Ab37721 KV Update Effect Names and Initial updates to support policy versioning

docs/wiki/Whats-new.md

@@ -51,6 +51,8 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones:
 ### 🔃 Policy Refresh Q2 FY25
 
 - Fixed a Portal Accelerator bug that results in failed deployment when choosing not to deploy policies to the Identity management group.
+- Updated the display name of the many `Effect` parameters to clearly identify the policy it applies to in the initiative [Enforce recommended guardrails for Azure Key Vault](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-KeyVault.html).
+- Updated the policy and policySet definition API version `2023-04-01` to supporting policy versioning. In this repo, this is used in the master policies.json and initiatives.json files, that are built from individual policy and initiative files in the src folder.
 
 ### 🔃 Policy Refresh Q1 FY25
 

eslzArm/managementGroupTemplates/policyDefinitions/policies.json

@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "13634999173647754981"
+      "version": "0.30.23.60470",
+      "templateHash": "5958455570293715110"
     }
   },
   "parameters": {
@@ -458,7 +458,7 @@
         "count": "[length(variables('policyDefinitions'))]"
       },
       "type": "Microsoft.Authorization/policyDefinitions",
-      "apiVersion": "2020-09-01",
+      "apiVersion": "2023-04-01",
       "name": "[variables('policyDefinitions')[copyIndex()].name]",
       "properties": {
         "description": "[variables('policyDefinitions')[copyIndex()].properties.description]",

