From d094fbe133582a50e180d29ac8245e7058ad2b0e Mon Sep 17 00:00:00 2001 From: Anthony Watherston Date: Mon, 4 Nov 2024 19:35:05 +1100 Subject: [PATCH 01/18] Minor grammar fix (#1798) Co-authored-by: Anthony Watherston Co-authored-by: Sacha Narinx --- .../policyAssignments/AUDIT-TrustedLaunchPolicyAssignment.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-TrustedLaunchPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-TrustedLaunchPolicyAssignment.json index 82338d02da..84865cd0de 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-TrustedLaunchPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-TrustedLaunchPolicyAssignment.json @@ -39,7 +39,7 @@ "displayName": "Audit virtual machines for Trusted Launch support" }, "nonComplianceMessage": { - "message": "Trust Launch {enforcementMode} be used on supported virtual machines for enhanced security.", + "message": "Trusted Launch {enforcementMode} be used on supported virtual machines for enhanced security.", "Default": "must", "DoNotEnforce": "should" } From b6069b251527fd0694be23cd59ee81af599e54bb Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Mon, 4 Nov 2024 16:36:48 +0400 Subject: [PATCH 02/18] Ab36748 Identity Policy / Subscription Bug Fix (#1823) --- docs/wiki/Whats-new.md | 4 ++++ eslzArm/eslz-portal.json | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md index 9779d7408e..cb4886a81b 100644 --- a/docs/wiki/Whats-new.md +++ b/docs/wiki/Whats-new.md @@ -48,6 +48,10 @@ This article will be updated as and when changes are made to the above and anyth Here's what's changed in Enterprise Scale/Azure Landing Zones: +### 🔃 Policy Refresh Q2 FY25 + +- Fixed a Portal Accelerator bug that results in failed deployment when choosing not to deploy policies to the Identity management group. + ### 🔃 Policy Refresh Q1 FY25 - Updated ALZ custom policies enforcing minimum TLS versions to properly evaluate the minimum TLS version, ensuring services configured to deploy TLS 1.3 will successfully evaluate. diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json index 8bb1dee1bc..bea14013c3 100644 --- a/eslzArm/eslz-portal.json +++ b/eslzArm/eslz-portal.json @@ -4321,7 +4321,7 @@ } } ], - "visible": "[and(equals(steps('identity').esIdentity,'Yes'), not(equals(steps('core').platformSubscription, 'Single')))]" + "visible": "[not(equals(steps('core').platformSubscription, 'Single'))]" }, { "name": "identitypolicies", From b99d4c9c655e0a3a821b8667b7b3d969b6b1aeac Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Mon, 4 Nov 2024 17:57:12 +0400 Subject: [PATCH 03/18] Ab37721 KV Update Effect Names and Initial updates to support policy versioning (#1824) --- docs/wiki/Whats-new.md | 2 + .../policyDefinitions/initiatives.json | 8 ++-- .../policyDefinitions/policies.json | 6 +-- .../Enforce-Guardrails-KeyVault.json | 47 +++++++++++++++---- src/templates/initiatives.bicep | 2 +- src/templates/policies.bicep | 2 +- 6 files changed, 49 insertions(+), 18 deletions(-) diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md index cb4886a81b..b8f9babe72 100644 --- a/docs/wiki/Whats-new.md +++ b/docs/wiki/Whats-new.md @@ -51,6 +51,8 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones: ### 🔃 Policy Refresh Q2 FY25 - Fixed a Portal Accelerator bug that results in failed deployment when choosing not to deploy policies to the Identity management group. +- Updated the display name of the many `Effect` parameters to clearly identify the policy it applies to in the initiative [Enforce recommended guardrails for Azure Key Vault](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-KeyVault.html). +- Updated the policy and policySet definition API version `2023-04-01` to supporting policy versioning. In this repo, this is used in the master policies.json and initiatives.json files, that are built from individual policy and initiative files in the src folder. ### 🔃 Policy Refresh Q1 FY25 diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json b/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json index 03d103f341..d89a0d99c4 100644 --- a/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json +++ b/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "392506153917126079" + "version": "0.30.23.60470", + "templateHash": "5086942299464024025" } }, "parameters": { @@ -78,7 +78,7 @@ ], "$fxv#0": "{\n \"name\": \"Audit-UnusedResourcesCostOptimization\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Unused resources driving cost should be avoided\",\n \"description\": \"Optimize cost by detecting unused but chargeable resources. Leverage this Azure Policy Initiative as a cost control tool to reveal orphaned resources that are contributing cost.\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Cost Optimization\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effectDisks\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Disks Effect\",\n \"description\": \"Enable or disable the execution of the policy for Microsoft.Compute/disks\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectPublicIpAddresses\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"PublicIpAddresses Effect\",\n \"description\": \"Enable or disable the execution of the policy for Microsoft.Network/publicIpAddresses\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectServerFarms\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"ServerFarms Effect\",\n \"description\": \"Enable or disable the execution of the policy for Microsoft.Web/serverfarms\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AuditDisksUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-Disks-UnusedResourcesCostOptimization\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectDisks')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditPublicIpAddressesUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-PublicIpAddresses-UnusedResourcesCostOptimization\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectPublicIpAddresses')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditServerFarmsUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-ServerFarms-UnusedResourcesCostOptimization\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectServerFarms')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditAzureHybridBenefitUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-AzureHybridBenefit\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"Audit\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#1": "{\n \"name\": \"Audit-TrustedLaunch\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Audit virtual machines for Trusted Launch support\",\n \"description\": \"Trusted Launch improves security of a Virtual Machine which requires VM SKU, OS Disk & OS Image to support it (Gen 2). To learn more about Trusted Launch, visit https://aka.ms/trustedlaunch.