From e9db68708de19c04bd8704942d54e50fc6755c74 Mon Sep 17 00:00:00 2001 From: Marvin Buss Date: Tue, 29 Jun 2021 18:42:31 +0200 Subject: [PATCH 01/12] Added Stream Analytics Custom Policies --- .../armTemplates/auxiliary/policies.json | 106 ++++++++++++++++++ .../armTemplates/auxiliary/policies.json | 106 ++++++++++++++++++ .../armTemplates/auxiliary/policies.json | 106 ++++++++++++++++++ .../armTemplates/auxiliary/policies.json | 106 ++++++++++++++++++ 4 files changed, 424 insertions(+) diff --git a/docs/reference/adventureworks/armTemplates/auxiliary/policies.json b/docs/reference/adventureworks/armTemplates/auxiliary/policies.json index 08fe691717..ac43054c25 100644 --- a/docs/reference/adventureworks/armTemplates/auxiliary/policies.json +++ b/docs/reference/adventureworks/armTemplates/auxiliary/policies.json 
@@ -18081,6 +18081,112 @@ } }, "name": "Deny-MachineLearning-ComputeCluster-Scale" + }, + { + "properties": { + "displayName": "Deny-StreamAnalytics-ClusterId", + "policyType": "Custom", + "mode": "Indexed", + "description": "Enforces use of stram analytics cluster.", + "metadata": { + "version": "1.0.0", + "category": "Stream Analytics" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.StreamAnalytics/streamingjobs" + }, + { + "anyOf": [ + { + "field": "Microsoft.StreamAnalytics/streamingjobs/cluster.id", + "exists": false + }, + { + "value": "[[empty(field('Microsoft.StreamAnalytics/streamingjobs/cluster.id'))]", + "equals": true + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-StreamAnalytics-ClusterId" + }, + { + "properties": { + "displayName": "Deny-StreamAnalytics-ClusterId", + "policyType": "Custom", + "mode": "Indexed", + "description": "Enforces use of stram analytics cluster.", + "metadata": { + "version": "1.0.0", + "category": "Stream Analytics" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.StreamAnalytics/streamingjobs" + }, + { + "anyOf": [ + { + "field": "Microsoft.StreamAnalytics/streamingjobs/cluster.id", + "exists": false + }, + { + "value": "[[empty(field('Microsoft.StreamAnalytics/streamingjobs/cluster.id'))]", + "equals": true + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + 
} + } + }, + "name": "Deny-StreamAnalytics-ClusterId" } ] }, diff --git a/docs/reference/contoso/armTemplates/auxiliary/policies.json b/docs/reference/contoso/armTemplates/auxiliary/policies.json index 08fe691717..ac43054c25 100644 --- a/docs/reference/contoso/armTemplates/auxiliary/policies.json +++ b/docs/reference/contoso/armTemplates/auxiliary/policies.json 
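Review bot: Two added entries in this hunk share `"name": "Deny-StreamAnalytics-ClusterId"` — the second object is a byte-identical copy of the first, so if this array feeds an ARM copy loop (as the eslzArm policies template does) the deployment would create two resources with the same name, which ARM is likely to reject, and at best it assigns the same definition twice. Drop the second object, keeping only one definition. Both copies also carry the description `"Enforces use of stram analytics cluster."`; `"Enforces use of a Stream Analytics cluster."` reads correctly. The same duplicated pair appears in the contoso, treyresearch and wingtip hunks of this patch. The enclosing policyDefinitions array starts outside the hunk.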
@@ -18081,6 +18081,112 @@ } }, "name": "Deny-MachineLearning-ComputeCluster-Scale" + }, + { + "properties": { + "displayName": "Deny-StreamAnalytics-ClusterId", + "policyType": "Custom", + "mode": "Indexed", + "description": "Enforces use of stram analytics cluster.", + "metadata": { + "version": "1.0.0", + "category": "Stream Analytics" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.StreamAnalytics/streamingjobs" + }, + { + "anyOf": [ + { + "field": "Microsoft.StreamAnalytics/streamingjobs/cluster.id", + "exists": false + }, + { + "value": "[[empty(field('Microsoft.StreamAnalytics/streamingjobs/cluster.id'))]", + "equals": true + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-StreamAnalytics-ClusterId" + }, + { + "properties": { + "displayName": "Deny-StreamAnalytics-ClusterId", + "policyType": "Custom", + "mode": "Indexed", + "description": "Enforces use of stram analytics cluster.", + "metadata": { + "version": "1.0.0", + "category": "Stream Analytics" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.StreamAnalytics/streamingjobs" + }, + { + "anyOf": [ + { + "field": "Microsoft.StreamAnalytics/streamingjobs/cluster.id", + "exists": false + }, + { + "value": "[[empty(field('Microsoft.StreamAnalytics/streamingjobs/cluster.id'))]", + "equals": true + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + 
} + } + }, + "name": "Deny-StreamAnalytics-ClusterId" } ] }, diff --git a/docs/reference/treyresearch/armTemplates/auxiliary/policies.json b/docs/reference/treyresearch/armTemplates/auxiliary/policies.json index 08fe691717..ac43054c25 100644 --- a/docs/reference/treyresearch/armTemplates/auxiliary/policies.json +++ b/docs/reference/treyresearch/armTemplates/auxiliary/policies.json 
@@ -18081,6 +18081,112 @@ } }, "name": "Deny-MachineLearning-ComputeCluster-Scale" + }, + { + "properties": { + "displayName": "Deny-StreamAnalytics-ClusterId", + "policyType": "Custom", + "mode": "Indexed", + "description": "Enforces use of stram analytics cluster.", + "metadata": { + "version": "1.0.0", + "category": "Stream Analytics" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.StreamAnalytics/streamingjobs" + }, + { + "anyOf": [ + { + "field": "Microsoft.StreamAnalytics/streamingjobs/cluster.id", + "exists": false + }, + { + "value": "[[empty(field('Microsoft.StreamAnalytics/streamingjobs/cluster.id'))]", + "equals": true + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-StreamAnalytics-ClusterId" + }, + { + "properties": { + "displayName": "Deny-StreamAnalytics-ClusterId", + "policyType": "Custom", + "mode": "Indexed", + "description": "Enforces use of stram analytics cluster.", + "metadata": { + "version": "1.0.0", + "category": "Stream Analytics" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.StreamAnalytics/streamingjobs" + }, + { + "anyOf": [ + { + "field": "Microsoft.StreamAnalytics/streamingjobs/cluster.id", + "exists": false + }, + { + "value": "[[empty(field('Microsoft.StreamAnalytics/streamingjobs/cluster.id'))]", + "equals": true + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + 
} + } + }, + "name": "Deny-StreamAnalytics-ClusterId" } ] }, diff --git a/docs/reference/wingtip/armTemplates/auxiliary/policies.json b/docs/reference/wingtip/armTemplates/auxiliary/policies.json index 08fe691717..ac43054c25 100644 --- a/docs/reference/wingtip/armTemplates/auxiliary/policies.json +++ b/docs/reference/wingtip/armTemplates/auxiliary/policies.json 
@@ -18081,6 +18081,112 @@ } }, "name": "Deny-MachineLearning-ComputeCluster-Scale" + }, + { + "properties": { + "displayName": "Deny-StreamAnalytics-ClusterId", + "policyType": "Custom", + "mode": "Indexed", + "description": "Enforces use of stram analytics cluster.", + "metadata": { + "version": "1.0.0", + "category": "Stream Analytics" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.StreamAnalytics/streamingjobs" + }, + { + "anyOf": [ + { + "field": "Microsoft.StreamAnalytics/streamingjobs/cluster.id", + "exists": false + }, + { + "value": "[[empty(field('Microsoft.StreamAnalytics/streamingjobs/cluster.id'))]", + "equals": true + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-StreamAnalytics-ClusterId" + }, + { + "properties": { + "displayName": "Deny-StreamAnalytics-ClusterId", + "policyType": "Custom", + "mode": "Indexed", + "description": "Enforces use of stram analytics cluster.", + "metadata": { + "version": "1.0.0", + "category": "Stream Analytics" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.StreamAnalytics/streamingjobs" + }, + { + "anyOf": [ + { + "field": "Microsoft.StreamAnalytics/streamingjobs/cluster.id", + "exists": false + }, + { + "value": "[[empty(field('Microsoft.StreamAnalytics/streamingjobs/cluster.id'))]", + "equals": true + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + 
} + } + }, + "name": "Deny-StreamAnalytics-ClusterId" } ] }, From 47cf3cd5584b65b3d1c4788397b98ec988e23e32 Mon Sep 17 00:00:00 2001 From: Marvin Buss Date: Thu, 26 Aug 2021 12:36:54 +0200 Subject: [PATCH 02/12] update to be consistent with eslz --- .../policyDefinitions/policies.json | 106 ------------------ 1 file changed, 106 deletions(-) diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/policies.json b/eslzArm/managementGroupTemplates/policyDefinitions/policies.json index 03d5c34f5f..ae57164bc4 100644 --- a/eslzArm/managementGroupTemplates/policyDefinitions/policies.json +++ b/eslzArm/managementGroupTemplates/policyDefinitions/policies.json 
@@ -14412,112 +14412,6 @@ } }, "name": "Deny-MachineLearning-ComputeCluster-Scale" - }, - { - "properties": { - "displayName": "Deny-StreamAnalytics-ClusterId", - "policyType": "Custom", - "mode": "Indexed", - "description": "Enforces use of stram analytics cluster.", - "metadata": { - "version": "1.0.0", - "category": "Stream Analytics" - }, - "parameters": { - "effect": { - "type": "String", - "metadata": { - "displayName": "Effect", - "description": "Enable or disable the execution of the policy" - }, - "allowedValues": [ - "Audit", - "Disabled", - "Deny" - ], - "defaultValue": "Deny" - } - }, - "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.StreamAnalytics/streamingjobs" - }, - { - "anyOf": [ - { - "field": "Microsoft.StreamAnalytics/streamingjobs/cluster.id", - "exists": false - }, - { - "value": "[[empty(field('Microsoft.StreamAnalytics/streamingjobs/cluster.id'))]", - "equals": true - } - ] - } - ] - }, - "then": { - "effect": "[[parameters('effect')]" - } - } - }, - "name": "Deny-StreamAnalytics-ClusterId" - }, - { - "properties": { - "displayName": "Deny-StreamAnalytics-ClusterId", - "policyType": "Custom", - "mode": "Indexed", - "description": "Enforces use of stram analytics cluster.", - "metadata": { - "version": "1.0.0", - "category": "Stream Analytics" - }, - "parameters": { - "effect": { - "type": "String", - "metadata": { - "displayName": "Effect", - "description": "Enable or disable the execution of the policy" - }, - "allowedValues": [ - "Audit", - "Disabled", - "Deny" - ], - "defaultValue": "Deny" - } - }, - "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.StreamAnalytics/streamingjobs" - }, - { - "anyOf": [ - { - "field": "Microsoft.StreamAnalytics/streamingjobs/cluster.id", - "exists": false - }, - { - "value": "[[empty(field('Microsoft.StreamAnalytics/streamingjobs/cluster.id'))]", - "equals": true - } - ] - } - ] - }, - "then": { - "effect": "[[parameters('effect')]" - 
} - } - }, - "name": "Deny-StreamAnalytics-ClusterId" } ] }, From 394820b5fdc28a6f7c8548f2e833fbf70ad06aca Mon Sep 17 00:00:00 2001 From: Marvin Buss Date: Thu, 26 Aug 2021 14:03:09 +0200 Subject: [PATCH 03/12] synch with azure main --- .../armTemplates/auxiliary/policies.json | 106 ------------------ 1 file changed, 106 deletions(-) diff --git a/docs/reference/treyresearch/armTemplates/auxiliary/policies.json b/docs/reference/treyresearch/armTemplates/auxiliary/policies.json index 45ea896b94..1fc396dfa9 100644 --- a/docs/reference/treyresearch/armTemplates/auxiliary/policies.json +++ b/docs/reference/treyresearch/armTemplates/auxiliary/policies.json 
@@ -18097,112 +18097,6 @@ } }, "name": "Deny-MachineLearning-ComputeCluster-Scale" - }, - { - "properties": { - "displayName": "Deny-StreamAnalytics-ClusterId", - "policyType": "Custom", - "mode": "Indexed", - "description": "Enforces use of stram analytics cluster.", - "metadata": { - "version": "1.0.0", - "category": "Stream Analytics" - }, - "parameters": { - "effect": { - "type": "String", - "metadata": { - "displayName": "Effect", - "description": "Enable or disable the execution of the policy" - }, - "allowedValues": [ - "Audit", - "Disabled", - "Deny" - ], - "defaultValue": "Deny" - } - }, - "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.StreamAnalytics/streamingjobs" - }, - { - "anyOf": [ - { - "field": "Microsoft.StreamAnalytics/streamingjobs/cluster.id", - "exists": false - }, - { - "value": "[[empty(field('Microsoft.StreamAnalytics/streamingjobs/cluster.id'))]", - "equals": true - } - ] - } - ] - }, - "then": { - "effect": "[[parameters('effect')]" - } - } - }, - "name": "Deny-StreamAnalytics-ClusterId" - }, - { - "properties": { - "displayName": "Deny-StreamAnalytics-ClusterId", - "policyType": "Custom", - "mode": "Indexed", - "description": "Enforces use of stram analytics cluster.", - "metadata": { - "version": "1.0.0", - "category": "Stream Analytics" - }, - "parameters": { - "effect": { - "type": "String", - "metadata": { - "displayName": "Effect", - "description": "Enable or disable the execution of the policy" - }, - "allowedValues": [ - "Audit", - "Disabled", - "Deny" - ], - "defaultValue": "Deny" - } - }, - "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.StreamAnalytics/streamingjobs" - }, - { - "anyOf": [ - { - "field": "Microsoft.StreamAnalytics/streamingjobs/cluster.id", - "exists": false - }, - { - "value": "[[empty(field('Microsoft.StreamAnalytics/streamingjobs/cluster.id'))]", - "equals": true - } - ] - } - ] - }, - "then": { - "effect": "[[parameters('effect')]" - 
} - } - }, - "name": "Deny-StreamAnalytics-ClusterId" } ] }, From baf93948ece65a9ab050220b729c35837cb78981 Mon Sep 17 00:00:00 2001 From: Marvin Buss Date: Tue, 7 Sep 2021 09:51:52 +0200 Subject: [PATCH 04/12] Added dataPolicies.json --- .../policyDefinitions/dataPolicies.json | 612 ++++++++++++++++++ 1 file changed, 612 insertions(+) create mode 100644 eslzArm/managementGroupTemplates/policyDefinitions/dataPolicies.json diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/dataPolicies.json b/eslzArm/managementGroupTemplates/policyDefinitions/dataPolicies.json new file mode 100644 index 0000000000..ccee2d6de8 --- /dev/null +++ b/eslzArm/managementGroupTemplates/policyDefinitions/dataPolicies.json 
@@ -0,0 +1,612 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "String", + "maxLength": 10, + "metadata": { + "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of Enterprise-scale." + } + } + }, + "variables": { + "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", + "policies": { + "policyDefinitions": [ + { + "properties": { + "displayName": "Control private endpoint connections to Azure Machine Learning", + "mode": "Indexed", + "description": "Audit private endpoints that are created in other subscriptions and/or tenants for Azure Machine Learning.", + "metadata": { + "version": "1.0.0", + "category": "Machine Learning" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.MachineLearningServices/workspaces" + }, + { + "count": { + "field": "Microsoft.MachineLearningServices/workspaces/privateEndpointConnections[*]", + "where": { + "field": "Microsoft.MachineLearningServices/workspaces/privateEndpointConnections[*].privateEndpoint.id", + "notContains": "[[subscription().id]" + } + }, + "greaterOrEquals": 1 + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Audit-MachineLearning-PrivateEndpointId" + }, + { + "properties": { + "displayName": "Enforces high business impact Azure Machine Learning Workspaces", + "mode": "Indexed", + "description": "Enforces high business impact Azure Machine Learning workspaces.", + 
"metadata": { + "version": "1.0.0", + "category": "Machine Learning" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.MachineLearningServices/workspaces" + }, + { + "anyOf": [ + { + "field": "Microsoft.MachineLearningServices/workspaces/hbiWorkspace", + "exists": false + }, + { + "field": "Microsoft.MachineLearningServices/workspaces/hbiWorkspace", + "notEquals": true + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-MachineLearning-HbiWorkspace" + }, + { + "properties": { + "displayName": "Deny public acces behind vnet to Azure Machine Learning workspace", + "mode": "Indexed", + "description": "Deny public access behind vnet to Azure Machine Learning workspaces.", + "metadata": { + "version": "1.0.0", + "category": "Machine Learning" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.MachineLearningServices/workspaces" + }, + { + "anyOf": [ + { + "field": "Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet", + "exists": false + }, + { + "field": "Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet", + "notEquals": false + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-MachineLearning-PublicAccessWhenBehindVnet" + }, + { + "properties": { + "displayName": "Deny AKS cluster creation in Azure Machine Learning", + "mode": 
"Indexed", + "description": "Deny AKS cluster creation in Azure Machine Learning and enforce connecting to existing clusters.", + "metadata": { + "version": "1.0.0", + "category": "Machine Learning" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.MachineLearningServices/workspaces/computes" + }, + { + "field": "Microsoft.MachineLearningServices/workspaces/computes/computeType", + "equals": "AKS" + }, + { + "anyOf": [ + { + "field": "Microsoft.MachineLearningServices/workspaces/computes/resourceId", + "exists": false + }, + { + "value": "[[empty(field('Microsoft.MachineLearningServices/workspaces/computes/resourceId'))]", + "equals": true + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-MachineLearning-Aks" + }, + { + "properties": { + "displayName": "Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances", + "mode": "Indexed", + "description": "Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances.", + "metadata": { + "version": "1.0.0", + "category": "Machine Learning" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.MachineLearningServices/workspaces/computes" + }, + { + "field": "Microsoft.MachineLearningServices/workspaces/computes/computeType", + "in": [ + "AmlCompute", + "ComputeInstance" + ] + }, + { + "anyOf": [ + { + "field": 
"Microsoft.MachineLearningServices/workspaces/computes/subnet.id", + "exists": false + }, + { + "value": "[[empty(field('Microsoft.MachineLearningServices/workspaces/computes/subnet.id'))]", + "equals": true + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-MachineLearning-Compute-SubnetId" + }, + { + "properties": { + "displayName": "Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances", + "mode": "Indexed", + "description": "Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances.", + "metadata": { + "version": "1.0.0", + "category": "Budget" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Deny" + }, + "allowedVmSizes": { + "type": "Array", + "metadata": { + "displayName": "Allowed VM Sizes for Aml Compute Clusters and Instances", + "description": "Specifies the allowed VM Sizes for Aml Compute Clusters and Instances" + }, + "defaultValue": [ + "Standard_D1_v2", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_DS1_v2", + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_M8-2ms", + "Standard_M8-4ms", + "Standard_M8ms", + "Standard_M16-4ms", + "Standard_M16-8ms", + "Standard_M16ms", + "Standard_M32-8ms", + "Standard_M32-16ms", + "Standard_M32ls", + "Standard_M32ms", + "Standard_M32ts", + "Standard_M64-16ms", + "Standard_M64-32ms", + "Standard_M64ls", + "Standard_M64ms", + "Standard_M64s", + "Standard_M128-32ms", + "Standard_M128-64ms", + "Standard_M128ms", + "Standard_M128s", + "Standard_M64", + "Standard_M64m", + 
"Standard_M128", + "Standard_M128m", + "Standard_D1", + "Standard_D2", + "Standard_D3", + "Standard_D4", + "Standard_D11", + "Standard_D12", + "Standard_D13", + "Standard_D14", + "Standard_DS15_v2", + "Standard_NV6", + "Standard_NV12", + "Standard_NV24", + "Standard_F2s_v2", + "Standard_F4s_v2", + "Standard_F8s_v2", + "Standard_F16s_v2", + "Standard_F32s_v2", + "Standard_F64s_v2", + "Standard_F72s_v2", + "Standard_NC6s_v3", + "Standard_NC12s_v3", + "Standard_NC24rs_v3", + "Standard_NC24s_v3", + "Standard_NC6", + "Standard_NC12", + "Standard_NC24", + "Standard_NC24r", + "Standard_ND6s", + "Standard_ND12s", + "Standard_ND24rs", + "Standard_ND24s", + "Standard_NC6s_v2", + "Standard_NC12s_v2", + "Standard_NC24rs_v2", + "Standard_NC24s_v2", + "Standard_ND40rs_v2", + "Standard_NV12s_v3", + "Standard_NV24s_v3", + "Standard_NV48s_v3" + ] + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.MachineLearningServices/workspaces/computes" + }, + { + "field": "Microsoft.MachineLearningServices/workspaces/computes/computeType", + "in": [ + "AmlCompute", + "ComputeInstance" + ] + }, + { + "field": "Microsoft.MachineLearningServices/workspaces/computes/vmSize", + "notIn": "[[parameters('allowedVmSizes')]" + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-MachineLearning-Compute-VmSize" + }, + { + "properties": { + "displayName": "Deny public access of Azure Machine Learning clusters via SSH", + "mode": "Indexed", + "description": "Deny public access of Azure Machine Learning clusters via SSH.", + "metadata": { + "version": "1.0.0", + "category": "Machine Learning" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": 
"Microsoft.MachineLearningServices/workspaces/computes" + }, + { + "field": "Microsoft.MachineLearningServices/workspaces/computes/computeType", + "equals": "AmlCompute" + }, + { + "anyOf": [ + { + "field": "Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess", + "exists": false + }, + { + "field": "Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess", + "notEquals": "Disabled" + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess" + }, + { + "properties": { + "displayName": "Enforce scale settings for Azure Machine Learning compute clusters", + "policyType": "Custom", + "mode": "Indexed", + "description": "Enforce scale settings for Azure Machine Learning compute clusters.", + "metadata": { + "version": "1.0.0", + "category": "Budget" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Deny" + }, + "maxNodeCount": { + "type": "Integer", + "metadata": { + "displayName": "Maximum Node Count", + "description": "Specifies the maximum node count of AML Clusters" + }, + "defaultValue": 10 + }, + "minNodeCount": { + "type": "Integer", + "metadata": { + "displayName": "Minimum Node Count", + "description": "Specifies the minimum node count of AML Clusters" + }, + "defaultValue": 0 + }, + "maxNodeIdleTimeInSecondsBeforeScaleDown": { + "type": "Integer", + "metadata": { + "displayName": "Maximum Node Idle Time in Seconds Before Scaledown", + "description": "Specifies the maximum node idle time in seconds before scaledown" + }, + "defaultValue": 900 + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.MachineLearningServices/workspaces/computes" + }, + { + "field": 
"Microsoft.MachineLearningServices/workspaces/computes/computeType", + "equals": "AmlCompute" + }, + { + "anyOf": [ + { + "field": "Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.maxNodeCount", + "greater": "[[parameters('maxNodeCount')]" + }, + { + "field": "Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.minNodeCount", + "greater": "[[parameters('minNodeCount')]" + }, + { + "value": "[[int(last(split(replace(replace(replace(replace(replace(replace(replace(field('Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.nodeIdleTimeBeforeScaleDown'), 'P', '/'), 'Y', '/'), 'M', '/'), 'D', '/'), 'T', '/'), 'H', '/'), 'S', ''), '/')))]", + "greater": "[[parameters('maxNodeIdleTimeInSecondsBeforeScaleDown')]" + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-MachineLearning-ComputeCluster-Scale" + } + ] + }, + "initiatives": { + "policySetDefinitions": [] + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "name": "[variables('policies').policyDefinitions[copyIndex()].name]", + "apiVersion": "2019-09-01", + "copy": { + "name": "policyDefinitionCopy", + "count": "[length(variables('policies').policyDefinitions)]" + }, + "properties": { + "displayName": "[variables('policies').policyDefinitions[copyIndex()].properties.displayName]", + "description": "[variables('policies').policyDefinitions[copyIndex()].properties.description]", + "mode": "[variables('policies').policyDefinitions[copyIndex()].properties.mode]", + "policyType": "Custom", + "parameters": "[variables('policies').policyDefinitions[copyIndex()].properties.parameters]", + "policyRule": "[variables('policies').policyDefinitions[copyIndex()].properties.policyRule]", + "metadata": "[variables('policies').policyDefinitions[copyIndex()].properties.metadata]" + } + }, + { + "type": "Microsoft.Authorization/policySetDefinitions", + "name": 
"[variables('initiatives').policySetDefinitions[copyIndex()].name]", + "apiVersion": "2019-09-01", + "dependsOn": [ + "policyDefinitionCopy" + ], + "copy": { + "name": "policySetDefinitionCopy", + "count": "[length(variables('initiatives').policySetDefinitions)]" + }, + "properties": { + "displayName": "[variables('initiatives').policySetDefinitions[copyIndex()].properties.displayName]", + "description": "[variables('initiatives').policySetDefinitions[copyIndex()].properties.description]", + "parameters": "[variables('initiatives').policySetDefinitions[copyIndex()].properties.parameters]", + "policyDefinitions": "[variables('initiatives').policySetDefinitions[copyIndex()].properties.policyDefinitions]", + "metadata": "[variables('initiatives').policySetDefinitions[copyIndex()].properties.metadata]" + } + } + ] +} \ No newline at end of file From 3652674690d1a263cf0b39a29e2aae64f7eaf294 Mon Sep 17 00:00:00 2001 From: Marvin Buss Date: Tue, 7 Sep 2021 09:57:27 +0200 Subject: [PATCH 05/12] * updated policy definition for private endpoints * removed policies from policies.json --- .../policyDefinitions/dataPolicies.json | 22 +- .../policyDefinitions/policies.json | 550 ------------------ 2 files changed, 14 insertions(+), 558 deletions(-) diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/dataPolicies.json b/eslzArm/managementGroupTemplates/policyDefinitions/dataPolicies.json index ccee2d6de8..5bc6a9224c 100644 --- a/eslzArm/managementGroupTemplates/policyDefinitions/dataPolicies.json +++ b/eslzArm/managementGroupTemplates/policyDefinitions/dataPolicies.json 
@@ -43,17 +43,23 @@ "allOf": [ { "field": "type", - "equals": "Microsoft.MachineLearningServices/workspaces" + "equals": "Microsoft.MachineLearningServices/workspaces/privateEndpointConnections" + }, + { + "field": "Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateLinkServiceConnectionState.status", + "equals": "Approved" }, { - "count": { - "field": "Microsoft.MachineLearningServices/workspaces/privateEndpointConnections[*]", - "where": { - "field": "Microsoft.MachineLearningServices/workspaces/privateEndpointConnections[*].privateEndpoint.id", - "notContains": "[[subscription().id]" + "anyOf": [ + { + "field": "Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id", + "exists": false + }, + { + "value": "[[split(concat(field('Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id'), '//'), '/')[2]]", + "notEquals": "[[subscription().subscriptionId]" } - }, - "greaterOrEquals": 1 + ] } ] }, diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/policies.json b/eslzArm/managementGroupTemplates/policyDefinitions/policies.json index e80610b235..f6947b8ead 100644 --- a/eslzArm/managementGroupTemplates/policyDefinitions/policies.json +++ b/eslzArm/managementGroupTemplates/policyDefinitions/policies.json 
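Review bot: The subscription check `"[[split(concat(field('...privateEndpoint.id'), '//'), '/')[2]]"` depends on the resource ID layout `/subscriptions/{subscriptionId}/...` and on the `'//'` padding keeping index 2 in range for a short or empty id, and nothing in the definition records either assumption; a sentence in the policy description such as `"The private endpoint's resource ID is expected to start with /subscriptions/{subscriptionId}/ and is compared with the workspace's subscription."` would make the intent reviewable. The added `privateLinkServiceConnectionState.status` equals `Approved` condition also means a pending cross-subscription request is not reported until someone approves it, which is acceptable only if approval is gated elsewhere and deserves a mention in the same description. The enclosing policy definition starts and ends outside the hunk.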
@@ -13866,556 +13866,6 @@ } }, "name": "Deploy-Storage-sslEnforcement" - }, - { - "properties": { - "displayName": "Audit-MachineLearning-PrivateEndpointId", - "mode": "Indexed", - "description": "Audit public endpoints that are created in other subscriptions for machine learning.", - "metadata": { - "version": "1.0.0", - "category": "Machine Learning" - }, - "parameters": { - "effect": { - "type": "String", - "metadata": { - "displayName": "Effect", - "description": "Enable or disable the execution of the policy" - }, - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "defaultValue": "Audit" - } - }, - "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.MachineLearningServices/workspaces" - }, - { - "count": { - "field": "Microsoft.MachineLearningServices/workspaces/privateEndpointConnections[*]", - "where": { - "field": "Microsoft.MachineLearningServices/workspaces/privateEndpointConnections[*].privateEndpoint.id", - "notContains": "[[subscription().id]" - } - }, - "greaterOrEquals": 1 - } - ] - }, - "then": { - "effect": "[[parameters('effect')]" - } - } - }, - "name": "Audit-MachineLearning-PrivateEndpointId" - }, - { - "properties": { - "displayName": "Deny-MachineLearning-HbiWorkspace", - "mode": "Indexed", - "description": "Enforce high business impact machine learning workspaces across the environment.", - "metadata": { - "version": "1.0.0", - "category": "Machine Learning" - }, - "parameters": { - "effect": { - "type": "String", - "metadata": { - "displayName": "Effect", - "description": "Enable or disable the execution of the policy" - }, - "allowedValues": [ - "Audit", - "Disabled", - "Deny" - ], - "defaultValue": "Deny" - } - }, - "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.MachineLearningServices/workspaces" - }, - { - "anyOf": [ - { - "field": "Microsoft.MachineLearningServices/workspaces/hbiWorkspace", - "exists": false - }, - { - "field": 
"Microsoft.MachineLearningServices/workspaces/hbiWorkspace", - "notEquals": true - } - ] - } - ] - }, - "then": { - "effect": "[[parameters('effect')]" - } - } - }, - "name": "Deny-MachineLearning-HbiWorkspace" - }, - { - "properties": { - "displayName": "Deny-MachineLearning-PublicAccessWhenBehindVnet", - "mode": "Indexed", - "description": "Deny public access behind vnet for machine learning workspaces.", - "metadata": { - "version": "1.0.0", - "category": "Machine Learning" - }, - "parameters": { - "effect": { - "type": "String", - "metadata": { - "displayName": "Effect", - "description": "Enable or disable the execution of the policy" - }, - "allowedValues": [ - "Audit", - "Disabled", - "Deny" - ], - "defaultValue": "Deny" - } - }, - "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.MachineLearningServices/workspaces" - }, - { - "anyOf": [ - { - "field": "Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet", - "exists": false - }, - { - "field": "Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet", - "notEquals": false - } - ] - } - ] - }, - "then": { - "effect": "[[parameters('effect')]" - } - } - }, - "name": "Deny-MachineLearning-PublicAccessWhenBehindVnet" - }, - { - "properties": { - "displayName": "Deny-MachineLearning-Aks", - "mode": "Indexed", - "description": "Deny AKS cluster creation in machine learning and enforce connecting to existing clusters.", - "metadata": { - "version": "1.0.0", - "category": "Machine Learning" - }, - "parameters": { - "effect": { - "type": "String", - "metadata": { - "displayName": "Effect", - "description": "Enable or disable the execution of the policy" - }, - "allowedValues": [ - "Audit", - "Disabled", - "Deny" - ], - "defaultValue": "Deny" - } - }, - "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.MachineLearningServices/workspaces/computes" - }, - { - "field": 
"Microsoft.MachineLearningServices/workspaces/computes/computeType", - "equals": "AKS" - }, - { - "anyOf": [ - { - "field": "Microsoft.MachineLearningServices/workspaces/computes/resourceId", - "exists": false - }, - { - "value": "[[empty(field('Microsoft.MachineLearningServices/workspaces/computes/resourceId'))]", - "equals": true - } - ] - } - ] - }, - "then": { - "effect": "[[parameters('effect')]" - } - } - }, - "name": "Deny-MachineLearning-Aks" - }, - { - "properties": { - "displayName": "Deny-MachineLearning-Compute-SubnetId", - "mode": "Indexed", - "description": "Enforce subnet connectivity for machine learning compute clusters and instances.", - "metadata": { - "version": "1.0.0", - "category": "Machine Learning" - }, - "parameters": { - "effect": { - "type": "String", - "metadata": { - "displayName": "Effect", - "description": "Enable or disable the execution of the policy" - }, - "allowedValues": [ - "Audit", - "Disabled", - "Deny" - ], - "defaultValue": "Deny" - } - }, - "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.MachineLearningServices/workspaces/computes" - }, - { - "field": "Microsoft.MachineLearningServices/workspaces/computes/computeType", - "in": [ - "AmlCompute", - "ComputeInstance" - ] - }, - { - "anyOf": [ - { - "field": "Microsoft.MachineLearningServices/workspaces/computes/subnet.id", - "exists": false - }, - { - "value": "[[empty(field('Microsoft.MachineLearningServices/workspaces/computes/subnet.id'))]", - "equals": true - } - ] - } - ] - }, - "then": { - "effect": "[[parameters('effect')]" - } - } - }, - "name": "Deny-MachineLearning-Compute-SubnetId" - }, - { - "properties": { - "displayName": "Deny-MachineLearning-Compute-VmSize", - "mode": "Indexed", - "description": "Limit allowed vm sizes for machine learning compute clusters and instances.", - "metadata": { - "version": "1.0.0", - "category": "Budget" - }, - "parameters": { - "effect": { - "type": "String", - "metadata": { - "displayName": 
"Effect", - "description": "Enable or disable the execution of the policy" - }, - "allowedValues": [ - "Audit", - "Disabled", - "Deny" - ], - "defaultValue": "Deny" - }, - "allowedVmSizes": { - "type": "Array", - "metadata": { - "displayName": "Allowed VM Sizes for Aml Compute Clusters and Instances", - "description": "Specifies the allowed VM Sizes for Aml Compute Clusters and Instances" - }, - "defaultValue": [ - "Standard_D1_v2", - "Standard_D2_v2", - "Standard_D3_v2", - "Standard_D4_v2", - "Standard_D11_v2", - "Standard_D12_v2", - "Standard_D13_v2", - "Standard_D14_v2", - "Standard_DS1_v2", - "Standard_DS2_v2", - "Standard_DS3_v2", - "Standard_DS4_v2", - "Standard_DS5_v2", - "Standard_DS11_v2", - "Standard_DS12_v2", - "Standard_DS13_v2", - "Standard_DS14_v2", - "Standard_M8-2ms", - "Standard_M8-4ms", - "Standard_M8ms", - "Standard_M16-4ms", - "Standard_M16-8ms", - "Standard_M16ms", - "Standard_M32-8ms", - "Standard_M32-16ms", - "Standard_M32ls", - "Standard_M32ms", - "Standard_M32ts", - "Standard_M64-16ms", - "Standard_M64-32ms", - "Standard_M64ls", - "Standard_M64ms", - "Standard_M64s", - "Standard_M128-32ms", - "Standard_M128-64ms", - "Standard_M128ms", - "Standard_M128s", - "Standard_M64", - "Standard_M64m", - "Standard_M128", - "Standard_M128m", - "Standard_D1", - "Standard_D2", - "Standard_D3", - "Standard_D4", - "Standard_D11", - "Standard_D12", - "Standard_D13", - "Standard_D14", - "Standard_DS15_v2", - "Standard_NV6", - "Standard_NV12", - "Standard_NV24", - "Standard_F2s_v2", - "Standard_F4s_v2", - "Standard_F8s_v2", - "Standard_F16s_v2", - "Standard_F32s_v2", - "Standard_F64s_v2", - "Standard_F72s_v2", - "Standard_NC6s_v3", - "Standard_NC12s_v3", - "Standard_NC24rs_v3", - "Standard_NC24s_v3", - "Standard_NC6", - "Standard_NC12", - "Standard_NC24", - "Standard_NC24r", - "Standard_ND6s", - "Standard_ND12s", - "Standard_ND24rs", - "Standard_ND24s", - "Standard_NC6s_v2", - "Standard_NC12s_v2", - "Standard_NC24rs_v2", - "Standard_NC24s_v2", - 
"Standard_ND40rs_v2", - "Standard_NV12s_v3", - "Standard_NV24s_v3", - "Standard_NV48s_v3" - ] - } - }, - "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.MachineLearningServices/workspaces/computes" - }, - { - "field": "Microsoft.MachineLearningServices/workspaces/computes/computeType", - "in": [ - "AmlCompute", - "ComputeInstance" - ] - }, - { - "field": "Microsoft.MachineLearningServices/workspaces/computes/vmSize", - "notIn": "[[parameters('allowedVmSizes')]" - } - ] - }, - "then": { - "effect": "[[parameters('effect')]" - } - } - }, - "name": "Deny-MachineLearning-Compute-VmSize" - }, - { - "properties": { - "displayName": "Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess", - "mode": "Indexed", - "description": "Deny public access of clusters via SSH.", - "metadata": { - "version": "1.0.0", - "category": "Machine Learning" - }, - "parameters": { - "effect": { - "type": "String", - "metadata": { - "displayName": "Effect", - "description": "Enable or disable the execution of the policy" - }, - "allowedValues": [ - "Audit", - "Disabled", - "Deny" - ], - "defaultValue": "Deny" - } - }, - "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.MachineLearningServices/workspaces/computes" - }, - { - "field": "Microsoft.MachineLearningServices/workspaces/computes/computeType", - "equals": "AmlCompute" - }, - { - "anyOf": [ - { - "field": "Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess", - "exists": false - }, - { - "field": "Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess", - "notEquals": "Disabled" - } - ] - } - ] - }, - "then": { - "effect": "[[parameters('effect')]" - } - } - }, - "name": "Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess" - }, - { - "properties": { - "displayName": "Deny-MachineLearning-ComputeCluster-Scale", - "policyType": "Custom", - "mode": "Indexed", - "description": "Enforce scale 
settings for machine learning compute clusters.", - "metadata": { - "version": "1.0.0", - "category": "Budget" - }, - "parameters": { - "effect": { - "type": "String", - "metadata": { - "displayName": "Effect", - "description": "Enable or disable the execution of the policy" - }, - "allowedValues": [ - "Audit", - "Disabled", - "Deny" - ], - "defaultValue": "Deny" - }, - "maxNodeCount": { - "type": "Integer", - "metadata": { - "displayName": "Maximum Node Count", - "description": "Specifies the maximum node count of AML Clusters" - }, - "defaultValue": 10 - }, - "minNodeCount": { - "type": "Integer", - "metadata": { - "displayName": "Minimum Node Count", - "description": "Specifies the minimum node count of AML Clusters" - }, - "defaultValue": 0 - }, - "maxNodeIdleTimeInSecondsBeforeScaleDown": { - "type": "Integer", - "metadata": { - "displayName": "Maximum Node Idle Time in Seconds Before Scaledown", - "description": "Specifies the maximum node idle time in seconds before scaledown" - }, - "defaultValue": 900 - } - }, - "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.MachineLearningServices/workspaces/computes" - }, - { - "field": "Microsoft.MachineLearningServices/workspaces/computes/computeType", - "equals": "AmlCompute" - }, - { - "anyOf": [ - { - "field": "Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.maxNodeCount", - "greater": "[[parameters('maxNodeCount')]" - }, - { - "field": "Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.minNodeCount", - "greater": "[[parameters('minNodeCount')]" - }, - { - "value": "[[int(last(split(replace(replace(replace(replace(replace(replace(replace(field('Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.nodeIdleTimeBeforeScaleDown'), 'P', '/'), 'Y', '/'), 'M', '/'), 'D', '/'), 'T', '/'), 'H', '/'), 'S', ''), '/')))]", - "greater": "[[parameters('maxNodeIdleTimeInSecondsBeforeScaleDown')]" - } - ] - } - ] - }, - "then": { - "effect": 
"[[parameters('effect')]" - } - } - }, - "name": "Deny-MachineLearning-ComputeCluster-Scale" } ] }, From a64b18787a9d004250c9eb394f462ff1d03e39b3 Mon Sep 17 00:00:00 2001 From: Marvin Buss Date: Tue, 7 Sep 2021 10:05:01 +0200 Subject: [PATCH 06/12] added databricks policies --- .../policyDefinitions/dataPolicies.json | 147 ++++++++++++++++++ 1 file changed, 147 insertions(+) diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/dataPolicies.json b/eslzArm/managementGroupTemplates/policyDefinitions/dataPolicies.json index 5bc6a9224c..7b4d70d302 100644 --- a/eslzArm/managementGroupTemplates/policyDefinitions/dataPolicies.json +++ b/eslzArm/managementGroupTemplates/policyDefinitions/dataPolicies.json 
@@ -569,6 +569,153 @@ } }, "name": "Deny-MachineLearning-ComputeCluster-Scale" + }, + { + "properties": { + "displayName": "Deny public IPs for Databricks cluster", + "policyType": "Custom", + "mode": "Indexed", + "description": "Denies the deployment of workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs.", + "metadata": { + "version": "1.0.0", + "category": "Databricks" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Databricks/workspaces" + }, + { + "field": "Microsoft.DataBricks/workspaces/parameters.enableNoPublicIp.value", + "notEquals": true + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-Databricks-NoPublicIp" + }, + { + "properties": { + "displayName": "Deny non-premium Databricks sku", + "policyType": "Custom", + "mode": "Indexed", + "description": "Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for AAD.", + "metadata": { + "version": "1.0.0", + "category": "Databricks" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Databricks/workspaces" + }, + { + "field": "Microsoft.DataBricks/workspaces/sku.name", + "notEquals": "premium" + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-Databricks-Sku" 
+ }, + { + "properties": { + "displayName": "Deny Databricks workspaces without Vnet injection", + "policyType": "Custom", + "mode": "Indexed", + "description": "Enforces the use of vnet injection for Databricks workspaces.", + "metadata": { + "version": "1.0.0", + "category": "Databricks" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Databricks/workspaces" + }, + { + "anyOf": [ + { + "field": "Microsoft.DataBricks/workspaces/parameters.customVirtualNetworkId.value", + "exists": false + }, + { + "field": "Microsoft.DataBricks/workspaces/parameters.customPublicSubnetName.value", + "exists": false + }, + { + "field": "Microsoft.DataBricks/workspaces/parameters.customPrivateSubnetName.value", + "exists": false + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-Databricks-VirtualNetwork" } ] }, From 643e49691339f56ffca5fa784680e401b2d21138 Mon Sep 17 00:00:00 2001 From: Marvin Buss Date: Tue, 7 Sep 2021 10:05:33 +0200 Subject: [PATCH 07/12] removed single policy definition files --- ...NY-DatabricksPublicIpPolicyDefinition.json | 55 --------------- .../DENY-DatabricksSkuPolicyDefinition.json | 55 --------------- ...abricksVirtualNetworkPolicyDefinition.json | 67 ------------------- 3 files changed, 177 deletions(-) delete mode 100644 eslzArm/managementGroupTemplates/policyDefinitions/DENY-DatabricksPublicIpPolicyDefinition.json delete mode 100644 eslzArm/managementGroupTemplates/policyDefinitions/DENY-DatabricksSkuPolicyDefinition.json delete mode 100644 eslzArm/managementGroupTemplates/policyDefinitions/DENY-DatabricksVirtualNetworkPolicyDefinition.json 
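Review bot: `Deny-Databricks-NoPublicIp` tests `parameters.enableNoPublicIp.value` with `notEquals: true` alone, while `Deny-Databricks-VirtualNetwork` in the same hunk and the earlier definitions in this file pair such checks with an `exists: false` branch; a workspace deployed without that parameter therefore depends on the engine's missing-field semantics for `notEquals` instead of an explicit condition. For consistency and so the intent is auditable, wrap the check in an `anyOf` that lists `{ "field": "Microsoft.DataBricks/workspaces/parameters.enableNoPublicIp.value", "exists": false }` beside the existing `notEquals` clause. The aliases are spelled `Microsoft.DataBricks/...` while the type comparison uses `Microsoft.Databricks/workspaces`; the engine appears to tolerate the case difference, but a single spelling would remove the doubt. The `displayName` values here are prose ("Deny public IPs for Databricks cluster") whereas every other definition in the file reuses its `name`, which makes the listing inconsistent.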
diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/DENY-DatabricksPublicIpPolicyDefinition.json b/eslzArm/managementGroupTemplates/policyDefinitions/DENY-DatabricksPublicIpPolicyDefinition.json deleted file mode 100644 index 1633471144..0000000000 --- a/eslzArm/managementGroupTemplates/policyDefinitions/DENY-DatabricksPublicIpPolicyDefinition.json +++ /dev/null @@ -1,55 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.Authorization/policyDefinitions", - "apiVersion": "2020-03-01", - "name": "Deny-Databricks-NoPublicIp", - "properties": { - "policyType": "Custom", - "mode": "Indexed", - "displayName": "Deny public IPs for Databricks clustern", - "description": "Denies the deployment of workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs.", - "parameters": { - "effect": { - "type": "String", - "metadata": { - "displayName": "Effect", - "description": "Enable or disable the execution of the policy" - }, - "allowedValues": [ - "Audit", - "Disabled", - "Deny" - ], - "defaultValue": "Deny" - } - }, - "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.Databricks/workspaces" - }, - { - "field": "Microsoft.DataBricks/workspaces/parameters.enableNoPublicIp.value", - "notEquals": true - } - ] - }, - "then": { - "effect": "[[parameters('effect')]" - } - }, - "metadata": { - "version": "1.0.0", - "category": "Databricks" - } - } - } - ] -} diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/DENY-DatabricksSkuPolicyDefinition.json b/eslzArm/managementGroupTemplates/policyDefinitions/DENY-DatabricksSkuPolicyDefinition.json deleted file mode 100644 index 6b8e86d9fa..0000000000 --- a/eslzArm/managementGroupTemplates/policyDefinitions/DENY-DatabricksSkuPolicyDefinition.json +++ /dev/null 
@@ -1,55 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.Authorization/policyDefinitions", - "apiVersion": "2020-03-01", - "name": "Deny-Databricks-Sku", - "properties": { - "policyType": "Custom", - "mode": "Indexed", - "displayName": "Deny non-premium databricks sku", - "description": "Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for AAD.", - "parameters": { - "effect": { - "type": "String", - "metadata": { - "displayName": "Effect", - "description": "Enable or disable the execution of the policy" - }, - "allowedValues": [ - "Audit", - "Disabled", - "Deny" - ], - "defaultValue": "Deny" - } - }, - "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.Databricks/workspaces" - }, - { - "field": "Microsoft.DataBricks/workspaces/sku.name", - "notEquals": "premium" - } - ] - }, - "then": { - "effect": "[[parameters('effect')]" - } - }, - "metadata": { - "version": "1.0.0", - "category": "Databricks" - } - } - } - ] -} diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/DENY-DatabricksVirtualNetworkPolicyDefinition.json b/eslzArm/managementGroupTemplates/policyDefinitions/DENY-DatabricksVirtualNetworkPolicyDefinition.json deleted file mode 100644 index 6e13a59e61..0000000000 --- a/eslzArm/managementGroupTemplates/policyDefinitions/DENY-DatabricksVirtualNetworkPolicyDefinition.json +++ /dev/null 
@@ -1,67 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.Authorization/policyDefinitions", - "apiVersion": "2020-03-01", - "name": "Deny-Databricks-VirtualNetwork", - "properties": { - "policyType": "Custom", - "mode": "Indexed", - "displayName": "Deny Databricks workspaces without Vnet injection", - "description": "Enforces the use of vnet injection for Databricks workspaces.", - "parameters": { - "effect": { - "type": "String", - "metadata": { - "displayName": "Effect", - "description": "Enable or disable the execution of the policy" - }, - "allowedValues": [ - "Audit", - "Disabled", - "Deny" - ], - "defaultValue": "Deny" - } - }, - "policyRule": { - "if": { - "allOf": [ - { - "field": "type", - "equals": "Microsoft.Databricks/workspaces" - }, - { - "anyOf": [ - { - "field": "Microsoft.DataBricks/workspaces/parameters.customVirtualNetworkId.value", - "exists": false - }, - { - "field": "Microsoft.DataBricks/workspaces/parameters.customPublicSubnetName.value", - "exists": false - }, - { - "field": "Microsoft.DataBricks/workspaces/parameters.customPrivateSubnetName.value", - "exists": false - } - ] - } - ] - }, - "then": { - "effect": "[[parameters('effect')]" - } - }, - "metadata": { - "version": "1.0.0", - "category": "Databricks" - } - } - } - ] -} From b98843bbd79677de2e62b36359ed3a58e75d5ce8 Mon Sep 17 00:00:00 2001 From: Marvin Buss Date: Tue, 7 Sep 2021 10:22:35 +0200 Subject: [PATCH 08/12] removed initiatives resource --- .../policyDefinitions/dataPolicies.json | 19 ------------------- 1 file changed, 19 deletions(-) diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/dataPolicies.json b/eslzArm/managementGroupTemplates/policyDefinitions/dataPolicies.json index 7b4d70d302..f6cc477893 100644 
--- a/eslzArm/managementGroupTemplates/policyDefinitions/dataPolicies.json +++ b/eslzArm/managementGroupTemplates/policyDefinitions/dataPolicies.json @@ -741,25 +741,6 @@ "policyRule": "[variables('policies').policyDefinitions[copyIndex()].properties.policyRule]", "metadata": "[variables('policies').policyDefinitions[copyIndex()].properties.metadata]" } - }, - { - "type": "Microsoft.Authorization/policySetDefinitions", - "name": "[variables('initiatives').policySetDefinitions[copyIndex()].name]", - "apiVersion": "2019-09-01", - "dependsOn": [ - "policyDefinitionCopy" - ], - "copy": { - "name": "policySetDefinitionCopy", - "count": "[length(variables('initiatives').policySetDefinitions)]" - }, - "properties": { - "displayName": "[variables('initiatives').policySetDefinitions[copyIndex()].properties.displayName]", - "description": "[variables('initiatives').policySetDefinitions[copyIndex()].properties.description]", - "parameters": "[variables('initiatives').policySetDefinitions[copyIndex()].properties.parameters]", - "policyDefinitions": "[variables('initiatives').policySetDefinitions[copyIndex()].properties.policyDefinitions]", - "metadata": "[variables('initiatives').policySetDefinitions[copyIndex()].properties.metadata]" - } } ] } \ No newline at end of file From 75f90db5a788ab9f089d63b91e01ee3cd12b25a9 Mon Sep 17 00:00:00 2001 From: Marvin Buss Date: Wed, 8 Sep 2021 10:47:35 +0200 Subject: [PATCH 09/12] Add Option to select Firewall SKU --- eslzArm/eslz-portal.json | 27 +++++++++++++++++++ eslzArm/eslzArm.json | 20 ++++++++++++++ .../hubspoke-connectivity.json | 12 +++++++++ .../vwan-connectivity.json | 10 ++++++- 4 files changed, 68 insertions(+), 1 deletion(-) diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json index 3d08941c04..6ab2a505f8 100644 --- a/eslzArm/eslz-portal.json +++ b/eslzArm/eslz-portal.json 
@@ -1463,6 +1463,32 @@ ] } }, + { + "name": "esAzFwSku", + "type": "Microsoft.Common.DropDown", + "label": "Select Azure Firewall Sku", + "defaultValue": "Standard", + "multiselect": false, + "selectAll": false, + "filter": false, + "multiLine": true, + "visible": "[equals(steps('esConnectivityGoalState').esAzFw, 'Yes')]", + "toolTip": "Select Azure Firewall Sku", + "constraints": { + "allowedValues": [ + { + "label": "Standard", + "description": "Standard Azure Firewall", + "value": "Standard" + }, + { + "label": "Premium", + "description": "Premium Azure Firewall adds support for TLS inspection, IDPS, URL filtering and web categories.", + "value": "Premium" + } + ] + } + }, { "name": "esFwAz", "type": "Microsoft.Common.DropDown", @@ -2311,6 +2337,7 @@ "enableVmMonitoring": "[steps('lzGoalState').esVmMonitoring]", "enableVmssMonitoring": "[steps('lzGoalState').esVmssMonitoring]", "vpnOrErZones": "[steps('esConnectivityGoalState').esGwRegionalOrAz]", + "firewallSku": "[steps('esConnectivityGoalState').esAzFwSku]", "firewallZones": "[steps('esConnectivityGoalState').esFwAz]", "paToken": "[steps('lzDevOps').esPaToken]", "principalId": "[steps('lzDevOps').spnSection.esServicePrincipal.objectId]", diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json index 4af83ed666..7fad607c45 100644 --- a/eslzArm/eslzArm.json +++ b/eslzArm/eslzArm.json @@ -503,6 +503,14 @@ "type": "string", "defaultValue": "" }, + "firewallSku": { + "type": "string", + "allowedValues": [ + "Standard", + "Premium" + ], + "defaultValue": "Standard" + }, "firewallZones": { "type": "array", "defaultValue": [] @@ -1442,6 +1450,9 @@ "subnetMaskForGw": { "value": "[parameters('subnetMaskForGw')]" }, + "firewallSku": { + "value": "[parameters('firewallSku')]" + }, "firewallZones": { "value": "[parameters('firewallZones')]" }, 
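Review bot: The new `firewallSku` parameter in eslzArm.json (`@@ -503`) carries no `metadata.description`, and the copies in hubspoke-connectivity.json (`@@ -111`) and vwan-connectivity.json (`@@ -41`) on the next line have the same gap, while the neighbouring hubspoke parameters do document themselves. Add `"metadata": { "description": "Azure Firewall tier. Premium adds support for TLS inspection, IDPS, URL filtering and web categories." }` to each, reusing the wording the portal dropdown in `@@ -1463` already shows the user. The portal control is only `visible` when `esAzFw` is `Yes` while the output in `@@ -2337` is mapped unconditionally; if a hidden control does not emit its `defaultValue`, the template default of `Standard` is what actually applies, and the description should say so.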
@@ -1575,6 +1586,9 @@ "enableAzFw": { "value": "[parameters('enableAzFw')]" }, + "firewallSku": { + "value": "[parameters('firewallSku')]" + }, "addressPrefix": { "value": "[parameters('addressPrefix')]" }, @@ -3141,6 +3155,9 @@ "subnetMaskForGw": { "value": "[parameters('subnetMaskForGw')]" }, + "firewallSku": { + "value": "[parameters('firewallSku')]" + }, "firewallZones": { "value": "[parameters('firewallZones')]" }, @@ -3278,6 +3295,9 @@ "enableAzFw": { "value": "[parameters('enableAzFw')]" }, + "firewallSku": { + "value": "[parameters('firewallSku')]" + }, "addressPrefix": { "value": "[parameters('addressPrefix')]" }, diff --git a/eslzArm/subscriptionTemplates/hubspoke-connectivity.json b/eslzArm/subscriptionTemplates/hubspoke-connectivity.json index 8b9a6e4d18..cb1a4c04f7 100644 --- a/eslzArm/subscriptionTemplates/hubspoke-connectivity.json +++ b/eslzArm/subscriptionTemplates/hubspoke-connectivity.json @@ -111,6 +111,14 @@ "description": "Provide subnet for VPN/ER." } }, + "firewallSku": { + "type": "string", + "allowedValues": [ + "Standard", + "Premium" + ], + "defaultValue": "Standard" + }, "firewallZones": { "type": "array", "defaultValue": [] @@ -410,6 +418,10 @@ "[concat('Microsoft.Network/virtualNetworks/', variables('hubName'))]" ], "properties": { + "sku": { + "name": "AZFW_VNet", + "tier": "[parameters('firewallSku')]" + }, "ipConfigurations": [ { "name": "[variables('azFwIpName')]", diff --git a/eslzArm/subscriptionTemplates/vwan-connectivity.json b/eslzArm/subscriptionTemplates/vwan-connectivity.json index fc117d915d..09bfc2dc08 100644 --- a/eslzArm/subscriptionTemplates/vwan-connectivity.json +++ b/eslzArm/subscriptionTemplates/vwan-connectivity.json @@ -41,6 +41,14 @@ ], "defaultValue": "No" }, + "firewallSku": { + "type": "string", + "allowedValues": [ + "Standard", + "Premium" + ], + "defaultValue": "Standard" + }, "enableVpnGw": { "type": "string", "allowedValues": [ 
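Review bot: The `sku` block added to the hubspoke firewall (`@@ -410`) makes Premium selectable, but Azure Firewall Premium is configured only through a Firewall Policy; if the rest of this resource's `properties` (outside the hunk) still carries classic `applicationRuleCollections`/`networkRuleCollections` rather than a `firewallPolicy` reference, a Premium deployment will be rejected and the portal dropdown gives no hint of that dependency. The same applies to the vWAN hub firewall in vwan-connectivity.json `@@ -198` on the next line, where the associated hub policy must itself be Premium tier before the firewall can be. As a style point, that template spells the keys `Name`/`Tier` while the new hubspoke block uses `name`/`tier`; deployment tolerates either casing, but the new code should settle on one.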
@@ -198,7 +206,7 @@ "properties": { "sku": { "Name": "AZFW_Hub", - "Tier": "Standard" + "Tier": "[parameters('firewallSku')]" }, "hubIPAddresses": { "publicIPs": { From 365a053937f1fed205020886a6b075584337001d Mon Sep 17 00:00:00 2001 From: Marvin Buss Date: Wed, 8 Sep 2021 16:00:45 +0200 Subject: [PATCH 10/12] added docs --- docs/wiki/Whats-new.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md index b32bdae4bb..e40c99cb41 100644 --- a/docs/wiki/Whats-new.md +++ b/docs/wiki/Whats-new.md @@ -30,6 +30,24 @@ This article will be updated as and when changes are made to the above and anyth Here's what's changed in Enterprise Scale: +### September 2021 + +#### Docs + +- *No updates, yet.* + +#### Tooling + +- Added Option to select Azure Firewall SKU (https://github.com/Azure/Enterprise-Scale/pull/793) + +### Policy + +- *No updates, yet.* + +### Other + +- *No updates, yet.* + ### August 2021 #### Docs From 6173d131c504edafbcb24c38c335b72ad6a83d1e Mon Sep 17 00:00:00 2001 From: Marvin Buss Date: Wed, 8 Sep 2021 16:59:49 +0200 Subject: [PATCH 11/12] updated label for firewall sku --- eslzArm/eslz-portal.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json index bee1ddd6c3..4222f144fc 100644 --- a/eslzArm/eslz-portal.json +++ b/eslzArm/eslz-portal.json @@ -1466,7 +1466,7 @@ { "name": "esAzFwSku", "type": "Microsoft.Common.DropDown", - "label": "Select Azure Firewall Sku", + "label": "Select Azure Firewall tier", "defaultValue": "Standard", "multiselect": false, "selectAll": false, From 66ffe60138cdd21b9a2e9cd84af3cd19748e7bd9 Mon Sep 17 00:00:00 2001 From: Marvin Buss Date: Wed, 8 Sep 2021 17:04:14 +0200 Subject: [PATCH 12/12] updating azure firewall tier tooltip --- eslzArm/eslz-portal.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json
index 4222f144fc..0a5c9f075c 100644
--- a/eslzArm/eslz-portal.json
+++ b/eslzArm/eslz-portal.json
@@ -1473,7 +1473,7 @@
 "filter": false,
 "multiLine": true,
 "visible": "[equals(steps('esConnectivityGoalState').esAzFw, 'Yes')]",
- "toolTip": "Select Azure Firewall Sku",
+ "toolTip": "Select Azure Firewall tier",
 "constraints": {
 "allowedValues": [
 {