Merge branch 'policy-refresh-q1fy25' of https://github.com/Azure/Ente…

…rprise-Scale into AIReady

docs/wiki/Whats-new.md

@@ -49,17 +49,19 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones:
 
 ### 🔃 Policy Refresh Q1 FY25
 
+- Updated ALZ custom policies enforcing minimum TLS versions to properly evaluate the minimum TLS version, ensuring services configured to deploy TLS 1.3 will successfully evaluate.
 - Updated the initiative [Deploy-MDFC-Config_20240319](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config_20240319.html) to the the newer version of DCSPM: [Configure Microsoft Defender CSPM plan](https://www.azadvertizer.net/azpolicyadvertizer/72f8cee7-2937-403d-84a1-a4e3e57f3c21.html)
 - Updated [Deploy-Private-DNS-Generic](https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Private-DNS-Generic.html) policy to include the ability to configure the location/region.
 - Removed duplicate assignment and portal option of [Deploy Azure Policy Add-on to Azure Kubernetes Service clusters](https://www.azadvertizer.net/azpolicyadvertizer/a8eff44f-8c92-45c3-a3fb-9880802d67a7.html) at Landing Zones scope, as this policy is assigned in the initiative [Deploy Microsoft Defender for Cloud configuration](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config_20240319.html) at Intermediate Root scope.
 - Updated the Deny-vNet-Peer-Cross-Sub.json definition policy to include a parameter for allowed virtual networks (vNets) in other subscriptions. For vNets to be permitted to peer, both vNet IDs must be added to the allowed list.
 - Added new built-in policy assignment and portal option for [Subnets should be private](https://www.azadvertizer.net/azpolicyadvertizer/7bca8353-aa3b-429b-904a-9229c4385837.html) assigned at Platform and Landing Zones management groups. This policy's assignment effect is defaulted to "Audit" in this release, giving the community time to adopt the good practice and address subnet compliance. We will default to the "Deny" effect as part of the next Policy Refresh.
 - Added option to select Diagnostic Settings category for logging to Log Analytics in the portal experience. You can now select between the recommended "All Logs" which covers almost all Azure resources, or "Audit Only" which is limited to resources that support this category.
-- Added additional built-in policies to initiatives for the following Azure AI services:
-  - OpenAI
-  - Cognitive Services/Search
+- Added additional built-in policies to initiatives for the following Azure AI Services:
+  - Azure OpenAI
+  - Cognitive Services/Search -> AI Services
   - Machine Learning
-  - Bot Service
+  - Bot Service (new) -> AI Bot Services
+- Updated the initiative [Deploy-MDFC-Config_20240319](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config_20240319.html) to include an additional parameter that allows you to specify if the Defender for Cloud export to Log Analytics should create a new resource group. This is useful when you want to specify the resource group name or requires tags on resource groups. Will be used by other RIs - Terraform and Bicep (portal accelerator will use default values).
 
 ### September 2024
 

src/resources/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS.json

@@ -9,7 +9,7 @@
     "displayName": "AppService append sites with minimum TLS version to enforce.",
     "description": "Append the AppService sites object to ensure that min Tls version is set to required minimum TLS version. Please note Append does not enforce compliance use then deny.",
     "metadata": {
-      "version": "1.1.0",
+      "version": "1.2.0",
       "category": "App Service",
       "source": "https://github.com/Azure/Enterprise-Scale/",
       "alzCloudEnvironments": [
@@ -35,6 +35,7 @@
         "type": "String",
         "defaultValue": "1.2",
         "allowedValues": [
+          "1.3",
           "1.2",
           "1.0",
           "1.1"
@@ -54,7 +55,7 @@
           },
           {
             "field": "Microsoft.Web/sites/config/minTlsVersion",
-            "notEquals": "[[parameters('minTlsVersion')]"
+            "less": "[[parameters('minTlsVersion')]"
           }
         ]
       },

src/resources/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement.json

@@ -9,7 +9,7 @@
     "displayName": "Azure Cache for Redis Append a specific min TLS version requirement and enforce TLS.",
     "description": "Append a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce  minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.",
     "metadata": {
-      "version": "1.0.0",
+      "version": "1.1.0",
       "category": "Cache",
       "source": "https://github.com/Azure/Enterprise-Scale/",
       "alzCloudEnvironments": [
@@ -56,7 +56,7 @@
             "anyOf": [
               {
                 "field": "Microsoft.Cache/Redis/minimumTlsVersion",
-                "notequals": "[[parameters('minimumTlsVersion')]"
+                "less": "[[parameters('minimumTlsVersion')]"
               }
             ]
           }

