Merge pull request #97 from Azure/CAF/nov-29
Caf/nov 29 - update to match main policies
anwather authored Nov 29, 2022
2 parents 303f873 + a74c52a commit b87ea06
Showing 4 changed files with 113 additions and 108 deletions.
68 changes: 0 additions & 68 deletions Scripts/CloudAdoptionFramework/Assignments/CAF-CorpMG-Default.json

This file was deleted.

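--- a/Scripts/CloudAdoptionFramework/Assignments/CAF-CorpMG-Default.jsonc
+++ b/Scripts/CloudAdoptionFramework/Assignments/CAF-CorpMG-Default.jsonc
@@ -0,0 +1,107 @@
+{
+"nodeName": "/Corp/",
+"scope": {
+"tenant1": [
+"/providers/Microsoft.Management/managementGroups/corp"
+]
+},
+"children": [
+{
+"nodeName": "Networking/",
+"children": [
+{
+"nodeName": "PublicEndpoint",
+"assignment": {
+"name": "Deny-Public-Endpoints",
+"displayName": "Public network access should be disabled for PaaS services",
+"description": "This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints"
+},
+"definitionEntry": {
+"initiativeName": "Deny-PublicPaaSEndpoints",
+"friendlyNameToDocumentIfGuid": "Deny Public PaaS Endpoints"
+}
+},
+{
+"nodeName": "DNZZones",
+"assignment": {
+"name": "Deploy-Private-DNS-Zones",
+"displayName": "Configure Azure PaaS services to use private DNS zones",
+"description": "This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones."
+},
+"definitionEntry": {
+"initiativeName": "Deploy-Private-DNS-Zones",
+"friendlyNameToDocumentIfGuid": "Deploy Private DNS Zones"
+},
+"parameters": {
+// Replace DNSZonePrefix with a value similar to
+// "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myorg-dns/providers/Microsoft.Network/privateDnsZones/"
+// but modify to reference your connectivity subscription.
+// Replace location with the default deployment location.
+// If you don't require this then remove the assignment block.
+"azureFilePrivateDnsZoneId": "DNSZonePrefix.privatelink.afs.azure.net",
+"azureWebPrivateDnsZoneId": "DNSZonePrefix.privatelink.webpubsub.azure.com",
+"azureBatchPrivateDnsZoneId": "DNSZonePrefix.privatelink.location.batch.azure.com",
+"azureAppPrivateDnsZoneId": "DNSZonePrefix.privatelink.azconfig.io",
+"azureAsrPrivateDnsZoneId": "DNSZonePrefixlocation.privatelink.siterecovery.windowsazure.com",
+"azureIoTPrivateDnsZoneId": "DNSZonePrefix.privatelink.azure-devices-provisioning.net",
+"azureKeyVaultPrivateDnsZoneId": "DNSZonePrefix.privatelink.vaultcore.azure.net",
+"azureSignalRPrivateDnsZoneId": "DNSZonePrefix.privatelink.service.signalr.net",
+"azureAppServicesPrivateDnsZoneId": "DNSZonePrefix.privatelink.azurewebsites.net",
+"azureEventGridTopicsPrivateDnsZoneId": "DNSZonePrefix.privatelink.eventgrid.azure.net",
+"azureDiskAccessPrivateDnsZoneId": "DNSZonePrefix.privatelink.blob.core.windows.net",
+"azureCognitiveServicesPrivateDnsZoneId": "DNSZonePrefix.privatelink.cognitiveservices.azure.com",
+"azureIotHubsPrivateDnsZoneId": "DNSZonePrefix.privatelink.azure-devices.net",
+"azureEventGridDomainsPrivateDnsZoneId": "DNSZonePrefix.privatelink.eventgrid.azure.net",
+"azureRedisCachePrivateDnsZoneId": "DNSZonePrefix.privatelink.redis.cache.windows.net",
+"azureAcrPrivateDnsZoneId": "DNSZonePrefix.privatelink.azurecr.io",
+"azureEventHubNamespacePrivateDnsZoneId": "DNSZonePrefix.privatelink.servicebus.windows.net",
+"azureMachineLearningWorkspacePrivateDnsZoneId": "DNSZonePrefix.privatelink.api.azureml.ms",
+"azureServiceBusNamespacePrivateDnsZoneId": "DNSZonePrefix.privatelink.servicebus.windows.net",
+"azureCognitiveSearchPrivateDnsZoneId": "DNSZonePrefix.privatelink.search.windows.net"
+}
+}
+]
+},
+{
+"nodeName": "Databricks/",
+"children": [
+{
+"nodeName": "NoDBPIP",
+"assignment": {
+"name": "Deny-DataB-Pip",
+"displayName": "Prevent usage of Databricks with public IP",
+"description": "Prevent the deployment of Databricks workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs."
+},
+"definitionEntry": {
+"policyName": "Deny-Databricks-NoPublicIp",
+"friendlyNameToDocumentIfGuid": "Deny Databricks with Public Ip"
+}
+},
+{
+"nodeName": "DbPremium",
+"assignment": {
+"name": "Deny-DataB-Sku",
+"displayName": "Enforces the use of Premium Databricks workspaces",
+"description": "Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for AAD."
+},
+"definitionEntry": {
+"policyName": "Deny-Databricks-Sku",
+"friendlyNameToDocumentIfGuid": "Deny Databricks Sku"
+}
+},
+{
+"nodeName": "DbVnet",
+"assignment": {
+"name": "Deny-DataB-Vnet",
+"displayName": "Enforces the use of vnet injection for Databricks",
+"description": "Enforces the use of vnet injection for Databricks workspaces."
+},
+"definitionEntry": {
+"policyName": "Deny-Databricks-VirtualNetwork",
+"friendlyNameToDocumentIfGuid": "Deny Databricks Virtual Network"
+}
+}
+]
+}
+]
+}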
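Review bot: The DNSZonePrefix placeholder is used inconsistently in the Deploy-Private-DNS-Zones parameters: every zone id is written `DNSZonePrefix.privatelink...` except `azureAsrPrivateDnsZoneId`, which is `DNSZonePrefixlocation.privatelink.siterecovery.windowsazure.com` with no separator, and because the sample prefix in the comment ends in `/`, a verbatim replacement produces `.../privateDnsZones/.privatelink.afs.azure.net` for the former and `.../privateDnsZones/location.privatelink...` for the latter, only one of which can be the intended resource-id shape. Pick one contract and state it in the comment, e.g. drop the trailing `/` from the sample and write every value as `"azureFilePrivateDnsZoneId": "DNSZonePrefix/privatelink.afs.azure.net"`, with the ASR (and Batch) entries carrying the region in the same place. The node name `DNZZones` looks like a typo for `DNSZones`. Since the file now carries `//` comments, whatever reads `$definitionsRootFolder\assignments\CAF\` must accept JSON-with-comments, which I cannot confirm from this page. A placeholder left unreplaced would presumably only fail at remediation time rather than at assignment time, so a pre-sync check that no parameter value still contains `DNSZonePrefix` would be a cheap safeguard.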
44 changes: 5 additions & 39 deletions Scripts/CloudAdoptionFramework/Assignments/CAF-RootMG-Default.json
Expand Up @@ -20,12 +20,12 @@
"nodeName": "ASB",
"assignment": {
"name": "Deploy-ASC-Monitoring",
"displayName": "Azure Security Benchmark",
"description": "Azure Security Benchmark policy initiative"
"displayName": "Microsoft Cloud Security Benchmark",
"description": "Microsoft Cloud Security Benchmark policy initiative"
},
"definitionEntry": {
"initiativeName": "1f3afdf9-d0c9-4c3d-847f-89da613e70a8",
"friendlyNameToDocumentIfGuid": "Azure Security Benchmark"
"friendlyNameToDocumentIfGuid": "Microsoft Cloud Security Benchmark"
},
"parameters": {
"identityDesignateLessThanOwnersMonitoringEffect": "Disabled",
Expand Down Expand Up @@ -77,10 +77,7 @@
"policyName": "2465583e-4e78-4c15-b6be-a36cbc7c8b0f",
"friendlyNameToDocumentIfGuid": "Activity Logs"
},
"parameters": {
"effect": "DeployIfNotExists",
"logsEnabled": "True"
}
"parameters": {}
},
{
"nodeName": "ResourceDiagnostics",
Expand All @@ -93,9 +90,7 @@
"initiativeName": "Deploy-Diagnostics-LogAnalytics",
"friendlyNameToDocumentIfGuid": "Resource Diagnostics"
},
"parameters": {
"effect": "DeployIfNotExists"
}
"parameters": {}
},
{
"nodeName": "VMMonitoring",
Expand All @@ -122,35 +117,6 @@
}
}
]
},
{
"nodeName": "Compute",
"children": [
{
"nodeName": "Arc-Linux-Monitoring",
"assignment": {
"name": "Deploy-LX-Arc-Monitoring",
"displayName": "Deploy-Linux-Arc-Monitoring",
"description": "Deploy-Linux-Arc-Monitoring"
},
"definitionEntry": {
"policyName": "9d2b61b4-1d14-4a63-be30-d4498e7ad2cf",
"friendlyNameToDocumentIfGuid": "Arc Linux Monitoring"
}
},
{
"nodeName": "Arc-Windows-Monitoring",
"assignment": {
"name": "Deploy-Arc-Monitoring",
"displayName": "Deploy-Windows-Arc-Monitoring",
"description": "Deploy-Windows-Arc-Monitoring"
},
"definitionEntry": {
"policyName": "69af7d4a-7b18-4044-93a9-2651498ef203",
"friendlyNameToDocumentIfGuid": "Arc Windows Monitoring"
}
}
]
}
]
}
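Review bot: In the ActivityLogs and ResourceDiagnostics nodes the explicit `"effect": "DeployIfNotExists"` (and `"logsEnabled": "True"`) parameters are replaced by `"parameters": {}`, so both assignments now take their effect from the definitions' defaultValue, which is not visible here; if that default is anything other than DeployIfNotExists the diagnostic-settings deployment silently stops, so please confirm the defaults in the main policies or keep `"effect": "DeployIfNotExists"` pinned. In the last hunk the Compute node is removed without any added line, which suggests the `},` that closed the preceding node now sits directly before `]` as a trailing comma; lenient parsers accept that, but a strict JSON parser rejects it, so the closing should read `}` followed by `]`. The root object's opening lines are outside the hunks shown.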
2 changes: 1 addition & 1 deletion Scripts/CloudAdoptionFramework/Sync-CAFPolicies.ps1
Expand Up @@ -80,5 +80,5 @@ foreach ($initiativeFile in Get-ChildItem $definitionsRootFolder\Initiatives\CAF
$jsonContent | ConvertTo-Json -Depth 20 | Set-Content $initiativeFile
}

Copy-Item -Path .\Scripts\CloudAdoptionFramework\Assignments\*.json -Destination "$definitionsRootFolder\assignments\CAF\" -Force
Copy-Item -Path .\Scripts\CloudAdoptionFramework\Assignments\*.* -Destination "$definitionsRootFolder\assignments\CAF\" -Force
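Review bot: Widening the copy to `*.*` pulls every file in the Assignments folder into `$definitionsRootFolder\assignments\CAF\`, not only the new `.jsonc`, so any stray editor backup or scratch file left there becomes an assignment input on the next sync; an explicit list is safer, e.g. `Copy-Item -Path .\Scripts\CloudAdoptionFramework\Assignments\* -Include *.json,*.jsonc -Destination "$definitionsRootFolder\assignments\CAF\" -Force`. It also makes the `//` comments in the new `.jsonc` a requirement on whatever later reads that folder, which this script does not show. The preceding `foreach` closes at the `}` shown in the hunk; the Copy-Item itself is a top-level statement.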