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Trusted Launch\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"version\": \"1.0.0\",\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AuditDisksOsTrustedLaunch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b03bb370-5249-4ea4-9fce-2552e87e45fa\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditTrustedLaunchEnabled\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c95b54ad-0614-4633-ab29-104b01235cbf\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#10": "{\n \"name\": \"Enforce-Guardrails-KeyVault\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Azure Key Vault\",\n \"description\": \"Enforce recommended guardrails for Azure Key Vault.\",\n \"metadata\": {\n \"version\": \"2.1.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effectKvSoftDelete\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvPurgeProtection\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvSecretsExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvKeysExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvFirewallEnabled\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvCertLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"maximumCertLifePercentageLife\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The maximum lifetime percentage\",\n \"description\": \"Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate's valid life, enter '80'.\"\n },\n \"defaultValue\": 80\n },\n \"minimumCertLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvKeysLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumKeysLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvSecretsLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumSecretsLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"keyVaultCheckMinimumRSACertificateSize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSACertificateSizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultManagedHsmCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultManagedHsmMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultArmRbac\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsPurgeProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificatesPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertValidPeriod\": {\n \"type\": \"integer\",\n \"defaultValue\": 12\n },\n \"keyVaultHmsKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultCertKeyTypes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultEllipticCurve\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCryptographicType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keysCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultSecretContentType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCaValue\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"The common name of the certificate authority\",\n \"description\": \"The common name (CN) of the Certificate Authority (CA) provider. For example, for an issuer CN = Contoso, OU = .., DC = .., you can specify Contoso\"\n }\n },\n \"keyVaultIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultIntegratedCaValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"DigiCert\",\n \"GlobalSign\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpirationValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultHmsCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsCurveNamesValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"P-256\",\n \"P-256K\",\n \"P-384\",\n \"P-521\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"KvSoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSoftDelete')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvPurgeProtection\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvPurgeProtection')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvFirewallEnabled\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvFirewallEnabled')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvCertLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvCertLifetime')]\"\n },\n \"maximumPercentageLife\": {\n \"value\": \"[[parameters('maximumCertLifePercentageLife')]\"\n },\n \"minimumDaysBeforeExpiry\": {\n \"value\": \"[[parameters('minimumCertLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumKeysLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumSecretsLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinCertSize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSACertificateSize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSACertificateSizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86810a98-8e91-4a44-8386-ec66d0de5d57\",\n \"policyDefinitionReferenceId\": \"Deny-keyVaultManagedHsm-RSA-Keys-without-MinKeySize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultManagedHsmMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82067dbb-e53b-4e06-b631-546d197452d9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinKeySize\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-without-ArmRbac\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultArmRbac')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c39ba22d-4428-4149-b981-70acb31fc383\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-PurgeProtection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsPurgeProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cert-Period\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificatesPeriod')]\"\n },\n \"maximumValidityInMonths\": {\n \"value\": \"[[parameters('keyVaultCertValidPeriod')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1d478a74-21ba-4b9f-9d8f-8e6fced0eec5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-Key-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/49a22571-d204-4c91-a7b6-09b1a586fbc9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/342e8053-e12e-4c44-be01-c3c2f318400f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secrets-ValidityDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Types\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertKeyTypes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Elliptic-Curve\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultEllipticCurve')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75c4f823-d65c-4f29-a733-01d0077fdbcb\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cryptographic-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCryptographicType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26e4b24-cf98-4c67-b48b-5a25c4c69eb9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Active\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysCurveNames')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8d99835-8a06-45ae-a8e0-87a91941ccfe\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secret-ActiveDays\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75262d3e-ba4a-4f43-85f8-9f72c090e5e3\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Secret-Content-Type\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultSecretContentType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Non-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCa')]\"\n },\n \"caCommonName\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Integrated-Ca\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultIntegratedCa')]\"\n },\n \"allowedCAs\": {\n \"value\": \"[[parameters('keyVaultIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ad27588c-0198-4c84-81ef-08efd0274653\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-MinimumDays-Before-Expiration\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpiration')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpirationValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e58fd0c1-feac-4d12-92db-0a7e9421f53e\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-Curve-Names\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNames')]\"\n },\n \"allowedECNames\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNamesValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Cert-Expiration-Within-Specific-Number-Days\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays')]\"\n },\n \"daysToExpire\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#10": "{\n \"name\": \"Enforce-Guardrails-KeyVault\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Azure Key Vault\",\n \"description\": \"Enforce recommended guardrails for Azure Key Vault.\",\n \"metadata\": {\n \"version\": \"2.2.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effectKvSoftDelete\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect - KV Soft Delete\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvPurgeProtection\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect - KV Purge Protection\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvSecretsExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect - KV Secrets Expiry\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvKeysExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect - KV Keys Expiry\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvFirewallEnabled\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect - KV Firewall Enabled\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvCertLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect - KV Certificate Lifetime\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"maximumCertLifePercentageLife\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The maximum lifetime percentage\",\n \"description\": \"Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate's valid life, enter '80'.\"\n },\n \"defaultValue\": 80\n },\n \"minimumCertLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvKeysLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect - KV Keys Lifetime\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumKeysLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvSecretsLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect - KV Secrets Lifetime\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumSecretsLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"keyVaultCheckMinimumRSACertificateSize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSACertificateSizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultManagedHsmCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultManagedHsmMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultArmRbac\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsPurgeProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificatesPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertValidPeriod\": {\n \"type\": \"integer\",\n \"defaultValue\": 12\n },\n \"keyVaultHmsKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultCertKeyTypes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultEllipticCurve\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCryptographicType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keysCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultSecretContentType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCaValue\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"The common name of the certificate authority\",\n \"description\": \"The common name (CN) of the Certificate Authority (CA) provider. For example, for an issuer CN = Contoso, OU = .., DC = .., you can specify Contoso\"\n }\n },\n \"keyVaultIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultIntegratedCaValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"DigiCert\",\n \"GlobalSign\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpirationValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultHmsCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsCurveNamesValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"P-256\",\n \"P-256K\",\n \"P-384\",\n \"P-521\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"KvSoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\",\n \"definitionVersion\": \"3.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSoftDelete')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvPurgeProtection\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvPurgeProtection')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvFirewallEnabled\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"definitionVersion\": \"3.