Commit
Remove duplicate assignment and portal option for Azure Policy Add-on…
Springstone authored Jul 22, 2024
1 parent a15b193 commit eba566c
Showing 6 changed files with 6 additions and 166 deletions.
3 changes: 1 addition & 2 deletions docs/wiki/ALZ-Policies.md
Expand Up @@ -224,7 +224,7 @@ This is the parent management group for all the landing zone child management gr
| **Policy Type** | **Count** |
| :--- | :---: |
| `Policy Definition Sets` | **13** |
| `Policy Definitions` | **15** |
| `Policy Definitions` | **14** |
</td></tr> </table>

The table below provides the specific **Custom** and **Built-in** **policy definitions** and **policy definitions sets** assigned at the **Landing Zones Management Group**.
Expand All @@ -239,7 +239,6 @@ The table below provides the specific **Custom** and **Built-in** **policy defin
| **Subnets should have a Network Security Group** | **Subnets should have a Network Security Group** | `Policy Definition`, **Custom** | This policy denies the creation of a subnet without a Network Security Group. NSG help to protect traffic across subnet-level. | Deny |
| **Network interfaces should disable IP forwarding** | **Network interfaces should disable IP forwarding** | `Policy Definition`, **Built-in** | This policy denies the network interfaces which enabled IP forwarding. The setting of IP forwarding disables Azure's check of the source and destination for a network interface. | Deny |
| **Secure transfer to storage accounts should be enabled** | **Secure transfer to storage accounts should be enabled** | `Policy Definition`, **Built-in** | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit |
| **Deploy Azure Policy Add-on to Azure Kubernetes Service clusters** | **Deploy Azure Policy Add-on to Azure Kubernetes Service clusters** | `Policy Definition`, **Built-in** | Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. | DeployIfNotExists |
| **Configure SQL servers to have auditing enabled to Log Analytics workspace** | **Configure SQL servers to have auditing enabled to Log Analytics workspace** | `Policy Definition`, **Built-in** | To ensure the operations performed against your SQL assets are captured, SQL servers should have auditing enabled. If auditing is not enabled, this policy will configure auditing events to flow to the specified Log Analytics workspace. | DeployIfNotExists |
| **Deploy Threat Detection on SQL servers** | **Configure Azure Defender to be enabled on SQL servers** | `Policy Definition`, **Built-in** | Enable Azure Defender on your Azure SQL Servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | DeployIfNotExists |
| **Deploy TDE on SQL servers** | **Deploy TDE on SQL servers** | `Policy Definition`, **Built-in** | This policy ensures that Transparent Data Encryption is enabled on SQL Servers | DeployIfNotExists |
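Review bot: dropping the Deploy Azure Policy Add-on row is consistent with the count change in the previous hunk (Policy Definitions 15 to 14), but the table now gives no hint that AKS clusters at Landing Zones scope are still covered by the same policy through the Deploy-MDFC-Config initiative assigned at Intermediate Root; a short note under the table, or in the Intermediate Root section, would save readers from concluding the control was simply removed.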
4 changes: 4 additions & 0 deletions docs/wiki/Whats-new.md
Expand Up @@ -46,6 +46,10 @@ This article will be updated as and when changes are made to the above and anyth

Here's what's changed in Enterprise Scale/Azure Landing Zones:

### 🔃 Policy Refresh Q1 FY25

- Removed duplicate assignment and portal option of [Deploy Azure Policy Add-on to Azure Kubernetes Service clusters](https://www.azadvertizer.net/azpolicyadvertizer/a8eff44f-8c92-45c3-a3fb-9880802d67a7.html) at Landing Zones scope, as this policy is assigned in the initiative [Deploy Microsoft Defender for Cloud configuration](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config_20240319.html) at Intermediate Root scope.

### June 2024

#### Documentation
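Review bot: the new entry documents only the AKS Policy Add-on change, but this commit also deletes the `enableAscForDns` option group (Enable Microsoft Defender for Cloud for DNS) from `eslzArm/eslz-portal.json`; either add a bullet for that removal here as well or move it into its own commit so the changelog matches what shipped.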
Binary file modified docs/wiki/media/ALZ Policy Assignments v2.xlsx
47 changes: 1 addition & 46 deletions eslzArm/eslz-portal.json
Expand Up @@ -831,26 +831,6 @@
]
}
},
{
"name": "enableAscForDns",
"type": "Microsoft.Common.OptionsGroup",
"label": "Enable Microsoft Defender for Cloud for DNS",
"defaultValue": "Yes (recommended)",
"toolTip": "If 'Yes' is selected, Microsoft Defender for Cloud will be enabled for DNS.<br>Uses the custom initiative <a href=\"https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config.html\">Deploy Microsoft Defender for Cloud configuration</a>.",
"visible": "[and(equals(steps('management').enableAsc,'Yes'), or(equals(steps('basics').cloudEnvironment.selection, 'AzureCloud'), equals(steps('basics').cloudEnvironment.selection, 'AzureUSGovernment')))]",
"constraints": {
"allowedValues": [
{
"label": "Yes (recommended)",
"value": "DeployIfNotExists"
},
{
"label": "No",
"value": "Disabled"
}
]
}
},
{
"name": "enableAscForContainers",
"type": "Microsoft.Common.OptionsGroup",
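Review bot: removing the `enableAscForDns` control is unrelated to the stated purpose of the commit (the AKS Policy Add-on), and this diff shows no matching cleanup of its downstream references; check the outputs section of this file and any `enableAscForDns` parameter in `eslzArm/eslzArm.json`, because a `steps('management').enableAscForDns` reference left behind will break the portal form at load time.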
Expand Down Expand Up @@ -3966,7 +3946,7 @@
"type": "Microsoft.Common.OptionsGroup",
"label": "Assign recommended policies to govern identity and domain controllers",
"defaultValue": "Yes (recommended)",
"toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, Azure Policy will be assigned at the scope to govern your identity resources.",
"toolTip": "If 'Yes' is selected when also adding a subscription for identity, Azure Policy will be assigned at the scope to govern your identity resources.",
"constraints": {
"allowedValues": [
{
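Review bot: the tooltip wording fix from "connectivity" to "identity" is correct for a control labelled "govern identity and domain controllers", but it is a drive-by change not mentioned in the commit message; worth a line there so the intent is traceable.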
Expand Down Expand Up @@ -4374,30 +4354,6 @@
},
"visible": "[equals(steps('management').enableLogAnalytics,'Yes')]"
},
{
"name": "enableAksPolicy",
"type": "Microsoft.Common.OptionsGroup",
"label": "Enable Kubernetes (AKS) for Azure Policy",
"defaultValue": "Yes (recommended)",
"toolTip": "If 'Yes' is selected the Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters will be enabled.<br>Uses the policy <a href=\"https://www.azadvertizer.net/azpolicyadvertizer/a8eff44f-8c92-45c3-a3fb-9880802d67a7.html\">Deploy Azure Policy Add-on to Azure Kubernetes Service clusters</a>.",
"constraints": {
"allowedValues": [
{
"label": "Yes (recommended)",
"value": "Yes"
},
{
"label": "Audit only",
"value": "Audit"
},
{
"label": "No",
"value": "No"
}
]
},
"visible": true
},
{
"name": "denyAksPrivileged",
"type": "Microsoft.Common.OptionsGroup",
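Review bot: the removed control exposed an "Audit only" choice that the template mapped to `DoNotEnforce`; once it is gone, portal users lose the ability to choose audit versus enforce for the AKS Policy Add-on, and the effective mode is whatever the Deploy-MDFC-Config assignment at Intermediate Root sets. Suggest stating that in the tooltip of the remaining `enableAscForContainers` option or in the wiki so the loss of the per-scope choice is deliberate and visible.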
Expand Down Expand Up @@ -9073,7 +9029,6 @@
"enableVmMonitoring": "[steps('landingZones').lzSection.enableVmMonitoring]",
"enableVmssMonitoring": "[steps('landingZones').lzSection.enableVmssMonitoring]",
"enableVmHybridMonitoring": "[steps('landingZones').lzSection.enableVmHybridMonitoring]",
"enableAksPolicy": "[steps('landingZones').lzSection.enableAksPolicy]",
"denyAksPrivileged": "[steps('landingZones').lzSection.denyAksPrivileged]",
"denyAksPrivilegedEscalation": "[steps('landingZones').lzSection.denyAksPrivilegedEscalation]",
"denyHttpIngressForAks": "[steps('landingZones').lzSection.denyHttpIngressForAks]",
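Review bot: the outputs mapping for `enableAksPolicy` is removed to match the parameter deletion in `eslzArm.json`; also confirm no `visible` expression on a sibling AKS control (for example `denyAksPrivileged`) still evaluates `steps('landingZones').lzSection.enableAksPolicy`, since such expressions are not shown in this diff and a dangling reference would surface only at form render time.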
38 changes: 0 additions & 38 deletions eslzArm/eslzArm.json
Expand Up @@ -771,15 +771,6 @@
"description": "If 'Yes' is selected, policy will be assigned to enforce Hybrid VM monitoring."
}
},
"enableAksPolicy": {
"type": "string",
"defaultValue": "No",
"allowedValues": [
"Yes",
"Audit",
"No"
]
},
"denyAksPrivileged": {
"type": "string",
"defaultValue": "No",
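Review bot: deleting the `enableAksPolicy` parameter is a breaking change for anyone deploying `eslzArm.json` outside the portal, because ARM rejects a deployment that supplies a parameter the template no longer declares; pipelines that still pass `enableAksPolicy` (for example from a saved parameters file generated from the old portal form) will fail validation. Call this out in What's new alongside the portal change.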
Expand Down Expand Up @@ -1610,7 +1601,6 @@
"azVmssMonitorPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-VMSSMonitoringPolicyAssignment.json')]",
"azVmHybridMonitorPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-VMHybridMonitoringPolicyAssignment.json')]",
"azVmBackupPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-VMBackupPolicyAssignment.json')]",
"azPolicyForAksPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-AksPolicyPolicyAssignment.json')]",
"aksPrivEscalationPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-AksPrivEscalationPolicyAssignment.json')]",
"aksPrivilegedPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-AksPrivilegedPolicyAssignment.json')]",
"tlsSslPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-DINE-APPEND-TLS-SSL-PolicyAssignment.json')]",
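Review bot: the removed `azPolicyForAksPolicyAssignment` variable pointed at `managementGroupTemplates/policyAssignments/DINE-AksPolicyPolicyAssignment.json`; the sixth changed file in this commit is shown only as "This file was deleted", so confirm that is the template being removed and that no other variable or deployment still links to it, otherwise an orphaned template (or a broken `templateLink`) is left behind.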
Expand Down Expand Up @@ -1735,7 +1725,6 @@
"azVmHybridMonitorPolicyDeploymentName": "[take(concat('alz-AzVmHybridMonitor', variables('deploymentSuffix')), 64)]",
"azBackupLzPolicyDeploymentName": "[take(concat('alz-AzBackupLz', variables('deploymentSuffix')), 64)]",
"azBackupIdentityPolicyDeploymentName": "[take(concat('alz-AzBackupIdentity', variables('deploymentSuffix')), 64)]",
"azPolicyForAksPolicyDeploymentName": "[take(concat('alz-AksPolicy', variables('deploymentSuffix')), 64)]",
"aksPrivEscalationPolicyDeploymentName": "[take(concat('alz-AksPrivEsc', variables('deploymentSuffix')), 64)]",
"aksHttpsPolicyDeploymentName": "[take(concat('alz-AksHttps', variables('deploymentSuffix')), 64)]",
"aksPrivilegedPolicyDeploymentName": "[take(concat('alz-AksPrivileged', variables('deploymentSuffix')), 64)]",
Expand Down Expand Up @@ -6236,33 +6225,6 @@
}
}
},
{
// Assigning Azure Policy enablement policy for AKS to landing zones management group if condition is true
"condition": "[or(equals(parameters('enableAksPolicy'), 'Yes'), equals(parameters('enableAksPolicy'), 'Audit'))]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "[variables('deploymentNames').azPolicyForAksPolicyDeploymentName]",
"scope": "[variables('scopes').lzsManagementGroup]",
"location": "[deployment().location]",
"dependsOn": [
"policyCompletion"
],
"properties": {
"mode": "Incremental",
"templateLink": {
"contentVersion": "1.0.0.0",
"uri": "[variables('deploymentUris').azPolicyForAksPolicyAssignment]"
},
"parameters": {
"topLevelManagementGroupPrefix": {
"value": "[parameters('enterpriseScaleCompanyPrefix')]"
},
"enforcementMode": {
"value": "[if(equals(parameters('enableaksPolicy'), 'Yes'), 'Default', 'DoNotEnforce')]"
}
}
}
},
{
// Assigning Aks Priv Escalation policy to landing zones management group if condition is true
"condition": "[or(equals(parameters('denyAksPrivilegedEscalation'), 'Yes'), equals(parameters('denyAksPrivilegedEscalation'), 'Audit'))]",

This file was deleted.
