
Merge branch 'main' into FixPolicyDocs
jtracey93 authored Mar 4, 2024
2 parents 56036a6 + 2281ffd commit a8c94f6
Showing 6 changed files with 6,172 additions and 9 deletions.
4 changes: 4 additions & 0 deletions docs/wiki/Whats-new.md
Expand Up @@ -47,6 +47,10 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones:

- Added new AMA Policies and Initiatives to [ALZ Policies](./ALZ-Policies) documentation.

#### Tooling

- Add new Regulatory Compliance Policy Assignment flexibility feature

### February 2024

#### Tooling
1,543 changes: 1,541 additions & 2 deletions eslzArm/eslz-portal.json


275 changes: 272 additions & 3 deletions eslzArm/eslzArm.json
Expand Up @@ -832,6 +832,129 @@
"metadata": {
"description": "Name of the resource group to be created for the User Assigned Managed Identity in each subscription."
}
},
"regulatoryComplianceInitativesToAssign": {
"type": "array",
"defaultValue": [],
"metadata": {
"description": "Array of objects containing built-in Regulatory Compliance policies to assign to sepcfied Management Groups"
}
},
"regCompPolParAusGovIsmRestrictedVmAdminsExclude": {
"type": "string",
"defaultValue": ""
},
"regCompPolParAusGovIsmRestrictedResourceTypes": {
"type": "string",
"defaultValue": "all"
},
"regCompPolParMPAACertificateThumb": {
"type": "string",
"defaultValue": ""
},
"regCompPolParMPAAApplicationName": {
"type": "string",
"defaultValue": ""
},
"regCompPolParMPAAStoragePrefix": {
"type": "string",
"defaultValue": ""
},
"regCompPolParMPAAResGroupPrefix": {
"type": "string",
"defaultValue": ""
},
"regCompPolParMPAARBatchMetricName": {
"type": "string",
"defaultValue": ""
},
"regCompPolParSovBaseConfRegions": {
"type": "array",
"defaultValue": []
},
"regCompPolParSovBaseGlobalRegions": {
"type": "array",
"defaultValue": []
},
"regCompPolParSwift2020VmAdminsInclude": {
"type": "string",
"defaultValue": ""
},
"regCompPolParSwift2020DomainFqdn": {
"type": "string",
"defaultValue": ""
},
"regCompPolParCanadaFedPbmmVmAdminsInclude": {
"type": "string",
"defaultValue": ""
},
"regCompPolParCanadaFedPbmmVmAdminsExclude": {
"type": "string",
"defaultValue": ""
},
"regCompPolParCisV2KeyVaultKeysRotateDays": {
"type": "int",
"defaultValue": 90
},
"regCompPolParCmmcL3VmAdminsInclude": {
"type": "string",
"defaultValue": ""
},
"regCompPolParCmmcL3VmAdminsExclude": {
"type": "string",
"defaultValue": ""
},
"regCompPolParHitrustHipaaApplicationName": {
"type": "string",
"defaultValue": ""
},
"regCompPolParHitrustHipaaStoragePrefix": {
"type": "string",
"defaultValue": ""
},
"regCompPolParHitrustHipaaResGroupPrefix": {
"type": "string",
"defaultValue": ""
},
"regCompPolParHitrustHipaaCertificateThumb": {
"type": "string",
"defaultValue": ""
},
"regCompPolParIrs1075Sep2016VmAdminsExclude": {
"type": "string",
"defaultValue": ""
},
"regCompPolParIrs1075Sep2016VmAdminsInclude": {
"type": "string",
"defaultValue": ""
},
"regCompPolParNZIsmRestrictedVmAdminsInclude": {
"type": "string",
"defaultValue": ""
},
"regCompPolParNZIsmRestrictedVmAdminsExclude": {
"type": "string",
"defaultValue": ""
},
"regCompPolParNistSp800171R2VmAdminsExclude": {
"type": "string",
"defaultValue": ""
},
"regCompPolParNistSp800171R2VmAdminsInclude": {
"type": "string",
"defaultValue": ""
},
"regCompPolParSoc2Type2AllowedRegistries": {
"type": "string",
"defaultValue": "^[^\\/]+\\.azurecr\\.io\\/.+$"
},
"regCompPolParSoc2Type2MaxCpuUnits": {
"type": "string",
"defaultValue": "200m"
},
"regCompPolParSoc2Type2MaxMemoryBytes": {
"type": "string",
"defaultValue": "1Gi"
}
},
"variables": {
Expand Down Expand Up @@ -869,7 +992,7 @@
"input": "[items(variables('mgmtGroupsLite'))[copyIndex('mgmtGroupsESLiteArray')].value]"
}
],

// Declaring scopes that will be used for optional deployments, such as platform components (monitoring, networking, identity), policy assignments, subscription placement etc.
"scopes": {
"eslzRootManagementGroup": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('mgmtGroups').eslzRoot)]",
Expand Down Expand Up @@ -910,6 +1033,7 @@
"logAnalyticsPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-LogAnalyticsPolicyAssignment.json')]",
"monitoringSolutions": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/logAnalyticsSolutions.json')]",
"asbPolicyInitiative": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-ASBPolicyAssignment.json')]",
"regulatoryComplianceInitaitves": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-RegulatoryCompliancePolicyAssignment.json')]",
"resourceDiagnosticsInitiative": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-ResourceDiagnosticsPolicyAssignment.json')]",
"activityDiagnosticsPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-ActivityLogPolicyAssignment.json')]",
"mdfcConfigPolicyInitiative": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-MDFCConfigPolicyAssignment.json')]",
Expand Down Expand Up @@ -991,6 +1115,7 @@
"monitorServiceHealthDeploymentName": "[take(concat('alz-SvcHealthMonitor', variables('deploymentSuffix')), 64)]",
"monitoringSolutionsDeploymentName": "[take(concat('alz-Solutions', variables('deploymentSuffix')), 64)]",
"asbPolicyDeploymentName": "[take(concat('alz-ASB', variables('deploymentSuffix')), 64)]",
"regulatoryComplianceInitativesToAssignDeploymentName": "[take(concat('alz-RegComp-', deployment().location, '-', uniqueString(parameters('currentDateTimeUtcNow')), '-'), 64)]",
"resourceDiagnosticsPolicyDeploymentName": "[take(concat('alz-ResourceDiagnostics', variables('deploymentSuffix')), 64)]",
"activityDiagnosticsPolicyDeploymentName": "[take(concat('alz-ActivityDiagnostics', variables('deploymentSuffix')), 64)]",
"ascPolicyDeploymentName": "[take(concat('alz-ASC', variables('deploymentSuffix')), 64)]",
Expand Down Expand Up @@ -1920,6 +2045,150 @@
"parameters": {}
}
},
{
// Assigning Regulatory Compliance polices to desired management groups if condition is true
"condition": "[not(empty(parameters('regulatoryComplianceInitativesToAssign')))]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "[take(concat(variables('deploymentNames').regulatoryComplianceInitativesToAssignDeploymentName, if(contains(parameters('regulatoryComplianceInitativesToAssign')[copyIndex()].mg, '-'), split(parameters('regulatoryComplianceInitativesToAssign')[copyIndex()].mg, '-')[1], parameters('regulatoryComplianceInitativesToAssign')[copyIndex()].mg), '-', uniqueString(parameters('regulatoryComplianceInitativesToAssign')[copyIndex()].mg, parameters('regulatoryComplianceInitativesToAssign')[copyIndex()].policy.id)), 64)]",
"scope": "[concat('Microsoft.Management/managementGroups/', replace(parameters('regulatoryComplianceInitativesToAssign')[copyIndex()].mg, 'contoso', parameters('enterpriseScaleCompanyPrefix')))]",
"location": "[deployment().location]",
"dependsOn": [
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
"corpConnectedMoveLzs"
],
"copy": {
"name": "regCompAssignments",
"count": "[length(parameters('regulatoryComplianceInitativesToAssign'))]"
},
"properties": {
"mode": "Incremental",
"templateLink": {
"contentVersion": "1.0.0.0",
"uri": "[variables('deploymentUris').regulatoryComplianceInitaitves]"
},
"parameters": {
"topLevelManagementGroupPrefix": {
"value": "[parameters('enterpriseScaleCompanyPrefix')]"
},
"policySetDefinitionId": {
"value": "[parameters('regulatoryComplianceInitativesToAssign')[copyIndex()].policy.id]"
},
"policySetDefinitionDisplayName": {
"value": "[parameters('regulatoryComplianceInitativesToAssign')[copyIndex()].policy.displayName]"
},
"policySetDefinitionDescription": {
"value": "[parameters('regulatoryComplianceInitativesToAssign')[copyIndex()].policy.description]"
},
"policyAssignmentName": {
"value": "[take(concat('Enforce-RegComp-',uniqueString(replace(parameters('regulatoryComplianceInitativesToAssign')[copyIndex()].mg, 'contoso', parameters('enterpriseScaleCompanyPrefix')), parameters('regulatoryComplianceInitativesToAssign')[copyIndex()].policy.id)), 24)]"
},
"logAnalyticsWorkspaceId": {
"value": "[variables('platformResourceIds').logAnalyticsResourceId]"
},
"regCompPolParAusGovIsmRestrictedVmAdminsExclude": {
"value": "[parameters('regCompPolParAusGovIsmRestrictedVmAdminsExclude')]"
},
"regCompPolParAusGovIsmRestrictedResourceTypes": {
"value": "[parameters('regCompPolParAusGovIsmRestrictedResourceTypes')]"
},
"regCompPolParMPAACertificateThumb": {
"value": "[parameters('regCompPolParMPAACertificateThumb')]"
},
"regCompPolParMPAAApplicationName": {
"value": "[parameters('regCompPolParMPAAApplicationName')]"
},
"regCompPolParMPAAStoragePrefix": {
"value": "[parameters('regCompPolParMPAAStoragePrefix')]"
},
"regCompPolParMPAAResGroupPrefix": {
"value": "[parameters('regCompPolParMPAAResGroupPrefix')]"
},
"regCompPolParMPAARBatchMetricName": {
"value": "[parameters('regCompPolParMPAARBatchMetricName')]"
},
"regCompPolParSovBaseConfRegions": {
"value": "[parameters('regCompPolParSovBaseConfRegions')]"
},
"regCompPolParSovBaseGlobalRegions": {
"value": "[parameters('regCompPolParSovBaseGlobalRegions')]"
},
"regCompPolParSwift2020VmAdminsInclude": {
"value": "[parameters('regCompPolParSwift2020VmAdminsInclude')]"
},
"regCompPolParSwift2020DomainFqdn": {
"value": "[parameters('regCompPolParSwift2020DomainFqdn')]"
},
"regCompPolParCanadaFedPbmmVmAdminsInclude": {
"value": "[parameters('regCompPolParCanadaFedPbmmVmAdminsInclude')]"
},
"regCompPolParCanadaFedPbmmVmAdminsExclude": {
"value": "[parameters('regCompPolParCanadaFedPbmmVmAdminsExclude')]"
},
"regCompPolParCisV2KeyVaultKeysRotateDays": {
"value": "[parameters('regCompPolParCisV2KeyVaultKeysRotateDays')]"
},
"regCompPolParCmmcL3VmAdminsInclude": {
"value": "[parameters('regCompPolParCmmcL3VmAdminsInclude')]"
},
"regCompPolParCmmcL3VmAdminsExclude": {
"value": "[parameters('regCompPolParCmmcL3VmAdminsExclude')]"
},
"regCompPolParHitrustHipaaApplicationName": {
"value": "[parameters('regCompPolParHitrustHipaaApplicationName')]"
},
"regCompPolParHitrustHipaaStoragePrefix": {
"value": "[parameters('regCompPolParHitrustHipaaStoragePrefix')]"
},
"regCompPolParHitrustHipaaResGroupPrefix": {
"value": "[parameters('regCompPolParHitrustHipaaResGroupPrefix')]"
},
"regCompPolParHitrustHipaaCertificateThumb": {
"value": "[parameters('regCompPolParHitrustHipaaCertificateThumb')]"
},
"regCompPolParIrs1075Sep2016VmAdminsExclude": {
"value": "[parameters('regCompPolParIrs1075Sep2016VmAdminsExclude')]"
},
"regCompPolParIrs1075Sep2016VmAdminsInclude": {
"value": "[parameters('regCompPolParIrs1075Sep2016VmAdminsInclude')]"
},
"regCompPolParNZIsmRestrictedVmAdminsInclude": {
"value": "[parameters('regCompPolParNZIsmRestrictedVmAdminsInclude')]"
},
"regCompPolParNZIsmRestrictedVmAdminsExclude": {
"value": "[parameters('regCompPolParNZIsmRestrictedVmAdminsExclude')]"
},
"regCompPolParNistSp800171R2VmAdminsExclude": {
"value": "[parameters('regCompPolParNistSp800171R2VmAdminsExclude')]"
},
"regCompPolParNistSp800171R2VmAdminsInclude": {
"value": "[parameters('regCompPolParNistSp800171R2VmAdminsInclude')]"
},
"regCompPolParSoc2Type2AllowedRegistries": {
"value": "[parameters('regCompPolParSoc2Type2AllowedRegistries')]"
},
"regCompPolParSoc2Type2MaxCpuUnits": {
"value": "[parameters('regCompPolParSoc2Type2MaxCpuUnits')]"
},
"regCompPolParSoc2Type2MaxMemoryBytes": {
"value": "[parameters('regCompPolParSoc2Type2MaxMemoryBytes')]"
}
}
}
},
{
// Assigning Azure Monitor Resource Diagnostics policy to intermediate root management group if condition is true
"condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableLogAnalytics'), 'Yes'))]",
Expand Down Expand Up @@ -2025,7 +2294,7 @@
}
}
}
},
},
{
// Assigning Audit resource location matches resource group location policy to intermediate root management group
"condition": "[or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId'))))]",
Expand All @@ -2049,7 +2318,7 @@
}
}
}
},
},
{
// Assigning Azure Security Center configuration policy initiative to intermediate root management group if condition is true
"condition": "[and(or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId')))), equals(parameters('enableAsc'), 'Yes'), equals(environment().resourceManager, 'https://management.azure.com/'))]",
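Review bot: The `policyAssignmentName` value in the new regulatory compliance deployment, `take(concat('Enforce-RegComp-', uniqueString(...)), 24)`, keeps only 8 of the 13 characters `uniqueString` returns because the 16-character prefix consumes most of the 24-character assignment-name limit, so two initiatives assigned to the same management group differ only in a truncated hash and the name seen in compliance dashboards and activity logs says nothing about which standard is enforced; a shorter prefix such as `take(concat('Enforce-RC-', uniqueString(...)), 24)` keeps the full hash, and the standard is already conveyed by the `policySetDefinitionDisplayName` passed alongside it. The nested deployment `name` has the same shape: `regulatoryComplianceInitativesToAssignDeploymentName` already embeds `deployment().location` and a 13-character `uniqueString`, and with a long region name plus an `mg` segment such as `landingzones` the trailing `uniqueString(mg, policy.id)` that distinguishes per-initiative deployments is cut to a handful of characters by `take(..., 64)`, which is worth checking against a collision between two entries for one management group. None of the new `regCompPolPar*` parameters carry a `metadata.description`, unlike `regulatoryComplianceInitativesToAssign` and the parameter above it; for `regCompPolParSovBaseConfRegions` and `regCompPolParSovBaseGlobalRegions` (default `[]`) and the `*VmAdminsInclude`/`*VmAdminsExclude` strings (default `""`) the description should state what the empty default means for the assigned initiative, since whether an allowed-locations or local-administrators control then applies to everything or nothing is decided by the child template `ENFORCE-RegulatoryCompliancePolicyAssignment.json`, which is not in this diff — confirm it guards against empty values before an initiative with deny effects is assigned. Also note that the misspelling in `regulatoryComplianceInitativesToAssign` is now part of the template's parameter interface (and `regulatoryComplianceInitaitves` in `deploymentUris` spells it a third way), so it should be corrected before this ships or it becomes a breaking rename later; the `description` text `sepcfied` has the same problem.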