src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault.json

@@ -8,7 +8,7 @@
         "displayName": "Enforce recommended guardrails for Azure Key Vault",
         "description": "Enforce recommended guardrails for Azure Key Vault.",
         "metadata": {
-            "version": "2.1.0",
+            "version": "2.2.0",
             "category": "Key Vault",
             "source": "https://github.com/Azure/Enterprise-Scale/",
             "alzCloudEnvironments": [
@@ -21,7 +21,7 @@
             "effectKvSoftDelete": {
                 "type": "String",
                 "metadata": {
-                    "displayName": "Effect",
+                    "displayName": "Effect - KV Soft Delete",
                     "description": "Enable or disable the execution of the policy"
                 },
                 "allowedValues": [
@@ -34,7 +34,7 @@
             "effectKvPurgeProtection": {
                 "type": "String",
                 "metadata": {
-                    "displayName": "Effect",
+                    "displayName": "Effect - KV Purge Protection",
                     "description": "Enable or disable the execution of the policy"
                 },
                 "allowedValues": [
@@ -47,7 +47,7 @@
             "effectKvSecretsExpire": {
                 "type": "String",
                 "metadata": {
-                    "displayName": "Effect",
+                    "displayName": "Effect - KV Secrets Expiry",
                     "description": "Enable or disable the execution of the policy"
                 },
                 "allowedValues": [
@@ -60,7 +60,7 @@
             "effectKvKeysExpire": {
                 "type": "String",
                 "metadata": {
-                    "displayName": "Effect",
+                    "displayName": "Effect - KV Keys Expiry",
                     "description": "Enable or disable the execution of the policy"
                 },
                 "allowedValues": [
@@ -73,7 +73,7 @@
             "effectKvFirewallEnabled": {
                 "type": "String",
                 "metadata": {
-                    "displayName": "Effect",
+                    "displayName": "Effect - KV Firewall Enabled",
                     "description": "Enable or disable the execution of the policy"
                 },
                 "allowedValues": [
@@ -86,7 +86,7 @@
             "effectKvCertLifetime": {
                 "type": "String",
                 "metadata": {
-                    "displayName": "Effect",
+                    "displayName": "Effect - KV Certificate Lifetime",
                     "description": "Enable or disable the execution of the policy"
                 },
                 "allowedValues": [
@@ -118,7 +118,7 @@
             "effectKvKeysLifetime": {
                 "type": "String",
                 "metadata": {
-                    "displayName": "Effect",
+                    "displayName": "Effect - KV Keys Lifetime",
                     "description": "Enable or disable the execution of the policy"
                 },
                 "allowedValues": [
@@ -139,7 +139,7 @@
             "effectKvSecretsLifetime": {
                 "type": "String",
                 "metadata": {
-                    "displayName": "Effect",
+                    "displayName": "Effect - KV Secrets Lifetime",
                     "description": "Enable or disable the execution of the policy"
                 },
                 "allowedValues": [
@@ -451,6 +451,7 @@
             {
                 "policyDefinitionReferenceId": "KvSoftDelete",
                 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d",
+                "definitionVersion": "3.*.*",
                 "parameters": {
                     "effect": {
                         "value": "[[parameters('effectKvSoftDelete')]"
@@ -461,6 +462,7 @@
             {
                 "policyDefinitionReferenceId": "KvPurgeProtection",
                 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53",
+                "definitionVersion": "2.*.*",
                 "parameters": {
                     "effect": {
                         "value": "[[parameters('effectKvPurgeProtection')]"
@@ -471,6 +473,7 @@
             {
                 "policyDefinitionReferenceId": "KvSecretsExpire",
                 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37",
+                "definitionVersion": "1.*.*",
                 "parameters": {
                     "effect": {
                         "value": "[[parameters('effectKvSecretsExpire')]"
@@ -481,6 +484,7 @@
             {
                 "policyDefinitionReferenceId": "KvKeysExpire",
                 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0",
+                "definitionVersion": "1.*.*",
                 "parameters": {
                     "effect": {
                         "value": "[[parameters('effectKvKeysExpire')]"
@@ -491,6 +495,7 @@
             {
                 "policyDefinitionReferenceId": "KvFirewallEnabled",
                 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490",
+                "definitionVersion": "3.*.*",
                 "parameters": {
                     "effect": {
                         "value": "[[parameters('effectKvFirewallEnabled')]"
@@ -501,6 +506,7 @@
             {
                 "policyDefinitionReferenceId": "KvCertLifetime",
                 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417",
+                "definitionVersion": "2.*.*",
                 "parameters": {
                     "effect": {
                         "value": "[[parameters('effectKvCertLifetime')]"
@@ -517,6 +523,7 @@
             {
                 "policyDefinitionReferenceId": "KvKeysLifetime",
                 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146",
+                "definitionVersion": "1.*.*",
                 "parameters": {
                     "effect": {
                         "value": "[[parameters('effectKvKeysLifetime')]"
@@ -530,6 +537,7 @@
             {
                 "policyDefinitionReferenceId": "KvSecretsLifetime",
                 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a",
+                "definitionVersion": "1.*.*",
                 "parameters": {
                     "effect": {
                         "value": "[[parameters('effectKvSecretsLifetime')]"
@@ -543,6 +551,7 @@
             {
                 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0",
                 "policyDefinitionReferenceId": "Deny-KV-RSA-Keys-without-MinCertSize",
+                "definitionVersion": "2.*.*",
                 "groupNames": [],
                 "parameters": {
                     "effect": {
@@ -556,6 +565,7 @@
             {
                 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86810a98-8e91-4a44-8386-ec66d0de5d57",
                 "policyDefinitionReferenceId": "Deny-keyVaultManagedHsm-RSA-Keys-without-MinKeySize",
+                "definitionVersion": "1.*.*-preview",
                 "groupNames": [],
                 "parameters": {
                     "effect": {
@@ -569,6 +579,7 @@
             {
                 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/82067dbb-e53b-4e06-b631-546d197452d9",
                 "policyDefinitionReferenceId": "Deny-KV-RSA-Keys-without-MinKeySize",
+                "definitionVersion": "1.*.*",
                 "groupNames": [],
                 "parameters": {
                     "effect": {
@@ -582,6 +593,7 @@
             {
                 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5",
                 "policyDefinitionReferenceId": "Deny-KV-without-ArmRbac",
+                "definitionVersion": "1.*.*",
                 "groupNames": [],
                 "parameters": {
                     "effect": {
@@ -592,6 +604,7 @@
             {
                 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c39ba22d-4428-4149-b981-70acb31fc383",
                 "policyDefinitionReferenceId": "Deny-KV-Hms-PurgeProtection",
+                "definitionVersion": "1.*.*",
                 "groupNames": [],
                 "parameters": {
                     "effect": {
@@ -602,6 +615,7 @@
             {
                 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560",
                 "policyDefinitionReferenceId": "Deny-KV-Cert-Period",
+                "definitionVersion": "2.*.*",
                 "groupNames": [],
                 "parameters": {
                     "effect": {
@@ -615,6 +629,7 @@
             {
                 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1d478a74-21ba-4b9f-9d8f-8e6fced0eec5",
                 "policyDefinitionReferenceId": "Deny-KV-Hms-Key-Expire",
+                "definitionVersion": "1.*.*-preview",
                 "groupNames": [],
                 "parameters": {
                     "effect": {
@@ -625,6 +640,7 @@
             {
                 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/49a22571-d204-4c91-a7b6-09b1a586fbc9",
                 "policyDefinitionReferenceId": "Deny-KV-Keys-Expire",
+                "definitionVersion": "1.*.*",
                 "groupNames": [],
                 "parameters": {
                     "effect": {
@@ -638,6 +654,7 @@
             {
                 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/342e8053-e12e-4c44-be01-c3c2f318400f",
                 "policyDefinitionReferenceId": "Deny-KV-Secrets-ValidityDays",
+                "definitionVersion": "1.*.*",
                 "groupNames": [],
                 "parameters": {
                     "effect": {
@@ -651,6 +668,7 @@
             {
                 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f",
                 "policyDefinitionReferenceId": "Deny-KV-Key-Types",
+                "definitionVersion": "2.*.*",
                 "groupNames": [],
                 "parameters": {
                     "effect": {
@@ -661,6 +679,7 @@
             {
                 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf",
                 "policyDefinitionReferenceId": "Deny-KV-Elliptic-Curve",
+                "definitionVersion": "2.*.*",
                 "groupNames": [],
                 "parameters": {
                     "effect": {
@@ -671,6 +690,7 @@
             {
                 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/75c4f823-d65c-4f29-a733-01d0077fdbcb",
                 "policyDefinitionReferenceId": "Deny-KV-Cryptographic-Type",
+                "definitionVersion": "1.*.*",
                 "groupNames": [],
                 "parameters": {
                     "effect": {
@@ -681,6 +701,7 @@
             {
                 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c26e4b24-cf98-4c67-b48b-5a25c4c69eb9",
                 "policyDefinitionReferenceId": "Deny-KV-Key-Active",
+                "definitionVersion": "1.*.*",
                 "groupNames": [],
                 "parameters": {
                     "effect": {
@@ -694,6 +715,7 @@
             {
                 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255",
                 "policyDefinitionReferenceId": "Deny-KV-Curve-Names",
+                "definitionVersion": "1.*.*",
                 "groupNames": [],
                 "parameters": {
                     "effect": {
@@ -704,6 +726,7 @@
             {
                 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e8d99835-8a06-45ae-a8e0-87a91941ccfe",
                 "policyDefinitionReferenceId": "Deny-KV-Secret-ActiveDays",
+                "definitionVersion": "1.*.*",
                 "groupNames": [],
                 "parameters": {
                     "effect": {
@@ -717,6 +740,7 @@
             {
                 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/75262d3e-ba4a-4f43-85f8-9f72c090e5e3",
                 "policyDefinitionReferenceId": "Deny-Kv-Secret-Content-Type",
+                "definitionVersion": "1.*.*",
                 "groupNames": [],
                 "parameters": {
                     "effect": {
@@ -727,6 +751,7 @@
             {
                 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341",
                 "policyDefinitionReferenceId": "Deny-Kv-Non-Integrated-Ca",
+                "definitionVersion": "2.*.*",
                 "groupNames": [],
                 "parameters": {
                     "effect": {
@@ -740,6 +765,7 @@
             {
                 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82",
                 "policyDefinitionReferenceId": "Deny-Kv-Integrated-Ca",
+                "definitionVersion": "2.*.*",
                 "groupNames": [],
                 "parameters": {
                     "effect": {
@@ -753,6 +779,7 @@
             {
                 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ad27588c-0198-4c84-81ef-08efd0274653",
                 "policyDefinitionReferenceId": "Deny-Kv-Hsm-MinimumDays-Before-Expiration",
+                "definitionVersion": "1.*.*-preview",
                 "groupNames": [],
                 "parameters": {
                     "effect": {
@@ -766,6 +793,7 @@
             {
                 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e58fd0c1-feac-4d12-92db-0a7e9421f53e",
                 "policyDefinitionReferenceId": "Deny-Kv-Hsm-Curve-Names",
+                "definitionVersion": "1.*.*-preview",
                 "groupNames": [],
                 "parameters": {
                     "effect": {
@@ -779,6 +807,7 @@
             {
                 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427",
                 "policyDefinitionReferenceId": "Deny-Kv-Cert-Expiration-Within-Specific-Number-Days",
+                "definitionVersion": "2.*.*",
                 "groupNames": [],
                 "parameters": {
                     "effect": {