src/resources/Microsoft.Authorization/policyDefinitions/Deny-EH-MINTLS.json

@@ -9,7 +9,7 @@
         "displayName": "Event Hub namespaces should use a valid TLS version",
         "description": "Event Hub namespaces should use a valid TLS version.",
         "metadata": {
-            "version": "1.0.0",
+            "version": "1.1.0",
             "category": "Event Hub",
             "source": "https://github.com/Azure/Enterprise-Scale/",
             "alzCloudEnvironments": [
@@ -52,7 +52,7 @@
                         "anyOf": [
                             {
                                 "field": "Microsoft.EventHub/namespaces/minimumTlsVersion",
-                                "notEquals": "[[parameters('minTlsVersion')]"
+                                "less": "[[parameters('minTlsVersion')]"
                             },
                             {
                                 "field": "Microsoft.EventHub/namespaces/minimumTlsVersion",

src/resources/Microsoft.Authorization/policyDefinitions/Deny-MySql-http.json

@@ -9,7 +9,7 @@
     "displayName": "MySQL database servers enforce SSL connections.",
     "description": "Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.",
     "metadata": {
-      "version": "1.0.0",
+      "version": "1.1.0",
       "category": "SQL",
       "source": "https://github.com/Azure/Enterprise-Scale/",
       "alzCloudEnvironments": [
@@ -66,7 +66,7 @@
               },
               {
                 "field": "Microsoft.DBforMySQL/servers/minimalTlsVersion",
-                "notequals": "[[parameters('minimalTlsVersion')]"
+                "less": "[[parameters('minimalTlsVersion')]"
               }
             ]
           }

src/resources/Microsoft.Authorization/policyDefinitions/Deny-Redis-http.json

@@ -9,7 +9,7 @@
     "displayName": "Azure Cache for Redis only secure connections should be enabled",
     "description": "Audit enabling of only connections via SSL to Azure Cache for Redis. Validate both minimum TLS version and enableNonSslPort is disabled. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking",
     "metadata": {
-      "version": "1.0.0",
+      "version": "1.1.0",
       "category": "Cache",
       "source": "https://github.com/Azure/Enterprise-Scale/",
       "alzCloudEnvironments": [
@@ -41,7 +41,7 @@
           "1.0"
         ],
         "metadata": {
-          "displayName": "Select minumum TLS version for Azure Cache for Redis.",
+          "displayName": "Select minimum TLS version for Azure Cache for Redis.",
           "description": "Select minimum TLS version for Azure Cache for Redis."
         }
       }
@@ -61,7 +61,7 @@
               },
               {
                 "field": "Microsoft.Cache/Redis/minimumTlsVersion",
-                "notequals": "[[parameters('minimumTlsVersion')]"
+                "less": "[[parameters('minimumTlsVersion')]"
               }
             ]
           }

src/resources/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS.json

@@ -9,7 +9,7 @@
     "displayName": "Azure SQL Database should have the minimal TLS version set to the highest version",
     "description": "Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not reccomended since they have well documented security vunerabilities.",
     "metadata": {
-      "version": "1.0.0",
+      "version": "1.1.0",
       "category": "SQL",
       "source": "https://github.com/Azure/Enterprise-Scale/",
       "alzCloudEnvironments": [
@@ -61,7 +61,7 @@
               },
               {
                 "field": "Microsoft.Sql/servers/minimalTlsVersion",
-                "notequals": "[[parameters('minimalTlsVersion')]"
+                "less": "[[parameters('minimalTlsVersion')]"
               }
             ]
           }

src/resources/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS.json

@@ -7,9 +7,9 @@
     "policyType": "Custom",
     "mode": "Indexed",
     "displayName": "SQL Managed Instance should have the minimal TLS version set to the highest version",
-    "description": "Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not reccomended since they have well documented security vunerabilities.",
+    "description": "Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.",
     "metadata": {
-      "version": "1.0.0",
+      "version": "1.1.0",
       "category": "SQL",
       "source": "https://github.com/Azure/Enterprise-Scale/",
       "alzCloudEnvironments": [
@@ -61,7 +61,7 @@
               },
               {
                 "field": "Microsoft.Sql/managedInstances/minimalTlsVersion",
-                "notequals": "[[parameters('minimalTlsVersion')]"
+                "less": "[[parameters('minimalTlsVersion')]"
               }
             ]
           }

src/resources/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement.json

@@ -9,7 +9,7 @@
     "displayName": "Azure Database for MySQL server deploy a specific min TLS version and enforce SSL.",
     "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.",
     "metadata": {
-      "version": "1.1.0",
+      "version": "1.2.0",
       "category": "SQL",
       "source": "https://github.com/Azure/Enterprise-Scale/",
       "alzCloudEnvironments": [
@@ -61,7 +61,7 @@
               },
               {
                 "field": "Microsoft.DBforMySQL/servers/minimalTlsVersion",
-                "notequals": "[[parameters('minimalTlsVersion')]"
+                "less": "[[parameters('minimalTlsVersion')]"
               }
             ]
           }