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvFirewallEnabled')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvCertLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvCertLifetime')]\"\n },\n \"maximumPercentageLife\": {\n \"value\": \"[[parameters('maximumCertLifePercentageLife')]\"\n },\n \"minimumDaysBeforeExpiry\": {\n \"value\": \"[[parameters('minimumCertLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumKeysLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumSecretsLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinCertSize\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSACertificateSize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSACertificateSizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86810a98-8e91-4a44-8386-ec66d0de5d57\",\n \"policyDefinitionReferenceId\": \"Deny-keyVaultManagedHsm-RSA-Keys-without-MinKeySize\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultManagedHsmMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82067dbb-e53b-4e06-b631-546d197452d9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinKeySize\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-without-ArmRbac\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultArmRbac')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c39ba22d-4428-4149-b981-70acb31fc383\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-PurgeProtection\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsPurgeProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cert-Period\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificatesPeriod')]\"\n },\n \"maximumValidityInMonths\": {\n \"value\": \"[[parameters('keyVaultCertValidPeriod')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1d478a74-21ba-4b9f-9d8f-8e6fced0eec5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-Key-Expire\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/49a22571-d204-4c91-a7b6-09b1a586fbc9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Keys-Expire\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/342e8053-e12e-4c44-be01-c3c2f318400f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secrets-ValidityDays\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Types\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertKeyTypes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Elliptic-Curve\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultEllipticCurve')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75c4f823-d65c-4f29-a733-01d0077fdbcb\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cryptographic-Type\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCryptographicType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26e4b24-cf98-4c67-b48b-5a25c4c69eb9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Active\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Curve-Names\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysCurveNames')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8d99835-8a06-45ae-a8e0-87a91941ccfe\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secret-ActiveDays\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75262d3e-ba4a-4f43-85f8-9f72c090e5e3\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Secret-Content-Type\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultSecretContentType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Non-Integrated-Ca\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCa')]\"\n },\n \"caCommonName\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Integrated-Ca\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultIntegratedCa')]\"\n },\n \"allowedCAs\": {\n \"value\": \"[[parameters('keyVaultIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ad27588c-0198-4c84-81ef-08efd0274653\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-MinimumDays-Before-Expiration\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpiration')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpirationValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e58fd0c1-feac-4d12-92db-0a7e9421f53e\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-Curve-Names\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNames')]\"\n },\n \"allowedECNames\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNamesValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Cert-Expiration-Within-Specific-Number-Days\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays')]\"\n },\n \"daysToExpire\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#11": "{\n \"name\": \"Enforce-Guardrails-APIM\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for API Management\",\n \"description\": \"This policy initiative is a group of policies that ensures API Management is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"API Management\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"apiSubscriptionScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"minimumApiVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimSkuVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"apimApiBackendCertValidation\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimDirectApiEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimCallApiAuthn\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimEncryptedProtocols\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimVnetUsage\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimSecrets\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f1cc7827-022c-473e-836e-5a51cae0b249\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-without-Kv\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimSecrets')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ef619a2c-cc4d-4d03-b2ba-8c94a834d85b\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-without-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimVnetUsage')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-APIM-TLS\",\n \"policyDefinitionReferenceId\": \"Deny-APIM-TLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee7495e7-3ba7-40b6-bfee-c29e22cc75d4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Protocols\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimEncryptedProtocols')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c15dcc82-b93c-4dcb-9332-fbf121685b54\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Authn\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimCallApiAuthn')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b741306c-968e-4b67-b916-5675e5c709f4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Direct-Endpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimDirectApiEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92bb331d-ac71-416a-8c91-02f2cb734ce4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Cert-Validation\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimApiBackendCertValidation')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7ca8c8ac-3a6e-493d-99ba-c5fa35347ff2\",\n \"policyDefinitionReferenceId\": \"Dine-Apim-Public-NetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimDisablePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/73ef9241-5d81-4cd4-b483-8443d1730fe5\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Sku-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimSkuVnet')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/549814b6-3212-4203-bdc8-1548d342fb67\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('minimumApiVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3aa03346-d8c5-4994-a5bc-7652c2a2aef1\",\n \"policyDefinitionReferenceId\": \"Deny-Api-subscription-scope\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apiSubscriptionScope')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#12": "{\n \"name\": \"Enforce-Guardrails-AppServices\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for App Service\",\n \"description\": \"This policy initiative is a group of policies that ensures App Service is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"App Service\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"functionAppDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceSkuPl\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceDisableLocalAuthFtp\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceRouting\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceScmAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceRfc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsRfc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsVnetRouting\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceEnvLatestVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsRemoteDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsRemoteDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceByoc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsModifyHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppService-without-BYOC\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Byoc\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceByoc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a5e3fe8f-f6cd-4f1d-bbf6-c749754a724b\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Remote-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsRemoteDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cca5adfe-626b-4cc6-8522-f5b6ed2391bd\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Remote-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsRemoteDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/eb4d34ab-0929-491c-bbf3-61e13da19f9a\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Latest-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceEnvLatestVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/801543d1-1953-4a90-b8b0-8cf6d41473a5\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Vnet-Routing\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsVnetRouting')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f5c0bfb3-acea-47b1-b477-b0edcdf6edc1\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Rfc\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceRfc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a691eacb-474d-47e4-b287-b4813ca44222\",\n \"policyDefinitionReferenceId\": \"Deny-AppServiceApps-Rfc\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsRfc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/70adbb40-e092-42d5-a6f8-71c540a5efdb\",\n \"policyDefinitionReferenceId\": \"DINE-FuncApp-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e97b776-f380-4722-a9a3-e7f0be029e79\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-ScmAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceScmAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5747353b-1ca9-42c1-a4dd-b874b894f3d4\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-Routing\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceRouting')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/572e342c-c920-4ef5-be2e-1ed3c6a51dc5\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-FtpAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceDisableLocalAuthFtp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/546fe8d2-368d-4029-a418-6af48a7f61e5\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-SkuPl\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceSkuPl')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2c034a29-2a5f-4857-b120-f800fe5549ae\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceDisableLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/25a5046c-c423-4805-9235-e844ae9ef49b\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08cf2974-d178-48a0-b26d-f6b8e555748b\",\n \"policyDefinitionReferenceId\": \"Modify-Function-Apps-Slots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsModifyHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0f98368e-36bc-4716-8ac2-8f8067203b63\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/242222f3-4985-4e99-b5ef-086d6a6cb01c\",\n \"policyDefinitionReferenceId\": \"Modify-Function-Apps-Slots-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2374605e-3e0b-492b-9046-229af202562c\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-Apps-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c6c3e00e-d414-4ca4-914f-406699bb8eee\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-App-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#13": "{\n \"name\": \"Enforce-Guardrails-Automation\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Automation Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Automation Account is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"aaModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"aaVariablesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"autoHotPatch\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d02d2f7-e38b-4bdc-96f3-adc0a8726abc\",\n \"policyDefinitionReferenceId\": \"Deny-Windows-Vm-HotPatch\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('autoHotPatch')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dea83a72-443c-4292-83d5-54a2f98749c0\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/48c5f1cb-14ad-4797-8e3b-f78ab3f8d700\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Variables-Encrypt\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaVariablesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/30d1d58e-8f96-47a5-8564-499a3f3cca81\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyLocalAUth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/23b36a7c-9d26-4288-a8fd-c1d2fa284d8c\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", @@ -224,7 +224,7 @@ "count": "[length(variables('policySetDefinitions'))]" }, "type": "Microsoft.Authorization/policySetDefinitions", - "apiVersion": "2020-09-01", + "apiVersion": "2023-04-01", "name": "[variables('policySetDefinitions')[copyIndex()].name]", "properties": { "description": "[variables('policySetDefinitions')[copyIndex()].properties.description]", diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/policies.json b/eslzArm/managementGroupTemplates/policyDefinitions/policies.json index 0fa47d8e2d..30f9b5fd9a 100644 --- a/eslzArm/managementGroupTemplates/policyDefinitions/policies.json +++ b/eslzArm/managementGroupTemplates/policyDefinitions/policies.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "13634999173647754981" + "version": "0.30.23.60470", + "templateHash": "5958455570293715110" } }, "parameters": { @@ -458,7 +458,7 @@ "count": "[length(variables('policyDefinitions'))]" }, "type": "Microsoft.Authorization/policyDefinitions", - "apiVersion": "2020-09-01", + "apiVersion": "2023-04-01", "name": "[variables('policyDefinitions')[copyIndex()].name]", "properties": { "description": "[variables('policyDefinitions')[copyIndex()].properties.description]", diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault.json index 04f79c6d6c..8b68f17728 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for Azure Key Vault", "description": "Enforce recommended guardrails for Azure Key Vault.", "metadata": { - "version": "2.1.0", + "version": "2.2.0", "category": "Key Vault", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -21,7 +21,7 @@ "effectKvSoftDelete": { "type": "String", "metadata": { - "displayName": "Effect", + "displayName": "Effect - KV Soft Delete", "description": "Enable or disable the execution of the policy" }, "allowedValues": [ @@ -34,7 +34,7 @@ "effectKvPurgeProtection": { "type": "String", "metadata": { - "displayName": "Effect", + "displayName": "Effect - KV Purge Protection", "description": "Enable or disable the execution of the policy" }, "allowedValues": [ @@ -47,7 +47,7 @@ "effectKvSecretsExpire": { "type": "String", "metadata": { - "displayName": "Effect", + "displayName": "Effect - KV Secrets Expiry", "description": "Enable or disable the execution of the policy" }, "allowedValues": [ @@ -60,7 +60,7 @@ "effectKvKeysExpire": { "type": "String", "metadata": { - "displayName": "Effect", + "displayName": "Effect - KV Keys Expiry", "description": "Enable or disable the execution of the policy" }, "allowedValues": [ @@ -73,7 +73,7 @@ "effectKvFirewallEnabled": { "type": "String", "metadata": { - "displayName": "Effect", + "displayName": "Effect - KV Firewall Enabled", "description": "Enable or disable the execution of the policy" }, "allowedValues": [ @@ -86,7 +86,7 @@ "effectKvCertLifetime": { "type": "String", "metadata": { - "displayName": "Effect", + "displayName": "Effect - KV Certificate Lifetime", "description": "Enable or disable the execution of the policy" }, "allowedValues": [ @@ -118,7 +118,7 @@ "effectKvKeysLifetime": { "type": "String", "metadata": { - "displayName": "Effect", + "displayName": "Effect - KV Keys Lifetime", "description": "Enable or disable the execution of the policy" }, "allowedValues": [ @@ -139,7 +139,7 @@ "effectKvSecretsLifetime": { "type": "String", "metadata": { - "displayName": "Effect", + "displayName": "Effect - KV Secrets Lifetime", "description": "Enable or disable the execution of the policy" }, "allowedValues": [ @@ -451,6 +451,7 @@ { "policyDefinitionReferenceId": "KvSoftDelete", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d", + "definitionVersion": "3.*.*", "parameters": { "effect": { "value": "[[parameters('effectKvSoftDelete')]" @@ -461,6 +462,7 @@ { "policyDefinitionReferenceId": "KvPurgeProtection", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53", + "definitionVersion": "2.*.*", "parameters": { "effect": { "value": "[[parameters('effectKvPurgeProtection')]" @@ -471,6 +473,7 @@ { "policyDefinitionReferenceId": "KvSecretsExpire", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('effectKvSecretsExpire')]" @@ -481,6 +484,7 @@ { "policyDefinitionReferenceId": "KvKeysExpire", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('effectKvKeysExpire')]" @@ -491,6 +495,7 @@ { "policyDefinitionReferenceId": "KvFirewallEnabled", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490", + "definitionVersion": "3.*.*", "parameters": { "effect": { "value": "[[parameters('effectKvFirewallEnabled')]" @@ -501,6 +506,7 @@ { "policyDefinitionReferenceId": "KvCertLifetime", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417", + "definitionVersion": "2.*.*", "parameters": { "effect": { "value": "[[parameters('effectKvCertLifetime')]" @@ -517,6 +523,7 @@ { "policyDefinitionReferenceId": "KvKeysLifetime", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('effectKvKeysLifetime')]" @@ -530,6 +537,7 @@ { "policyDefinitionReferenceId": "KvSecretsLifetime", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('effectKvSecretsLifetime')]" @@ -543,6 +551,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0", "policyDefinitionReferenceId": "Deny-KV-RSA-Keys-without-MinCertSize", + "definitionVersion": "2.*.*", "groupNames": [], "parameters": { "effect": { @@ -556,6 +565,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86810a98-8e91-4a44-8386-ec66d0de5d57", "policyDefinitionReferenceId": "Deny-keyVaultManagedHsm-RSA-Keys-without-MinKeySize", + "definitionVersion": "1.*.