src/templates/initiatives.bicep

@@ -124,7 +124,7 @@ var policySetDefinitions = concat(policySetDefinitionsByCloudType.All, policySet
 
 // Create the Policy Definitions as needed for the target cloud environment
 // Depends on Policy Definitons to ensure they exist before creating dependent Policy Set Definitions (Initiatives)
-resource PolicySetDefinitions 'Microsoft.Authorization/policySetDefinitions@2020-09-01' = [for policy in policySetDefinitions: {
+resource PolicySetDefinitions 'Microsoft.Authorization/policySetDefinitions@2023-04-01' = [for policy in policySetDefinitions: {
   // dependsOn: [
   //   PolicyDefinitions
   // ]

src/templates/policies.bicep

@@ -248,7 +248,7 @@ var policyDefinitionsByCloudType = {
 var policyDefinitions = concat(policyDefinitionsByCloudType.All, policyDefinitionsByCloudType[cloudEnv])
 
 // Create the Policy Definitions as needed for the target cloud environment
-resource PolicyDefinitions 'Microsoft.Authorization/policyDefinitions@2020-09-01' = [for policy in policyDefinitions: {
+resource PolicyDefinitions 'Microsoft.Authorization/policyDefinitions@2023-04-01' = [for policy in policyDefinitions: {
   name: policy.name
   properties: {
     description: policy.properties.description