Add Regulatory Compliance Policy Assignment Flexibility Feature

docs/wiki/Whats-new.md

@@ -47,6 +47,10 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones:
 
 - Added new AMA Policies and Initiatives to [ALZ Policies](./ALZ-Policies) documentation.
 
+#### Tooling
+
+- Add new Regulatory Compliance Policy Assignment flexibility feature
+
 ### February 2024
 
 #### Tooling

eslzArm/eslzArm.json

@@ -832,6 +832,129 @@
             "metadata": {
                 "description": "Name of the resource group to be created for the User Assigned Managed Identity in each subscription."
             }
+        },
+        "regulatoryComplianceInitativesToAssign": {
+            "type": "array",
+            "defaultValue": [],
+            "metadata": {
+                "description": "Array of objects containing built-in Regulatory Compliance policies to assign to sepcfied Management Groups"
+            }
+        },
+        "regCompPolParAusGovIsmRestrictedVmAdminsExclude": {
+            "type": "string",
+            "defaultValue": ""
+        },
+        "regCompPolParAusGovIsmRestrictedResourceTypes": {
+            "type": "string",
+            "defaultValue": "all"
+        },
+        "regCompPolParMPAACertificateThumb": {
+            "type": "string",
+            "defaultValue": ""
+        },
+        "regCompPolParMPAAApplicationName": {
+            "type": "string",
+            "defaultValue": ""
+        },
+        "regCompPolParMPAAStoragePrefix": {
+            "type": "string",
+            "defaultValue": ""
+        },
+        "regCompPolParMPAAResGroupPrefix": {
+            "type": "string",
+            "defaultValue": ""
+        },
+        "regCompPolParMPAARBatchMetricName": {
+            "type": "string",
+            "defaultValue": ""
+        },
+        "regCompPolParSovBaseConfRegions": {
+            "type": "array",
+            "defaultValue": []
+        },
+        "regCompPolParSovBaseGlobalRegions": {
+            "type": "array",
+            "defaultValue": []
+        },
+        "regCompPolParSwift2020VmAdminsInclude": {
+            "type": "string",
+            "defaultValue": ""
+        },
+        "regCompPolParSwift2020DomainFqdn": {
+            "type": "string",
+            "defaultValue": ""
+        },
+        "regCompPolParCanadaFedPbmmVmAdminsInclude": {
+            "type": "string",
+            "defaultValue": ""
+        },
+        "regCompPolParCanadaFedPbmmVmAdminsExclude": {
+            "type": "string",
+            "defaultValue": ""
+        },
+        "regCompPolParCisV2KeyVaultKeysRotateDays": {
+            "type": "int",
+            "defaultValue": 90
+        },
+        "regCompPolParCmmcL3VmAdminsInclude": {
+            "type": "string",
+            "defaultValue": ""
+        },
+        "regCompPolParCmmcL3VmAdminsExclude": {
+            "type": "string",
+            "defaultValue": ""
+        },
+        "regCompPolParHitrustHipaaApplicationName": {
+            "type": "string",
+            "defaultValue": ""
+        },
+        "regCompPolParHitrustHipaaStoragePrefix": {
+            "type": "string",
+            "defaultValue": ""
+        },
+        "regCompPolParHitrustHipaaResGroupPrefix": {
+            "type": "string",
+            "defaultValue": ""
+        },
+        "regCompPolParHitrustHipaaCertificateThumb": {
+            "type": "string",
+            "defaultValue": ""
+        },
+        "regCompPolParIrs1075Sep2016VmAdminsExclude": {
+            "type": "string",
+            "defaultValue": ""
+        },
+        "regCompPolParIrs1075Sep2016VmAdminsInclude": {
+            "type": "string",
+            "defaultValue": ""
+        },
+        "regCompPolParNZIsmRestrictedVmAdminsInclude": {
+            "type": "string",
+            "defaultValue": ""
+        },
+        "regCompPolParNZIsmRestrictedVmAdminsExclude": {
+            "type": "string",
+            "defaultValue": ""
+        },
+        "regCompPolParNistSp800171R2VmAdminsExclude": {
+            "type": "string",
+            "defaultValue": ""
+        },
+        "regCompPolParNistSp800171R2VmAdminsInclude": {
+            "type": "string",
+            "defaultValue": ""
+        },
+        "regCompPolParSoc2Type2AllowedRegistries": {
+            "type": "string",
+            "defaultValue": "^[^\\/]+\\.azurecr\\.io\\/.+$"