src/resources/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement.json

@@ -9,7 +9,7 @@
     "displayName": "Azure Database for PostgreSQL server deploy a specific min TLS version requirement and enforce SSL ",
     "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enables secure server to client by enforce  minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.",
     "metadata": {
-      "version": "1.1.0",
+      "version": "1.2.0",
       "category": "SQL",
       "source": "https://github.com/Azure/Enterprise-Scale/",
       "alzCloudEnvironments": [
@@ -61,7 +61,7 @@
               },
               {
                 "field": "Microsoft.DBforPostgreSQL/servers/minimalTlsVersion",
-                "notEquals": "[[parameters('minimalTlsVersion')]"
+                "less": "[[parameters('minimalTlsVersion')]"
               }
             ]
           }

src/resources/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS.json

@@ -9,7 +9,7 @@
     "displayName": "SQL servers deploys a specific min TLS version requirement.",
     "description": "Deploys a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce  minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.",
     "metadata": {
-      "version": "1.1.0",
+      "version": "1.2.0",
       "category": "SQL",
       "source": "https://github.com/Azure/Enterprise-Scale/",
       "alzCloudEnvironments": [
@@ -54,7 +54,7 @@
           },
           {
             "field": "Microsoft.Sql/servers/minimalTlsVersion",
-            "notequals": "[[parameters('minimalTlsVersion')]"
+            "less": "[[parameters('minimalTlsVersion')]"
           }
         ]
       },

src/resources/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS.json

@@ -9,7 +9,7 @@
     "displayName": "SQL managed instances deploy a specific min TLS version requirement.",
     "description": "Deploy a specific min TLS version requirement and enforce SSL on SQL managed instances. Enables secure server to client by enforce  minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.",
     "metadata": {
-      "version": "1.2.0",
+      "version": "1.3.0",
       "category": "SQL",
       "source": "https://github.com/Azure/Enterprise-Scale/",
       "alzCloudEnvironments": [
@@ -54,7 +54,7 @@
           },
           {
             "field": "Microsoft.Sql/managedInstances/minimalTlsVersion",
-            "notequals": "[[parameters('minimalTlsVersion')]"
+            "less": "[[parameters('minimalTlsVersion')]"
           }
         ]
       },

src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement.json

@@ -9,7 +9,7 @@
     "displayName": "Azure Storage deploy a specific min TLS version requirement and enforce SSL/HTTPS ",
     "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Storage. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your Azure Storage.",
     "metadata": {
-      "version": "1.2.0",
+      "version": "1.3.0",
       "category": "Storage",
       "source": "https://github.com/Azure/Enterprise-Scale/",
       "alzCloudEnvironments": [
@@ -60,7 +60,7 @@
               },
               {
                 "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion",
-                "notEquals": "[[parameters('minimumTlsVersion')]"
+                "less": "[[parameters('minimumTlsVersion')]"
               }
             ]
           }

src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config_20240319.json

@@ -8,7 +8,7 @@
         "displayName": "Deploy Microsoft Defender for Cloud configuration",
         "description": "Deploy Microsoft Defender for Cloud configuration",
         "metadata": {
-            "version": "2.0.0",
+            "version": "2.1.0",
             "category": "Security Center",
             "source": "https://github.com/Azure/Enterprise-Scale/",
             "replacesPolicy": "Deploy-MDFC-Config",
@@ -59,6 +59,18 @@
                     "description": "The location where the resource group and the export to Log Analytics workspace configuration are created."
                 }
             },
+            "createResourceGroup":{
+                "type": "Boolean",
+                "metadata": {
+                    "displayName": "Create resource group",
+                    "description": "If a resource group does not exists in the scope, a new resource group will be created. If the resource group exists and this flag is set to 'true' the policy will re-deploy the resource group. Please note this will reset any Azure Tag on the resource group."
+                },
+                "defaultValue": true,
+                "allowedValues": [
+                    true,
+                    false
+                ]
+            },
             "enableAscForCosmosDbs": {
                 "type": "String",
                 "allowedValues": [
@@ -386,6 +398,9 @@
                     "resourceGroupLocation": {
                         "value": "[[parameters('ascExportResourceGroupLocation')]"
                     },
+                    "createResourceGroup": {
+                        "value": "[[parameters('createResourceGroup')]"
+                    },
                     "workspaceResourceId": {
                         "value": "[[parameters('logAnalytics')]"
                     }