Updated ALZ assignments (#198)
anwather authored Apr 20, 2023
1 parent 795d1fa commit c967ec6
Showing 7 changed files with 218 additions and 29 deletions.
3 changes: 3 additions & 0 deletions Docs/integrating-with-alz.md
Expand Up @@ -178,6 +178,9 @@ Carefully review the proposed changes before deploying them. It is best to make
!!! note
Assignments deployed via the ALZ accelerators are kept in sync with the EnterprisePolicyAsCode module so ensure you have the latest PowerShell module installed before running `Sync-CAFPolicies`

!!! tip
Rename or copy the default CAF assignment files - when you do a sync it makes it easier to compare changes.

## Keeping up to date with GitHub Actions

There is a GitHub action workflow which executes the above script. The process for configuring it is below.
2 changes: 1 addition & 1 deletion Module/EnterprisePolicyAsCode/EnterprisePolicyAsCode.psd1
Expand Up @@ -3,7 +3,7 @@
RootModule = 'EnterprisePolicyAsCode.psm1'

# Version number of this module.
ModuleVersion = '7.1.0'
ModuleVersion = '7.1.1'

# ID used to uniquely identify this module
GUID = '197a34e5-115d-4c15-a593-b004228be78b'
Original file line number Diff line number Diff line change
Expand Up @@ -89,46 +89,117 @@
"azureServiceBusNamespacePrivateDnsZoneId": "--DNSZonePrefix--privatelink.servicebus.windows.net')]",
"azureCognitiveSearchPrivateDnsZoneId": "--DNSZonePrefix--privatelink.search.windows.net')]"
}
}
]
},
{
"nodeName": "Databricks/",
"children": [
},
{
"nodeName": "NoDBPIP",
"nodeName": "NOPublicIP",
"assignment": {
"name": "Deny-DataB-Pip",
"displayName": "Prevent usage of Databricks with public IP",
"description": "Prevent the deployment of Databricks workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs."
"name": "Deny-Public-IP-On-NIC",
"description": "This policy denies network interfaces from having a public IP associated to it under the assigned scope.",
"displayName": "Deny network interfaces having a public IP associated"
},
"definitionEntry": {
"policyName": "Deny-Databricks-NoPublicIp",
"friendlyNameToDocumentIfGuid": "Deny Databricks with Public Ip"
"policyId": "/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114"
}
},
{
"nodeName": "DbPremium",
"nodeName": "DenyNetworking",
"assignment": {
"name": "Deny-DataB-Sku",
"displayName": "Enforces the use of Premium Databricks workspaces",
"description": "Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for AAD."
"name": "Deny-HybridNetworking",
"description": "Denies deployment of vWAN/ER/VPN gateway resources in the Corp landing zone.",
"displayName": "Deny the deployment of vWAN/ER/VPN gateway resources"
},
"definitionEntry": {
"policyName": "Deny-Databricks-Sku",
"friendlyNameToDocumentIfGuid": "Deny Databricks Sku"
"policyId": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749"
},
"parameters": {
"listOfResourceTypesNotAllowed": [
"microsoft.network/expressroutecircuits",
"microsoft.network/expressroutegateways",
"microsoft.network/expressrouteports",
"microsoft.network/virtualwans",
"microsoft.network/vpngateways",
"microsoft.network/p2svpngateways",
"microsoft.network/vpnsites",
"microsoft.network/virtualnetworkgateways"
]
}
},
{
"nodeName": "DbVnet",
"nodeName": "PLink",
"assignment": {
"name": "Deny-DataB-Vnet",
"displayName": "Enforces the use of vnet injection for Databricks",
"description": "Enforces the use of vnet injection for Databricks workspaces."
"name": "Audit-PeDnsZones",
"description": "Audits the deployment of Private Link Private DNS Zone resources in the Corp landing zone.",
"displayName": "Audit Private Link Private DNS Zone resources"
},
"definitionEntry": {
"policyName": "Deny-Databricks-VirtualNetwork",
"friendlyNameToDocumentIfGuid": "Deny Databricks Virtual Network"
"policyName": "Audit-PrivateLinkDnsZones"
},
"parameters": {
"privateLinkDnsZones": [
"privatelink.adf.azure.com",
"privatelink.afs.azure.net",
"privatelink.agentsvc.azure-automation.net",
"privatelink.analysis.windows.net",
"privatelink.api.azureml.ms",
"privatelink.azconfig.io",
"privatelink.azure-api.net",
"privatelink.azure-automation.net",
"privatelink.azurecr.io",
"privatelink.azure-devices.net",
"privatelink.azure-devices-provisioning.net",
"privatelink.azurehdinsight.net",
"privatelink.azurehealthcareapis.com",
"privatelink.azurestaticapps.net",
"privatelink.azuresynapse.net",
"privatelink.azurewebsites.net",
"privatelink.batch.azure.com",
"privatelink.blob.core.windows.net",
"privatelink.cassandra.cosmos.azure.com",
"privatelink.cognitiveservices.azure.com",
"privatelink.database.windows.net",
"privatelink.datafactory.azure.net",
"privatelink.dev.azuresynapse.net",
"privatelink.dfs.core.windows.net",
"privatelink.dicom.azurehealthcareapis.com",
"privatelink.digitaltwins.azure.net",
"privatelink.directline.botframework.com",
"privatelink.documents.azure.com",
"privatelink.eventgrid.azure.net",
"privatelink.file.core.windows.net",
"privatelink.gremlin.cosmos.azure.com",
"privatelink.guestconfiguration.azure.com",
"privatelink.his.arc.azure.com",
"privatelink.kubernetesconfiguration.azure.com",
"privatelink.managedhsm.azure.net",
"privatelink.mariadb.database.azure.com",
"privatelink.media.azure.net",
"privatelink.mongo.cosmos.azure.com",
"privatelink.monitor.azure.com",
"privatelink.mysql.database.azure.com",
"privatelink.notebooks.azure.net",
"privatelink.ods.opinsights.azure.com",
"privatelink.oms.opinsights.azure.com",
"privatelink.pbidedicated.windows.net",
"privatelink.postgres.database.azure.com",
"privatelink.prod.migration.windowsazure.com",
"privatelink.purview.azure.com",
"privatelink.purviewstudio.azure.com",
"privatelink.queue.core.windows.net",
"privatelink.redis.cache.windows.net",
"privatelink.redisenterprise.cache.azure.net",
"privatelink.search.windows.net",
"privatelink.service.signalr.net",
"privatelink.servicebus.windows.net",
"privatelink.siterecovery.windowsazure.com",
"privatelink.sql.azuresynapse.net",
"privatelink.table.core.windows.net",
"privatelink.table.cosmos.azure.com",
"privatelink.tip1.powerquery.microsoft.com",
"privatelink.token.botframework.com",
"privatelink.vaultcore.azure.net",
"privatelink.web.core.windows.net",
"privatelink.webpubsub.azure.com"
]
}
}
]
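Review bot: The Deny-HybridNetworking `listOfResourceTypesNotAllowed` list omits `microsoft.network/virtualhubs`, which the Sandbox assignment added in this same commit does deny; if the Corp intent is to block all vWAN resources as the description ("Denies deployment of vWAN/ER/VPN gateway resources") states, `"microsoft.network/virtualhubs",` belongs in this list as well — confirm against the upstream ALZ definition, since the omission may be deliberate. The new assignment objects in this hunk (NOPublicIP, DenyNetworking, PLink) order their keys `name`, `description`, `displayName`, whereas the new Decommissioned, MDE and Sandbox nodes in this commit and the pre-existing entries use `name`, `displayName`, `description`; picking one order throughout keeps future diffs readable. The enclosing object and its children array begin and end outside the hunk.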
Original file line number Diff line number Diff line change
@@ -0,0 +1,37 @@
{
"nodeName": "/Decommissioned/",
"scope": {
"tenant1": [
"/providers/Microsoft.Management/managementGroups/decommissioned"
]
},
"children": [
{
"nodeName": "Guardrails",
"assignment": {
"name": "Enforce-ALZ-Decomm",
"displayName": "Enforce ALZ Decommissioned Guardrails",
"description": "This initiative will help enforce and govern subscriptions that are placed within the decommissioned Management Group as part of your Subscription decommissioning process. See https://aka.ms/alz/policies for more information."
},
"definitionEntry": {
"policySetName": "Enforce-ALZ-Decomm"
},
"parameters": {
"listOfResourceTypesAllowed": [
"microsoft.consumption/tags",
"microsoft.authorization/roleassignments",
"microsoft.authorization/roledefinitions",
"microsoft.authorization/policyassignments",
"microsoft.authorization/locks",
"microsoft.authorization/policydefinitions",
"microsoft.authorization/policysetdefinitions",
"microsoft.resources/tags",
"microsoft.authorization/roleeligibilityschedules",
"microsoft.authorization/roleeligibilityscheduleinstances",
"microsoft.authorization/roleassignmentschedules",
"microsoft.authorization/roleassignmentscheduleinstances"
]
}
}
]
}
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,9 @@
"/providers/Microsoft.Management/managementGroups/landingzones"
]
},
"parameters": {
"logAnalyticsWorkspaceId": ""
},
"children": [
{
"nodeName": "AKS/",
Expand Down Expand Up @@ -139,12 +142,12 @@
{
"nodeName": "Auditing",
"assignment": {
"name": "Deploy-SQL-DB-Auditing",
"displayName": "Auditing on SQL server should be enabled",
"description": "Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log."
"name": "Deploy-AzSqlDb-Auditing",
"description": "To ensure the operations performed against your SQL assets are captured, SQL servers should have auditing enabled. If auditing is not enabled, this policy will configure auditing events to flow to the specified Log Analytics workspace.",
"displayName": "Configure SQL servers to have auditing enabled to Log Analytics workspace"
},
"definitionEntry": {
"policyName": "a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9",
"policyId": "/providers/Microsoft.Authorization/policyDefinitions/25da7dfb-0666-4a15-a8f5-402127efd8bb",
"friendlyNameToDocumentIfGuid": "Deploy SQL DB Auditing"
}
}
Expand Down Expand Up @@ -193,6 +196,33 @@
"policyName": "36d49e87-48c4-4f2e-beed-ba4ed02b71f5",
"friendlyNameToDocumentIfGuid": "Deploy SQL Threat Detection"
}
},
{
"nodeName": "ACSB",
"assignment": {
"name": "Enforce-ACSB",
"description": "This initiative assignment enables Azure Compute Security Baseline compliance auditing for Windows and Linux virtual machines.",
"displayName": "Enforce Azure Compute Security Baseline compliance auditing"
},
"definitionEntry": {
"policySetName": "Enforce-ACSB"
}
}
]
},
{
"nodeName": "KeyVault/",
"children": [
{
"nodeName": "KeyVault",
"assignment": {
"name": "Enforce-GR-KeyVault",
"description": "This initiative assignment enables recommended ALZ guardrails for Azure Key Vault.",
"displayName": "Enforce recommended guardrails for Azure Key Vault"
},
"definitionEntry": {
"policySetName": "Enforce-Guardrails-KeyVault"
}
}
]
}
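Review bot: The node-level `"logAnalyticsWorkspaceId": ""` added in the first hunk is an empty placeholder, and the Deploy-AzSqlDb-Auditing assignment in the second hunk points at a built-in definition whose displayName says it configures auditing to a Log Analytics workspace, so deploying with that value still empty is likely to leave the DeployIfNotExists assignment ineffective or failing at deployment time (inferred from the names — confirm against the definition's parameter list). Because an assignment file cannot carry a comment, document the required value where the sync process is described, e.g. in Docs/integrating-with-alz.md: "After running `Sync-CAFPolicies`, set `logAnalyticsWorkspaceId` in the landing zones assignment file to the resource ID of the workspace that should receive SQL audit logs; it is emitted as an empty string." The rewritten `definitionEntry` switches from a GUID `policyName` to a full `policyId` resource path while keeping the old `friendlyNameToDocumentIfGuid`; harmless if the module accepts both forms, but verify the friendly name still resolves in generated documentation. The enclosing object starts before the first hunk and the children array continues past the last.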
Original file line number Diff line number Diff line change
Expand Up @@ -53,6 +53,23 @@
"enableAscForOssDb": "Disabled",
"enableAscForCosmosDbs": "Disabled"
}
},
{
"nodeName": "MDE",
"assignment": {
"name": "Deploy-MDEndpoints",
"displayName": "[Preview]: Deploy Microsoft Defender for Endpoint agent",
"description": "Deploy Microsoft Defender for Endpoint agent on applicable images."
},
"definitionEntry": {
"policySetName": "e20d08c5-6d64-656d-6465-ce9e37fd0ebc"
},
"parameters": {
"microsoftDefenderForEndpointWindowsVmAgentDeployEffect": "DeployIfNotExists",
"microsoftDefenderForEndpointLinuxVmAgentDeployEffect": "DeployIfNotExists",
"microsoftDefenderForEndpointWindowsArcAgentDeployEffect": "DeployIfNotExists",
"microsoftDefenderForEndpointLinuxArcAgentDeployEffect": "DeployIfNotExists"
}
}
]
},
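Review bot: The MDE node's `definitionEntry` references the initiative by bare GUID (`"policySetName": "e20d08c5-6d64-656d-6465-ce9e37fd0ebc"`) without a `friendlyNameToDocumentIfGuid`, unlike the other GUID-keyed entries in this commit (e.g. `"friendlyNameToDocumentIfGuid": "Deploy SQL Threat Detection"`); add `"friendlyNameToDocumentIfGuid": "Deploy Microsoft Defender for Endpoint agent"` so generated documentation names it rather than printing the GUID. The displayName marks this as a `[Preview]` initiative, so its parameter names may change between syncs; a short line in the docs flagging it as preview would help whoever runs the next sync. The enclosing children array and parent object lie outside the hunk.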
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
{
"nodeName": "/Sandbox/",
"scope": {
"tenant1": [
"/providers/Microsoft.Management/managementGroups/sandbox"
]
},
"children": [
{
"nodeName": "Guardrails",
"assignment": {
"name": "Enforce-ALZ-Sandbox",
"displayName": "Enforce ALZ Sandbox Guardrails",
"description": "This initiative will help enforce and govern subscriptions that are placed within the Sandobx Management Group. See https://aka.ms/alz/policies for more information."
},
"definitionEntry": {
"policySetName": "Enforce-ALZ-Sandbox"
},
"parameters": {
"listOfResourceTypesNotAllowed": [
"microsoft.network/expressroutecircuits",
"microsoft.network/expressroutegateways",
"microsoft.network/virtualwans",
"microsoft.network/virtualhubs",
"microsoft.network/vpngateways",
"microsoft.network/vpnsites"
]
}
}
]
}
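Review bot: The description string contains a typo, `Sandobx`, which will appear verbatim in the deployed assignment and in any generated documentation; change it to `"description": "This initiative will help enforce and govern subscriptions that are placed within the Sandbox Management Group. See https://aka.ms/alz/policies for more information."`. The Sandbox deny list also differs from the Corp Deny-HybridNetworking list in this commit (it adds `microsoft.network/virtualhubs` but leaves out `expressrouteports`, `p2svpngateways` and `virtualnetworkgateways`); that may well be intended for a sandbox scope, but it is worth confirming against the upstream ALZ initiative before relying on it. This file is complete within the hunk.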