+        },
+        "regCompPolParSoc2Type2MaxCpuUnits": {
+            "type": "string",
+            "defaultValue": "200m"
+        },
+        "regCompPolParSoc2Type2MaxMemoryBytes": {
+            "type": "string",
+            "defaultValue": "1Gi"
         }
     },
     "variables": {
@@ -869,7 +992,7 @@
                 "input": "[items(variables('mgmtGroupsLite'))[copyIndex('mgmtGroupsESLiteArray')].value]"
             }
         ],
-        
+
         // Declaring scopes that will be used for optional deployments, such as platform components (monitoring, networking, identity), policy assignments, subscription placement etc.
         "scopes": {
             "eslzRootManagementGroup": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('mgmtGroups').eslzRoot)]",
@@ -910,6 +1033,7 @@
             "logAnalyticsPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-LogAnalyticsPolicyAssignment.json')]",
             "monitoringSolutions": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/logAnalyticsSolutions.json')]",
             "asbPolicyInitiative": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-ASBPolicyAssignment.json')]",
+            "regulatoryComplianceInitaitves": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-RegulatoryCompliancePolicyAssignment.json')]",
             "resourceDiagnosticsInitiative": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-ResourceDiagnosticsPolicyAssignment.json')]",
             "activityDiagnosticsPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-ActivityLogPolicyAssignment.json')]",
             "mdfcConfigPolicyInitiative": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-MDFCConfigPolicyAssignment.json')]",
@@ -991,6 +1115,7 @@
             "monitorServiceHealthDeploymentName": "[take(concat('alz-SvcHealthMonitor', variables('deploymentSuffix')), 64)]",
             "monitoringSolutionsDeploymentName": "[take(concat('alz-Solutions', variables('deploymentSuffix')), 64)]",
             "asbPolicyDeploymentName": "[take(concat('alz-ASB', variables('deploymentSuffix')), 64)]",
+            "regulatoryComplianceInitativesToAssignDeploymentName": "[take(concat('alz-RegComp-', deployment().location, '-', uniqueString(parameters('currentDateTimeUtcNow')), '-'), 64)]",
             "resourceDiagnosticsPolicyDeploymentName": "[take(concat('alz-ResourceDiagnostics', variables('deploymentSuffix')), 64)]",
             "activityDiagnosticsPolicyDeploymentName": "[take(concat('alz-ActivityDiagnostics', variables('deploymentSuffix')), 64)]",
             "ascPolicyDeploymentName": "[take(concat('alz-ASC', variables('deploymentSuffix')), 64)]",
@@ -1920,6 +2045,150 @@
                 "parameters": {}
             }
         },
+        {
+            // Assigning Regulatory Compliance polices to desired management groups if condition is true
+            "condition": "[not(empty(parameters('regulatoryComplianceInitativesToAssign')))]",
+            "type": "Microsoft.Resources/deployments",
+            "apiVersion": "2020-10-01",
+            "name": "[take(concat(variables('deploymentNames').regulatoryComplianceInitativesToAssignDeploymentName, if(contains(parameters('regulatoryComplianceInitativesToAssign')[copyIndex()].mg, '-'), split(parameters('regulatoryComplianceInitativesToAssign')[copyIndex()].mg, '-')[1], parameters('regulatoryComplianceInitativesToAssign')[copyIndex()].mg), '-', uniqueString(parameters('regulatoryComplianceInitativesToAssign')[copyIndex()].mg, parameters('regulatoryComplianceInitativesToAssign')[copyIndex()].policy.id)), 64)]",
+            "scope": "[concat('Microsoft.Management/managementGroups/', replace(parameters('regulatoryComplianceInitativesToAssign')[copyIndex()].mg, 'contoso', parameters('enterpriseScaleCompanyPrefix')))]",
+            "location": "[deployment().location]",
+            "dependsOn": [
+                "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]",
+                "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]",
+                "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vwanConnectivityHubDeploymentName)]",
+                "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').nvaConnectivityHubDeploymentName)]",
+                "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosLzPolicyDeploymentName)]",
