoft" + } + }, + { + // Conditionally deploy solution for change tracking + "condition": "[equals(parameters('enableChangeTracking'), 'Yes')]", + 
"apiVersion": "2015-11-01-preview", + "type": "Microsoft.OperationsManagement/solutions", + "name": "[variables('solutions').changeTracking.name]", + "location": "[parameters('workspaceRegion')]", + "properties": { + "workspaceResourceId": "[variables('laResourceId')]" + }, + "plan": { + "name": "[variables('solutions').changeTracking.name]", + "product": "[concat('OMSGallery/', variables('solutions').changeTracking.marketplaceName)]", + "promotionCode": "", + "publisher": "Microsoft" + } + }, + { + // Conditionally deploy solution for vm insights + "condition": "[equals(parameters('enableVmInsights'), 'Yes')]", + "apiVersion": "2015-11-01-preview", + "type": "Microsoft.OperationsManagement/solutions", + "name": "[variables('solutions').vmInsights.name]", + "location": "[parameters('workspaceRegion')]", + "properties": { + "workspaceResourceId": "[variables('laResourceId')]" + }, + "plan": { + "name": "[variables('solutions').vmInsights.name]", + "product": "[concat('OMSGallery/', variables('solutions').vmInsights.marketplaceName)]", + "promotionCode": "", + "publisher": "Microsoft" + } + }, + { + // Conditionally deploy solution for security + "condition": "[equals(parameters('enableSecuritySolution'), 'Yes')]", + "apiVersion": "2015-11-01-preview", + "type": "Microsoft.OperationsManagement/solutions", + "name": "[variables('solutions').security.name]", + "location": "[parameters('workspaceRegion')]", + "properties": { + "workspaceResourceId": "[variables('laResourceId')]" + }, + "plan": { + "name": "[variables('solutions').security.name]", + "product": "[concat('OMSGallery/', variables('solutions').security.marketplaceName)]", + "promotionCode": "", + "publisher": "Microsoft" + } + }, + { + // Conditionally deploy solution for sentinel + "condition": "[equals(parameters('enableSecuritySolution'), 'Yes')]", + "apiVersion": "2015-11-01-preview", + "type": "Microsoft.OperationsManagement/solutions", + "name": "[variables('solutions').securityInsights.name]", + 
"location": "[parameters('workspaceRegion')]", + "properties": { + "workspaceResourceId": "[variables('laResourceId')]" + }, + "plan": { + "name": "[variables('solutions').securityInsights.name]", + "product": "[concat('OMSGallery/', variables('solutions').securityInsights.marketplaceName)]", + "promotionCode": "", + "publisher": "Microsoft" + } + }, + { + // Conditionally deploy solution for service map + "condition": "[equals(parameters('enableServiceMap'), 'Yes')]", + "apiVersion": "2015-11-01-preview", + "type": "Microsoft.OperationsManagement/solutions", + "name": "[variables('solutions').serviceMap.name]", + "location": "[parameters('workspaceRegion')]", + "properties": { + "workspaceResourceId": "[variables('laResourceId')]" + }, + "plan": { + "name": "[variables('solutions').serviceMap.name]", + "product": "[concat('OMSGallery/', variables('solutions').serviceMap.marketplaceName)]", + "promotionCode": "", + "publisher": "Microsoft" + } + }, + { + // Conditionally deploy solution for sql assessment + "condition": "[equals(parameters('enableSqlAssessment'), 'Yes')]", + "apiVersion": "2015-11-01-preview", + "type": "Microsoft.OperationsManagement/solutions", + "name": "[variables('solutions').sqlAssessment.name]", + "location": "[parameters('workspaceRegion')]", + "properties": { + "workspaceResourceId": "[variables('laResourceId')]" + }, + "plan": { + "name": "[variables('solutions').sqlAssessment.name]", + "product": "[concat('OMSGallery/', variables('solutions').sqlAssessment.marketplaceName)]", + "promotionCode": "", + "publisher": "Microsoft" + } + }, + { + // Conditionally deploy solution for update management + "condition": "[equals(parameters('enableUpdateMgmt'), 'Yes')]", + "apiVersion": "2015-11-01-preview", + "type": "Microsoft.OperationsManagement/solutions", + "name": "[variables('solutions').updateMgmt.name]", + "location": "[parameters('workspaceRegion')]", + "properties": { + "workspaceResourceId": "[variables('laResourceId')]" + }, + "plan": { 
+ "name": "[variables('solutions').updateMgmt.name]", + "product": "[concat('OMSGallery/', variables('solutions').updateMgmt.marketplaceName)]", + "promotionCode": "", + "publisher": "Microsoft" + } + } + ] + } + } + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/eslzArm/subscriptionTemplates/logAnalyticsWorkspace.json b/eslzArm/subscriptionTemplates/logAnalyticsWorkspace.json new file mode 100644 index 0000000000..6f5d8415b5 --- /dev/null +++ b/eslzArm/subscriptionTemplates/logAnalyticsWorkspace.json 
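Review bot: The Sentinel solution (`SecurityInsights`, the resource commented "Conditionally deploy solution for sentinel") is gated on `enableSecuritySolution`, the same switch as the `Security` solution, while that parameter's description only says "Select whether security solutions should be enabled or not." Sentinel is billed separately from the workspace and the Security solution, so a reader of the parameter list cannot tell that answering "Yes" also turns it on. Either give it its own switch, `"enableSentinel": { "type": "string", "allowedValues": ["Yes", "No"], "defaultValue": "No" }` with `"condition": "[equals(parameters('enableSentinel'), 'Yes')]"` on that resource, or state in the description that both Security and SecurityInsights are deployed. If the coupling is intended, a one-line comment above the Sentinel resource saying so would spare the next maintainer the question.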
@@ -0,0 +1,96 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "rgName": {
+ "type": "String"
+ },
+ "workspaceName": {
+ "type": "String"
+ },
+ "workspaceRegion": {
+ "type": "String"
+ },
+ "automationAccountName": {
+ "type": "String"
+ },
+ "automationRegion": {
+ "type": "String"
+ },
+ "retentionInDays": {
+ "type": "String"
+ }
+ },
+ "variables": {
+ "deploymentName": "eslz-loganalytics"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Resources/resourceGroups",
+ "apiVersion": "2018-05-01",
+ "name": "[parameters('rgName')]",
+ "location": "[deployment().location]",
+ "properties": {}
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2018-05-01",
+ "name": "[variables('deploymentName')]",
+ "resourceGroup": "[parameters('rgName')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
+ "contentVersion": "1.0.0.0",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "apiVersion": "2015-10-31",
+ "location": "[parameters('AutomationRegion')]",
+ "name": "[parameters('AutomationAccountName')]",
+ "type": "Microsoft.Automation/automationAccounts",
+ "properties": {
+ "sku": {
+ "name": "Basic"
+ }
+ }
+ },
+ {
+ "apiVersion": "2020-08-01",
+ "location": "[parameters('workspaceRegion')]",
+ "name": "[parameters('workspaceName')]",
+ "type": "Microsoft.OperationalInsights/workspaces",
+ "properties": {
+ "sku": {
+ "name": "PerGB2018"
+ },
+ "enableLogAccessUsingOnlyResourcePermissions": true,
+ "retentionInDays": "[int(parameters('retentionInDays'))]"
+ },
+ "resources": [
+ {
+ "name": "Automation",
+ "type": "linkedServices",
+ "apiVersion": "2020-08-01",
+ "dependsOn": [
+ "[concat(subscription().id, 
'/resourceGroups/', parameters('rgName'), '/providers/Microsoft.Automation/automationAccounts/', parameters('AutomationAccountName'))]",
+ "[concat(subscription().id, '/resourceGroups/', parameters('rgName'), '/providers/Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
+ ],
+ "properties": {
+ "resourceId": "[concat(subscription().id, '/resourceGroups/', parameters('rgName'), '/providers/Microsoft.Automation/automationAccounts/', parameters('AutomationAccountName'))]"
+ }
+ }
+ ]
+ }
+ ],
+ "outputs": {}
+ }
+ }
+ }
+ ],
+ "outputs": {}
+ }
\ No newline at end of file
diff --git a/eslzArm/subscriptionTemplates/nvahubspoke-connectivity.json b/eslzArm/subscriptionTemplates/nvahubspoke-connectivity.json
new file mode 100644
index 0000000000..9e5425b4fe
--- /dev/null
+++ b/eslzArm/subscriptionTemplates/nvahubspoke-connectivity.json
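Review bot: `retentionInDays` is declared as a string and converted with `int(parameters('retentionInDays'))` inside the nested deployment, and none of the six parameters carries a `metadata.description`, unlike the sibling templates in this commit. Declaring it as `"retentionInDays": { "type": "int", "minValue": 30, "maxValue": 730, "metadata": { "description": "Workspace data retention in days." } }` validates the value before any resource is created rather than failing inside the nested template. The nested resources reference `parameters('AutomationRegion')` and `parameters('AutomationAccountName')` while the parameters are declared as `automationRegion`/`automationAccountName`; ARM resolves parameter names case-insensitively so this works, but matching the declared spelling avoids a confusing search. The `linkedServices` `dependsOn` entries and its `resourceId` property build IDs by hand with `concat(subscription().id, …)`; `resourceId(parameters('rgName'), 'Microsoft.Automation/automationAccounts', parameters('automationAccountName'))` is the idiomatic and less fragile form.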
@@ -0,0 +1,348 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "maxLength": 10, + "metadata": { + "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of Enterprise-scale." + } + }, + "addressPrefix": { + "type": "string", + "metadata": { + "displayName": "addressPrefix", + "description": "Address prefix of the HUB" + } + }, + "location": { + "type": "string", + "metadata": { + "displayName": "location", + "description": "Location of the HUB" + }, + "defaultValue": "[deployment().location]" + }, + "enableHub": { + "type": "string", + "allowedValues": [ + "nva", + "No" + ], + "defaultValue": "No", + "metadata": { + "description": "Select whether the virtual network hub should be deployed or not." + } + }, + "enableVpnGw": { + "type": "string", + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "No", + "metadata": { + "description": "Select whether the VPN Gateway should be deployed or not." + } + }, + "enableErGw": { + "type": "string", + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "No", + "metadata": { + "description": "Select whether the ExpressRoute Gateway should be deployed or not." + } + }, + "enableDdoS": { + "type": "string", + "defaultValue": "No", + "allowedValues": [ + "Yes", + "No" + ], + "metadata": { + "description": "Select whether the DDoS Standard protection plan should be enabled or not." + } + }, + "connectivitySubscriptionId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Provide the subscription id for the dedicated connectivity subscription." + } + }, + "subnetMaskForAzFw": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Provide subnet for Azure Firewall." 
+ } + }, + "subnetMaskForGw": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Provide subnet for VPN/ER." + } + }, + "gwRegionalOrAz": { + "type": "string", + "defaultValue": "" + }, + "gwAzSku": { + "type": "string", + "defaultValue": "" + }, + "gwRegionalSku": { + "type": "string", + "defaultValue": "" + }, + "erRegionalOrAz": { + "type": "string", + "defaultValue": "" + }, + "erAzSku": { + "type": "string", + "defaultValue": "" + }, + "erRegionalSku": { + "type": "string", + "defaultValue": "" + }, + "ddosPlanResourceId": { + "type": "string" + } + }, + "variables": { + "vpngwname": "[concat(parameters('topLevelManagementGroupPrefix'), '-vpngw-', parameters('location'))]", + "erGwName": "[concat(parameters('topLevelManagementGroupPrefix'), '-ergw-', parameters('location'))]", + "rgName": "[concat(parameters('topLevelManagementGroupPrefix'), '-vnethub-', parameters('location'))]", + "hubName": "[concat(parameters('topLevelManagementGroupPrefix'), '-hub-', parameters('location'))]", + "azVpnGwIpName": "[concat(variables('vpngwname'), '-pip')]", + "azVpnGwSubnetId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'),'/providers/Microsoft.Network/virtualNetworks/', variables('hubname'), '/subnets/GatewaySubnet')]", + "azErGwIpName": "[concat(variables('erGwName'), '-pip')]", + "azVpnGwPipId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'), '/providers/Microsoft.Network/publicIPAddresses/', variables('azVpnGwIpName'))]", + "azErGwSubnetId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'),'/providers/Microsoft.Network/virtualNetworks/', variables('hubname'), '/subnets/GatewaySubnet')]", + "azErGwPipId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'), 
'/providers/Microsoft.Network/publicIPAddresses/', variables('azErGwIpName'))]", + "resourceDeploymentName": "[take(concat(deployment().name, '-hubspoke', parameters('location')), 64)]", + // Creating variable that later will be used in conjunction with the union() function to cater for conditional subnet creation while ensuring idempotency + "gwSubnet": [ + { + "name": "GatewaySubnet", + "properties": { + "addressPrefix": "[parameters('subnetMaskForGw')]" + } + } + ], + "fwSubnet": [ + { + "name": "AzureFirewallSubnet", + "properties": { + "addressPrefix": "[parameters('subnetMaskForAzFw')]" + } + } + ], + "ddosProtectionPlanId": { + "id": "[parameters('ddosPlanResourceId')]" + } + }, + "resources": [ + { + // Conditionally deploy virtual network hub + "condition": "[and(equals(parameters('enableHub'), 'nva'), not(empty(parameters('connectivitySubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "location": "[parameters('location')]", + "name": "[concat('EntScale', '-connectivityNvaHubSub')]", + "subscriptionId": "[parameters('connectivitySubscriptionId')]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "resources": [ + { + "type": "Microsoft.Resources/resourceGroups", + "apiVersion": "2019-10-01", + "location": "[parameters('location')]", + "name": "[variables('rgName')]", + "properties": {} + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('resourceDeploymentName')]", + "resourceGroup": "[variables('rgName')]", + "dependsOn": [ + "[concat('Microsoft.Resources/resourceGroups/', variables('rgName'))]" + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + 
"parameters": {}, + "resources": [ + { + "name": "[variables('hubName')]", + "type": "Microsoft.Network/virtualNetworks", + "apiVersion": "2020-04-01", + "location": "[parameters('location')]", + "properties": { + "addressSpace": { + "addressPrefixes": [ + "[parameters('addressPrefix')]" + ] + }, + "subnets": "[ + union( + if( + not( + empty(parameters('subnetMaskForGw'))), variables('gwSubnet'), json('[]')), + if( + not( + empty(parameters('subnetMaskForAzFw'))), variables('fwSubnet'), json('[]')))]", + "enableDdosProtection": "[if(equals(parameters('enableDdoS'), 'Yes'), 'true', 'false')]", + "ddosProtectionPlan": "[if(equals(parameters('enableDdoS'), 'Yes'), variables('ddosProtectionPlanId'), json('null'))]" + } + }, + { + "condition": "[and(equals(parameters('enableVpnGw'), 'Yes'), not(empty(parameters('subnetMaskForGw'))))]", + "apiVersion": "2020-05-01", + "type": "Microsoft.Network/publicIpAddresses", + "location": "[parameters('location')]", + "name": "[variables('azVpnGwIpName')]", + "sku": { + "name": "[if(equals(parameters('gwRegionalOrAz'), 'Zone'), 'Standard', 'Basic')]" + }, + "properties": { + "publicIPAllocationMethod": "[if(equals(parameters('gwRegionalOrAz'), 'Zone'), 'Static', 'Dynamic')]" + } + }, + { + "condition": "[and(equals(parameters('enableVpnGw'), 'Yes'), not(empty(parameters('subnetMaskForGw'))))]", + "apiVersion": "2020-05-01", + "name": "[variables('vpngwname')]", + "type": "Microsoft.Network/virtualNetworkGateways", + "location": "[parameters('location')]", + "dependsOn": [ + "[concat('Microsoft.Network/publicIPAddresses/', variables('azVpnGwIpName'))]", + "[concat('Microsoft.Network/virtualNetworks/', variables('hubName'))]" + ], + "properties": { + "gatewayType": "Vpn", + "vpnGatewayGeneration": "Generation2", + "vpnType": "RouteBased", + "ipConfigurations": [ + { + "name": "default", + "properties": { + "privateIPAllocationMethod": "Dynamic", + "subnet": { + "id": "[variables('azVpnGwSubnetId')]" + }, + "publicIpAddress": { + 
"id": "[variables('azVpnGwPipId')]" + } + } + } + ], + "sku": { + "name": "[if( + and( + or( + empty(parameters('gwRegionalSku')), + empty(parameters('gwAzSku'))), + not( + empty(parameters('gwRegionalSku')))), + parameters('gwRegionalSku'), + parameters('gwAzSku'))]", + "tier": "[if( + and( + or( + empty(parameters('gwRegionalSku')), + empty(parameters('gwAzSku'))), + not( + empty(parameters('gwRegionalSku')))), + parameters('gwRegionalSku'), + parameters('gwAzSku'))]" + } + } + }, + { + "condition": "[and(equals(parameters('enableErGw'), 'Yes'), not(empty(parameters('subnetMaskForGw'))))]", + "apiVersion": "2020-05-01", + "type": "Microsoft.Network/publicIpAddresses", + "location": "[parameters('location')]", + "name": "[variables('azErGwIpName')]", + "sku": { + "name": "[if(equals(parameters('erRegionalOrAz'), 'Zone'), 'Standard', 'Basic')]" + }, + "properties": { + "publicIPAllocationMethod": "[if(equals(parameters('erRegionalOrAz'), 'Zone'), 'Static', 'Dynamic')]" + } + }, + { + "condition": "[and(equals(parameters('enableErGw'), 'Yes'), not(empty(parameters('subnetMaskForGw'))))]", + "apiVersion": "2020-05-01", + "name": "[variables('erGwName')]", + "type": "Microsoft.Network/virtualNetworkGateways", + "location": "[parameters('location')]", + "dependsOn": [ + "[concat('Microsoft.Network/publicIPAddresses/', variables('azErGwIpName'))]", + "[concat('Microsoft.Network/virtualNetworkGateways/', variables('vpngwname'))]", + "[concat('Microsoft.Network/virtualNetworks/', variables('hubName'))]" + ], + "properties": { + "gatewayType": "ExpressRoute", + "ipConfigurations": [ + { + "name": "default", + "properties": { + "privateIPAllocationMethod": "Dynamic", + "subnet": { + "id": "[variables('azErGwSubnetId')]" + }, + "publicIpAddress": { + "id": "[variables('azErGwPipId')]" + } + } + } + ], + "sku": { + "name": "[if( + and( + or( + empty(parameters('erRegionalSku')), + empty(parameters('erAzSku'))), + not( + empty(parameters('erRegionalSku')))), + 
parameters('erRegionalSku'),
+ parameters('erAzSku'))]",
+ "tier": "[if(
+ and(
+ or(
+ empty(parameters('erRegionalSku')),
+ empty(parameters('erAzSku'))),
+ not(
+ empty(parameters('erRegionalSku')))),
+ parameters('erRegionalSku'),
+ parameters('erAzSku'))]"
+ }
+ }
+ }
+ ]
+ }
+ }
+ }
+ ]
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/eslzArm/subscriptionTemplates/resourceGroup.json b/eslzArm/subscriptionTemplates/resourceGroup.json
new file mode 100644
index 0000000000..20459a7cb5
--- /dev/null
+++ b/eslzArm/subscriptionTemplates/resourceGroup.json
@@ -0,0 +1,28 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "rgName": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide name for resource group"
+ }
+ },
+ "location": {
+ "type": "string",
+ "metadata": {
+ "description": "Provide location for the resource group"
+ }
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Resources/resourceGroups",
+ "apiVersion": "2020-10-01",
+ "name": "[parameters('rgName')]",
+ "location": "[parameters('location')]"
+ }
+ ],
+ "outputs": {}
+}
\ No newline at end of file
diff --git a/eslzArm/subscriptionTemplates/vnetPeering.json b/eslzArm/subscriptionTemplates/vnetPeering.json
new file mode 100644
index 0000000000..599e42e9c4
--- /dev/null
+++ b/eslzArm/subscriptionTemplates/vnetPeering.json
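Review bot: `"enableDdosProtection": "[if(equals(parameters('enableDdoS'), 'Yes'), 'true', 'false')]"` on the hub virtual network yields the strings `'true'`/`'false'` for a property that is a boolean in the `Microsoft.Network/virtualNetworks` schema; `"enableDdosProtection": "[equals(parameters('enableDdoS'), 'Yes')]"` produces a real boolean and removes the reliance on the resource provider coercing a string. The same expression appears in the hub-spoke connectivity template earlier in this diff. `ddosPlanResourceId` is the only optional-feature parameter without a `defaultValue`, so every caller must supply one even when `enableDdoS` is `No`; `"defaultValue": ""` would match the other switches. This NVA variant also still declares `subnetMaskForAzFw` and the `fwSubnet` variable and will create `AzureFirewallSubnet` in the hub whenever that parameter is non-empty, although no firewall resource or `enableAzFw` switch exists here — if the subnet is intended for the NVA, a comment on the parameter saying so would help; otherwise it reads as a leftover from the hub-spoke template.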
@@ -0,0 +1,210 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "vNetRgName": { + "type": "string", + "metadata": { + "description": "Provide a name for the resource group that will contain the virtual network." + } + }, + "vNetName": { + "type": "string", + "metadata": { + "description": "Provide a name for the virtual network." + } + }, + "vNetLocation": { + "type": "string", + "metadata": { + "description": "Provide a location for the virtual network." + } + }, + "vNetCidrRange": { + "type": "string", + "metadata": { + "description": "Provide a CIDR range for the virtual network." + } + }, + "vNetPeerUseRemoteGateway": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Use remote gateway or not." + } + }, + "hubResourceId": { + "type": "string", + "metadata": { + "description": "Provide the resourceId for the hub." + } + }, + "dnsServers": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Provide DNS servers." 
+ } + }, + "azureFirewallResourceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Provide full resourceId of Azure Firewall if used as DNS proxy" + } + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('es-lz-vnet-',substring(uniqueString(subscription().id),0,6),'-rg')]", + "location": "[parameters('vNetLocation')]", + "dependsOn": [], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Resources/resourceGroups", + "apiVersion": "2020-06-01", + "name": "[parameters('vNetRgName')]", + "location": "[parameters('vNetLocation')]", + "properties": {} + }, + { + "type": "Microsoft.Resources/resourceGroups", + "apiVersion": "2020-06-01", + "name": "NetworkWatcherRG", + "location": "[parameters('vNetLocation')]", + "properties": {} + } + ], + "outputs": {} + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('es-lz-vnet-',substring(uniqueString(subscription().id),0,6))]", + "resourceGroup": "[parameters('vNetRgName')]", + "dependsOn": [ + "[concat('es-lz-vnet-',substring(uniqueString(subscription().id),0,6),'-rg')]" + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/virtualNetworks", + "apiVersion": "2020-06-01", + "name": "[parameters('vNetName')]", + "location": "[parameters('vNetLocation')]", + "dependsOn": [], + "properties": { + "addressSpace": { + "addressPrefixes": [ + "[parameters('vNetCidrRange')]" + ] + }, + "dhcpOptions": { + "dnsServers": "[if( + 
not( + empty( + parameters('azureFirewallResourceId'))), + array(reference(parameters('azureFirewallResourceId'), '2020-05-01').ipConfigurations[0].properties.privateIPAddress), + parameters('dnsServers'))]" + } + } + }, + { + "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings", + "apiVersion": "2020-05-01", + "name": "[concat(parameters('vNetName'), '/peerToHub')]", + "dependsOn": [ + "[parameters('vNetName')]" + ], + "properties": { + "remoteVirtualNetwork": { + "id": "[parameters('hubResourceId')]" + }, + "allowVirtualNetworkAccess": true, + "allowForwardedTraffic": true, + "allowGatewayTransit": true, + "useRemoteGateways": "[parameters('vNetPeerUseRemoteGateway')]" + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('es-lz-hub-',substring(uniqueString(subscription().id),0,6),'-peering')]", + "subscriptionId": "[split(parameters('hubResourceId'),'/')[2]]", + "resourceGroup": "[split(parameters('hubResourceId'),'/')[4]]", + "dependsOn": [ + "[parameters('vNetName')]" + ], + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "remoteVirtualNetwork": { + "value": "[concat(subscription().id,'/resourceGroups/',parameters('vNetRgName'), '/providers/','Microsoft.Network/virtualNetworks/', parameters('vNetName'))]" + }, + "hubName": { + "value": "[split(parameters('hubResourceId'),'/')[8]]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "remoteVirtualNetwork": { + "type": "String", + "defaultValue": false + }, + "hubName": { + "type": "String", + "defaultValue": false + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings", + "name": "[[concat(parameters('hubName'),'/',last(split(parameters('remoteVirtualNetwork'),'/')))]", + "apiVersion": 
"2020-05-01", + "properties": { + "allowVirtualNetworkAccess": true, + "allowForwardedTraffic": true, + "allowGatewayTransit": true, + "useRemoteGateways": false, + "remoteVirtualNetwork": { + "id": "[[parameters('remoteVirtualNetwork')]" + } + } + } + ], + "outputs": {} + } + } + } + ], + "outputs": {} + } + } + } + ], + "outputs": {} + } \ No newline at end of file diff --git a/eslzArm/subscriptionTemplates/vnetPeeringVwan.json b/eslzArm/subscriptionTemplates/vnetPeeringVwan.json new file mode 100644 index 0000000000..fb80af7c0f --- /dev/null +++ b/eslzArm/subscriptionTemplates/vnetPeeringVwan.json 
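Review bot: The spoke-side `peerToHub` peering sets `"allowGatewayTransit": true` on the same peering whose `useRemoteGateways` is driven by `vNetPeerUseRemoteGateway`; as far as I recall Azure rejects a peering with both flags true, and in any case the spoke has no gateway to offer for transit, so this should read `"allowGatewayTransit": false` (the hub-side peering in the inner template is where `true` belongs). Separately, the inner hub-peering template declares `remoteVirtualNetwork` and `hubName` as `"type": "String"` with `"defaultValue": false`, a boolean default on a string parameter that is masked only because both values are always passed in; drop the defaults or make them strings. The `split(parameters('hubResourceId'),'/')[2]`/`[4]`/`[8]` indexing also assumes a well-formed full resource ID, so a `metadata.description` spelling out the expected `/subscriptions/<id>/resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/<name>` form (or a `minLength`) would make a malformed input fail at validation instead of partway through the nested deployment.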
@@ -0,0 +1,167 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "vNetRgName": {
+ "type": "String"
+ },
+ "vNetName": {
+ "type": "String"
+ },
+ "vNetLocation": {
+ "type": "String"
+ },
+ "vNetCidrRange": {
+ "type": "String"
+ },
+ "vWanhubResourceId": {
+ "type": "String"
+ },
+ "dnsServers": {
+ "type": "array",
+ "defaultValue": [],
+ "metadata": {
+ "description": "Provide DNS servers."
+ }
+ },
+ "azureFirewallResourceId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Provide full resourceId of Azure Firewall if used as DNS proxy"
+ }
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "name": "[concat('es-lz-vnet-',substring(uniqueString(subscription().id),0,6),'-rg')]",
+ "location": "[parameters('vNetLocation')]",
+ "dependsOn": [],
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Resources/resourceGroups",
+ "apiVersion": "2020-06-01",
+ "name": "[parameters('vNetRgName')]",
+ "location": "[parameters('vNetLocation')]",
+ "properties": {}
+ },
+ {
+ "type": "Microsoft.Resources/resourceGroups",
+ "apiVersion": "2020-06-01",
+ "name": "NetworkWatcherRG",
+ "location": "[parameters('vNetLocation')]",
+ "properties": {}
+ }
+ ],
+ "outputs": {}
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "name": "[concat('es-lz-vnet-',substring(uniqueString(subscription().id),0,6))]",
+ "dependsOn": [
+ "[concat('es-lz-vnet-',substring(uniqueString(subscription().id),0,6),'-rg')]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Network/virtualNetworks",
+ "apiVersion": "2020-06-01",
+ "name": "[parameters('vNetName')]",
+ "location": "[parameters('vNetLocation')]",
+ "dependsOn": [],
+ "properties": {
+ "addressSpace": {
+ "addressPrefixes": [
+ "[parameters('vNetCidrRange')]"
+ ]
+ },
+ "dhcpOptions": {
+ "dnsServers": "[if(
+ not(
+ empty(
+ parameters('azureFirewallResourceId'))),
+ array(reference(parameters('azureFirewallResourceId'), '2020-05-01').hubIPAddresses.privateIPAddress),
+ parameters('dnsServers'))]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "name": "[concat('es-lz-vwanhub-',substring(uniqueString(subscription().id),0,6),'-peering')]",
+ "subscriptionId": "[split(parameters('vWanhubResourceId'),'/')[2]]",
+ "resourceGroup": "[split(parameters('vWanhubResourceId'),'/')[4]]",
+ "dependsOn": [
+ "[parameters('vNetName')]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "remoteVirtualNetwork": {
+ "Type": "string",
+ "defaultValue": false
+ },
+ "vWanvhubName": {
+ "Type": "string",
+ "defaultValue": false
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Network/virtualHubs/hubVirtualNetworkConnections",
+ "apiVersion": "2019-09-01",
+ "name": "[[concat(parameters('vWanVhubName'),'/',last(split(parameters('remoteVirtualNetwork'),'/')))]",
+ "properties": {
+ "remoteVirtualNetwork": {
+ "id": "[[parameters('remoteVirtualNetwork')]"
+ }
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "remoteVirtualNetwork": {
+ "value": "[concat(subscription().id,'/resourceGroups/',parameters('vNetRgName'), '/providers/','Microsoft.Network/virtualNetworks/', parameters('vNetName'))]"
+ },
+ "vWanvhubName": {
+ "value": "[split(parameters('vWanhubResourceId'),'/')[8]]"
+ }
+ }
+ }
+ }
+ ],
+ "outputs": {}
+ }
+ },
+ "resourceGroup": "[parameters('vNetRgName')]"
+ }
+ ],
+ "outputs": {}
+ }
\ No newline at end of file
diff --git a/eslzArm/subscriptionTemplates/vpnGateway.json b/eslzArm/subscriptionTemplates/vpnGateway.json
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/eslzArm/subscriptionTemplates/vwan-connectivity.json b/eslzArm/subscriptionTemplates/vwan-connectivity.json
new file mode 100644
index 0000000000..30746576f2
--- /dev/null
+++ b/eslzArm/subscriptionTemplates/vwan-connectivity.json
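Review bot: The inner `hubVirtualNetworkConnections` template declares its two parameters with a capitalised `"Type": "string"` key and a boolean `"defaultValue": false` on string parameters, and the parameter is declared and passed as `vWanvhubName` but referenced as `parameters('vWanVhubName')`; ARM's case-insensitive handling papers over all three today, but a stricter linter or a copy into a case-sensitive tool will not, so normalise to `"type": "string"`, remove the boolean defaults and use one spelling. The connection also sets nothing beyond `remoteVirtualNetwork`, so routing and internet-security behaviour for the spoke falls back to provider defaults; if the intent is that spoke traffic is inspected by the hub firewall referenced via `azureFirewallResourceId`, consider setting `enableInternetSecurity` and the routing configuration explicitly rather than relying on the default.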
@@ -0,0 +1,226 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "maxLength": 10,
+ "metadata": {
+ "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of Enterprise-scale."
+ }
+ },
+ "addressPrefix": {
+ "type": "string",
+ "metadata": {
+ "displayName": "addressPrefix",
+ "description": "Address prefix of the VHUB"
+ },
+ "defaultValue": "192.168.0.0/24"
+ },
+ "location": {
+ "type": "string",
+ "metadata": {
+ "displayName": "location",
+ "description": "Location of the VHUB"
+ },
+ "defaultValue": "[deployment().location]"
+ },
+ "enableHub": {
+ "type": "string",
+ "allowedValues": [
+ "vwan",
+ "No"
+ ],
+ "defaultValue": "No"
+ },
+ "enableAzFw": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "No"
+ },
+ "enableVpnGw": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "No"
+ },
+ "enableErGw": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "No"
+ },
+ "connectivitySubscriptionId": {
+ "type": "string"
+ },
+ "vpnGateWayScaleUnit": {
+ "type": "string",
+ "defaultValue": "1"
+ },
+ "expressRouteScaleUnit": {
+ "type": "string",
+ "defaultValue": "1"
+ }
+ },
+ "variables": {
+ "vWanName": "[concat(parameters('topLevelManagementGroupPrefix'), '-vwan-', parameters('location'))]",
+ "vpngwname": "[concat(parameters('topLevelManagementGroupPrefix'), '-vpngw-', parameters('location'))]",
+ "erGwName": "[concat(parameters('topLevelManagementGroupPrefix'), '-ergw-', parameters('location'))]",
+ "rgName": "[concat(parameters('topLevelManagementGroupPrefix'), '-vnethub-', parameters('location'))]",
+ "vHubName": "[concat(parameters('topLevelManagementGroupPrefix'), '-hub-', parameters('location'))]",
+ "azFwName": "[concat(parameters('topLevelManagementGroupPrefix'), '-fw-', parameters('location'))]",
+ "vWanSku": "Standard",
+ "vwanresourceid": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/' ,variables('rgName'),'/providers/Microsoft.Network/virtualWans/', variables('vwanname'))]",
+ "vwanhub": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'),'/providers/Microsoft.Network/virtualHubs/', variables('vhubname'))]",
+ "vhubsku": "Standard",
+ "vpnbgpasn": 65515,
+ "resourceDeploymentName": "[take(concat(deployment().name, '-vwan'), 64)]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "location": "[parameters('location')]",
+ "name": "[concat('EntScale', '-connectivitySub')]",
+ "subscriptionId": "[parameters('connectivitySubscriptionId')]",
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {},
+ "resources": [
+ {
+ "type": "Microsoft.Resources/resourceGroups",
+ "apiVersion": "2019-10-01",
+ "location": "[parameters('location')]",
+ "name": "[variables('rgName')]",
+ "properties": {}
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "[variables('resourceDeploymentName')]",
+ "resourceGroup": "[variables('rgName')]",
+ "dependsOn": [
+ "[concat('Microsoft.Resources/resourceGroups/', variables('rgName'))]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {},
+ "resources": [
+ {
+ "type": "Microsoft.Network/virtualWans",
+ "apiVersion": "2020-05-01",
+ "name": "[variables('vWanName')]",
+ "location": "[parameters('location')]",
+ "properties": {
+ "virtualHubs": [],
+ "vpnSites": [],
+ "type": "[variables('vwansku')]"
+ }
+ },
+ {
+ "condition": "[and(equals(parameters('enableHub'), 'vwan'), not(empty(parameters('addressPrefix'))))]",
+ "type": "Microsoft.Network/virtualHubs",
+ "apiVersion": "2020-05-01",
+ "location": "[parameters('location')]",
+ "name": "[variables('vhubname')]",
+ "dependsOn": [
+ "[concat('Microsoft.Network/virtualWans/', variables('vWanName'))]"
+ ],
+ "properties": {
+ "virtualWan": {
+ "id": "[variables('vwanresourceid')]"
+ },
+ "addressPrefix": "[parameters('addressPrefix')]",
+ "sku": "[variables('vhubsku')]"
+ }
+ },
+ {
+ "condition": "[and(equals(parameters('enableHub'), 'vwan'), equals(parameters('enableVpnGw'), 'Yes'))]",
+ "type": "Microsoft.Network/vpnGateways",
+ "apiVersion": "2020-05-01",
+ "location": "[parameters('location')]",
+ "name": "[variables('vpngwname')]",
+ "dependsOn": [
+ "[concat('Microsoft.Network/virtualHubs/',variables('vhubname'))]"
+ ],
+ "properties": {
+ "virtualHub": {
+ "id": "[variables('vwanhub')]"
+ },
+ "bgpSettings": {
+ "asn": "[variables('vpnbgpasn')]"
+ },
+ "vpnGatewayScaleUnit": "[int(parameters('vpnGateWayScaleUnit'))]"
+ }
+ },
+ {
+ "condition": "[and(equals(parameters('enableHub'), 'vwan'), equals(parameters('enableErGw'), 'Yes'))]",
+ "type": "Microsoft.Network/expressRouteGateways",
+ "apiVersion": "2020-05-01",
+ "location": "[parameters('location')]",
+ "name": "[variables('ergwname')]",
+ "dependsOn": [
+ "[concat('Microsoft.Network/virtualHubs/', variables('vhubname'))]"
+ ],
+ "properties": {
+ "virtualHub": {
+ "id": "[variables('vwanhub')]"
+ },
+ "autoScaleConfiguration": {
+ "bounds": {
+ "min": "[int(parameters('expressRouteScaleUnit'))]"
+ }
+ }
+ }
+ },
+ {
+ "condition": "[equals(parameters('enableAzFw'), 'Yes')]",
+ "apiVersion": "2020-05-01",
+ "type": "Microsoft.Network/azureFirewalls",
+ "name": "[variables('azfwname')]",
+ "location": "[parameters('location')]",
+ "dependsOn": [
+ "[concat('Microsoft.Network/virtualHubs/',variables('vhubname'))]"
+ ],
+ "properties": {
+ "sku": {
+ "Name": "AZFW_Hub",
+ "Tier": "Standard"
+ },
+ "hubIPAddresses": {
+ "publicIPs": {
+ "addresses": "[json('[]')]",
+ "count": 1
+ }
+ },
+ "virtualHub": {
+ "id": "[variables('vwanhub')]"
+ },
+ "firewallPolicy": {
+ "id": "[json('null')]"
+ }
+ }
+ }
+ ]
+ }
+ }
+ }
+ ]
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
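Review bot: The `Microsoft.Network/azureFirewalls` resource is conditioned only on `enableAzFw`, while every other hub-dependent resource in this template also requires `equals(parameters('enableHub'), 'vwan')`; with `enableAzFw=Yes` and `enableHub=No` the firewall references a virtual hub the template skipped, so the condition should be `"[and(equals(parameters('enableHub'), 'vwan'), equals(parameters('enableAzFw'), 'Yes'))]"`. The firewall is also created with `"firewallPolicy": { "id": "[json('null')]" }`, i.e. no policy and therefore no rules; I believe the `AZFW_Hub` SKU requires a Firewall Policy, and even if the API accepts a null here, a hub firewall with no policy provides none of the filtering this connectivity subscription exists to enforce, so take a policy resourceId as a parameter (or create a policy in this template) and pass it there. Minor: `vpnGateWayScaleUnit` and `expressRouteScaleUnit` are strings wrapped in `int()` at the point of use; declaring them as `"type": "int"` with `"minValue": 1` would reject a non-numeric value at validation time instead of mid-deployment.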