+                "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
+                "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]",
+                "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]",
+                "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]",
+                "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]",
+                "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vwanConnectivityHubLiteDeploymentName)]",
+                "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]",
+                "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]",
+                "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
+                "corpConnectedMoveLzs"
+            ],
+            "copy": {
+                "name": "regCompAssignments",
+                "count": "[length(parameters('regulatoryComplianceInitativesToAssign'))]"
+            },
+            "properties": {
+                "mode": "Incremental",
+                "templateLink": {
+                    "contentVersion": "1.0.0.0",
+                    "uri": "[variables('deploymentUris').regulatoryComplianceInitaitves]"
+                },
+                "parameters": {
+                    "topLevelManagementGroupPrefix": {
+                        "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+                    },
+                    "policySetDefinitionId": {
+                        "value": "[parameters('regulatoryComplianceInitativesToAssign')[copyIndex()].policy.id]"
+                    },
+                    "policySetDefinitionDisplayName": {
+                        "value": "[parameters('regulatoryComplianceInitativesToAssign')[copyIndex()].policy.displayName]"
+                    },
+                    "policySetDefinitionDescription": {
+                        "value": "[parameters('regulatoryComplianceInitativesToAssign')[copyIndex()].policy.description]"
+                    },
+                    "policyAssignmentName": {
+                        "value": "[take(concat('Enforce-RegComp-',uniqueString(replace(parameters('regulatoryComplianceInitativesToAssign')[copyIndex()].mg, 'contoso', parameters('enterpriseScaleCompanyPrefix')), parameters('regulatoryComplianceInitativesToAssign')[copyIndex()].policy.id)), 24)]"
+                    },
+                    "logAnalyticsWorkspaceId": {
+                        "value": "[variables('platformResourceIds').logAnalyticsResourceId]"
+                    },
+                    "regCompPolParAusGovIsmRestrictedVmAdminsExclude": {
+                        "value": "[parameters('regCompPolParAusGovIsmRestrictedVmAdminsExclude')]"
+                    },
+                    "regCompPolParAusGovIsmRestrictedResourceTypes": {
+                        "value": "[parameters('regCompPolParAusGovIsmRestrictedResourceTypes')]"
+                    },
+                    "regCompPolParMPAACertificateThumb": {
+                        "value": "[parameters('regCompPolParMPAACertificateThumb')]"
+                    },
+                    "regCompPolParMPAAApplicationName": {
+                        "value": "[parameters('regCompPolParMPAAApplicationName')]"
+                    },
+                    "regCompPolParMPAAStoragePrefix": {
+                        "value": "[parameters('regCompPolParMPAAStoragePrefix')]"
+                    },
+                    "regCompPolParMPAAResGroupPrefix": {
+                        "value": "[parameters('regCompPolParMPAAResGroupPrefix')]"
+                    },
+                    "regCompPolParMPAARBatchMetricName": {
+                        "value": "[parameters('regCompPolParMPAARBatchMetricName')]"
+                    },
+                    "regCompPolParSovBaseConfRegions": {
+                        "value": "[parameters('regCompPolParSovBaseConfRegions')]"
+                    },
+                    "regCompPolParSovBaseGlobalRegions": {
+                        "value": "[parameters('regCompPolParSovBaseGlobalRegions')]"
+                    },
+                    "regCompPolParSwift2020VmAdminsInclude": {
+                        "value": "[parameters('regCompPolParSwift2020VmAdminsInclude')]"
+                    },
+                    "regCompPolParSwift2020DomainFqdn": {
+                        "value": "[parameters('regCompPolParSwift2020DomainFqdn')]"
+                    },
+                    "regCompPolParCanadaFedPbmmVmAdminsInclude": {
+                        "value": "[parameters('regCompPolParCanadaFedPbmmVmAdminsInclude')]"
+                    },
+                    "regCompPolParCanadaFedPbmmVmAdminsExclude": {
+                        "value": "[parameters('regCompPolParCanadaFedPbmmVmAdminsExclude')]"
+                    },
+                    "regCompPolParCisV2KeyVaultKeysRotateDays": {
+                        "value": "[parameters('regCompPolParCisV2KeyVaultKeysRotateDays')]"
+                    },
+                    "regCompPolParCmmcL3VmAdminsInclude": {
+                        "value": "[parameters('regCompPolParCmmcL3VmAdminsInclude')]"
+                    },
+                    "regCompPolParCmmcL3VmAdminsExclude": {
+                        "value": "[parameters('regCompPolParCmmcL3VmAdminsExclude')]"
+                    },
+                    "regCompPolParHitrustHipaaApplicationName": {
+                        "value": "[parameters('regCompPolParHitrustHipaaApplicationName')]"
+                    },
+                    "regCompPolParHitrustHipaaStoragePrefix": {
+                        "value": "[parameters('regCompPolParHitrustHipaaStoragePrefix')]"
+                    },
+                    "regCompPolParHitrustHipaaResGroupPrefix": {
+                        "value": "[parameters('regCompPolParHitrustHipaaResGroupPrefix')]"
+                    },
+                    "regCompPolParHitrustHipaaCertificateThumb": {
+                        "value": "[parameters('regCompPolParHitrustHipaaCertificateThumb')]"
+                    },
+                    "regCompPolParIrs1075Sep2016VmAdminsExclude": {
+                        "value": "[parameters('regCompPolParIrs1075Sep2016VmAdminsExclude')]"
+                    },
+                    "regCompPolParIrs1075Sep2016VmAdminsInclude": {
+                        "value": "[parameters('regCompPolParIrs1075Sep2016VmAdminsInclude')]"
+                    },
+                    "regCompPolParNZIsmRestrictedVmAdminsInclude": {
+                        "value": "[parameters('regCompPolParNZIsmRestrictedVmAdminsInclude')]"
+                    },
+                    "regCompPolParNZIsmRestrictedVmAdminsExclude": {
+                        "value": "[parameters('regCompPolParNZIsmRestrictedVmAdminsExclude')]"
+                    },
+                    "regCompPolParNistSp800171R2VmAdminsExclude": {
+                        "value": "[parameters('regCompPolParNistSp800171R2VmAdminsExclude')]"
+                    },
+                    "regCompPolParNistSp800171R2VmAdminsInclude": {
+                        "value": "[parameters('regCompPolParNistSp800171R2VmAdminsInclude')]"
+                    },
+                    "regCompPolParSoc2Type2AllowedRegistries": {
+                        "value": "[parameters('regCompPolParSoc2Type2AllowedRegistries')]"
+                    },
+                    "regCompPolParSoc2Type2MaxCpuUnits": {
+                        "value": "[parameters('regCompPolParSoc2Type2MaxCpuUnits')]"
+                    },
+                    "regCompPolParSoc2Type2MaxMemoryBytes": {
+                        "value": "[parameters('regCompPolParSoc2Type2MaxMemoryBytes')]"
+                    }
+                }
+            }
+        },
         {
             // Assigning Azure Monitor Resource Diagnostics policy to intermediate root management group if condition is true
             "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableLogAnalytics'), 'Yes'))]",
@@ -2025,7 +2294,7 @@
                     }
                 }
             }
-        }, 
+        },
         {
             // Assigning Audit resource location matches resource group location policy to intermediate root management group
             "condition": "[or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId'))))]",
@@ -2049,7 +2318,7 @@
                     }
                 }
             }
-        },        
+        },
         {
             // Assigning Azure Security Center configuration policy initiative to intermediate root management group if condition is true
             "condition": "[and(or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId')))), equals(parameters('enableAsc'), 'Yes'), equals(environment().resourceManager, 'https://management.azure.com/'))]",