*-preview", "groupNames": [], "parameters": { "effect": { @@ -569,6 +579,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/82067dbb-e53b-4e06-b631-546d197452d9", "policyDefinitionReferenceId": "Deny-KV-RSA-Keys-without-MinKeySize", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -582,6 +593,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5", "policyDefinitionReferenceId": "Deny-KV-without-ArmRbac", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -592,6 +604,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c39ba22d-4428-4149-b981-70acb31fc383", "policyDefinitionReferenceId": "Deny-KV-Hms-PurgeProtection", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -602,6 +615,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560", "policyDefinitionReferenceId": "Deny-KV-Cert-Period", + "definitionVersion": "2.*.*", "groupNames": [], "parameters": { "effect": { @@ -615,6 +629,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1d478a74-21ba-4b9f-9d8f-8e6fced0eec5", "policyDefinitionReferenceId": "Deny-KV-Hms-Key-Expire", + "definitionVersion": "1.*.*-preview", "groupNames": [], "parameters": { "effect": { @@ -625,6 +640,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/49a22571-d204-4c91-a7b6-09b1a586fbc9", "policyDefinitionReferenceId": "Deny-KV-Keys-Expire", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -638,6 +654,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/342e8053-e12e-4c44-be01-c3c2f318400f", "policyDefinitionReferenceId": "Deny-KV-Secrets-ValidityDays", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -651,6 +668,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f", "policyDefinitionReferenceId": "Deny-KV-Key-Types", + "definitionVersion": "2.*.*", "groupNames": [], "parameters": { "effect": { @@ -661,6 +679,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf", "policyDefinitionReferenceId": "Deny-KV-Elliptic-Curve", + "definitionVersion": "2.*.*", "groupNames": [], "parameters": { "effect": { @@ -671,6 +690,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/75c4f823-d65c-4f29-a733-01d0077fdbcb", "policyDefinitionReferenceId": "Deny-KV-Cryptographic-Type", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -681,6 +701,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c26e4b24-cf98-4c67-b48b-5a25c4c69eb9", "policyDefinitionReferenceId": "Deny-KV-Key-Active", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -694,6 +715,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255", "policyDefinitionReferenceId": "Deny-KV-Curve-Names", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -704,6 +726,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e8d99835-8a06-45ae-a8e0-87a91941ccfe", "policyDefinitionReferenceId": "Deny-KV-Secret-ActiveDays", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -717,6 +740,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/75262d3e-ba4a-4f43-85f8-9f72c090e5e3", "policyDefinitionReferenceId": "Deny-Kv-Secret-Content-Type", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -727,6 +751,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341", "policyDefinitionReferenceId": "Deny-Kv-Non-Integrated-Ca", + "definitionVersion": "2.*.*", "groupNames": [], "parameters": { "effect": { @@ -740,6 +765,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82", "policyDefinitionReferenceId": "Deny-Kv-Integrated-Ca", + "definitionVersion": "2.*.*", "groupNames": [], "parameters": { "effect": { @@ -753,6 +779,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ad27588c-0198-4c84-81ef-08efd0274653", "policyDefinitionReferenceId": "Deny-Kv-Hsm-MinimumDays-Before-Expiration", + "definitionVersion": "1.*.*-preview", "groupNames": [], "parameters": { "effect": { @@ -766,6 +793,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e58fd0c1-feac-4d12-92db-0a7e9421f53e", "policyDefinitionReferenceId": "Deny-Kv-Hsm-Curve-Names", + "definitionVersion": "1.*.*-preview", "groupNames": [], "parameters": { "effect": { @@ -779,6 +807,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427", "policyDefinitionReferenceId": "Deny-Kv-Cert-Expiration-Within-Specific-Number-Days", + "definitionVersion": "2.*.*", "groupNames": [], "parameters": { "effect": { diff --git a/src/templates/initiatives.bicep b/src/templates/initiatives.bicep index 6edc2fd391..c4a12a8d79 100644 --- a/src/templates/initiatives.bicep +++ b/src/templates/initiatives.bicep @@ -124,7 +124,7 @@ var policySetDefinitions = concat(policySetDefinitionsByCloudType.All, policySet // Create the Policy Definitions as needed for the target cloud environment // Depends on Policy Definitons to ensure they exist before creating dependent Policy Set Definitions (Initiatives) -resource PolicySetDefinitions 'Microsoft.Authorization/policySetDefinitions@2020-09-01' = [for policy in policySetDefinitions: { +resource PolicySetDefinitions 'Microsoft.Authorization/policySetDefinitions@2023-04-01' = [for policy in policySetDefinitions: { // dependsOn: [ // PolicyDefinitions // ] diff --git a/src/templates/policies.bicep b/src/templates/policies.bicep index 0ec8d09707..bf459ae8e1 100644 --- a/src/templates/policies.bicep +++ b/src/templates/policies.bicep @@ -248,7 +248,7 @@ var policyDefinitionsByCloudType = { var policyDefinitions = concat(policyDefinitionsByCloudType.All, policyDefinitionsByCloudType[cloudEnv]) // Create the Policy Definitions as needed for the target cloud environment -resource PolicyDefinitions 'Microsoft.Authorization/policyDefinitions@2020-09-01' = [for policy in policyDefinitions: { +resource PolicyDefinitions 'Microsoft.Authorization/policyDefinitions@2023-04-01' = [for policy in policyDefinitions: { name: policy.name properties: { description: policy.properties.description From b0c7f8ec7fa35ca7eb637db22941f7e6ec286eaf Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Mon, 4 Nov 2024 19:04:26 +0400 Subject: [PATCH 04/18] ALZ Policies Extra Wiki Entry (#1825) --- docs/wiki/ALZ-Policies-Extra.md | 1 + docs/wiki/Whats-new.md | 1 + 2 files changed, 2 insertions(+) diff --git a/docs/wiki/ALZ-Policies-Extra.md b/docs/wiki/ALZ-Policies-Extra.md index d9eef5174d..57e973c502 100644 --- a/docs/wiki/ALZ-Policies-Extra.md +++ b/docs/wiki/ALZ-Policies-Extra.md @@ -12,6 +12,7 @@ ALZ provides several additional policies that are not assigned by default but th |------------|-------------|-------------| | Deny-Appgw-Without-Waf | Application Gateway should be deployed with WAF enabled | Use to ensure Application Gateways are deployed with Web Application Firewall enabled | | Deny-Private-Dns-Zones | Deny the creation of private DNS | For organizations that centralize core networking functions, use this policy to prevent the creation of additional Private DNS Zones under specific scopes | +| Deny-Subnet-Without-Penp | Subnets without Private Endpoint Network Policies enabled should be denied | This policy denies the creation of a subnet without Private Endpoint Network Policies enabled. This policy is intended for 'workload' subnets, not 'central infrastructure' (aka, 'hub') subnets. | | Deny-Subnet-Without-Udr | Subnets should have a User Defined Route | Should you require all network traffic be directed to an appliance for inspection, you can use this policy to ensure UDR is associated with a subnet | | Deny-Udr-With-Specific-Nexthop | User Defined Routes with 'Next Hop Type' set to 'Internet' or 'VirtualNetworkGateway' should be denied | Refining `Deny-Subnet-Without-Udr` you can ensure non-compliant UDRs are denied (e.g., bypassing a firewall) | | Deny-Vnet-Peering | Deny vNet peering | Use to prevent vNet peering under specific scopes (e.g., Sandbox management group) | diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md index b8f9babe72..911c96695a 100644 --- a/docs/wiki/Whats-new.md +++ b/docs/wiki/Whats-new.md @@ -53,6 +53,7 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones: - Fixed a Portal Accelerator bug that results in failed deployment when choosing not to deploy policies to the Identity management group. - Updated the display name of the many `Effect` parameters to clearly identify the policy it applies to in the initiative [Enforce recommended guardrails for Azure Key Vault](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-KeyVault.html). - Updated the policy and policySet definition API version `2023-04-01` to supporting policy versioning. In this repo, this is used in the master policies.json and initiatives.json files, that are built from individual policy and initiative files in the src folder. +- Added description for custom ALZ policy [Deny-Subnet-Without-Penp](https://www.azadvertizer.net/azpolicyadvertizer/Deny-Subnet-Without-Penp.html) to the [ALZ Policies Extra](./ALZ-Policies-Extra) wiki page. ### 🔃 Policy Refresh Q1 FY25 From 601f53a998e1f2be38e41da942224ad3702f2930 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Tue, 5 Nov 2024 14:06:14 +0400 Subject: [PATCH 05/18] Update EncryptTransit AppServiceTLS param to include 1.3 (#1827) --- docs/wiki/Whats-new.md | 1 + .../policyDefinitions/initiatives.json | 4 ++-- .../Enforce-EncryptTransit_20240509.json | 9 +++++---- 3 files changed, 8 insertions(+), 6 deletions(-) diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md index 911c96695a..177d9d058c 100644 --- a/docs/wiki/Whats-new.md +++ b/docs/wiki/Whats-new.md @@ -54,6 +54,7 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones: - Updated the display name of the many `Effect` parameters to clearly identify the policy it applies to in the initiative [Enforce recommended guardrails for Azure Key Vault](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-KeyVault.html). - Updated the policy and policySet definition API version `2023-04-01` to supporting policy versioning. In this repo, this is used in the master policies.json and initiatives.json files, that are built from individual policy and initiative files in the src folder. - Added description for custom ALZ policy [Deny-Subnet-Without-Penp](https://www.azadvertizer.net/azpolicyadvertizer/Deny-Subnet-Without-Penp.html) to the [ALZ Policies Extra](./ALZ-Policies-Extra) wiki page. +- Updated initiative [Enforce-EncryptTransit_20240509](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit_20240509.html) `AppServiceMinTlsVersion` parameter to include TLS version 1.3 (as supported by the policy). ### 🔃 Policy Refresh Q1 FY25 diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json b/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json index d89a0d99c4..5cac7df0f3 100644 --- a/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json +++ b/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.30.23.60470", - "templateHash": "5086942299464024025" + "templateHash": "2616839357813689921" } }, "parameters": { @@ -121,7 +121,7 @@ "$fxv#47": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VWanS2SVPNGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#48": "{\n \"name\": \"Deploy-MDFC-Config\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"3.0.1\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\":{\n \"value\":\"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#49": "{\n \"name\": \"Deploy-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"Deploy-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-File-Sync\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-Private-DNS-Azure-Web\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-Web\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureWebPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-KeyVault\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#5": "{\n \"name\": \"Enforce-EncryptTransit_20240509\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. \",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Enforce-EncryptTransit\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionAppTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Configure Function apps to use the latest TLS version.\",\n \"description\": \"App Service Function App. Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.\"\n },\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"LogicAppTlsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageminimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"ContainerAppsHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"logicAppHttpsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubMinTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlDbTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Dine-FunctionApp-Tls\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-LogicApp-TLS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('LogicAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https\",\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Without-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppHttpsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063\",\n \"policyDefinitionReferenceId\": \"Dine-Function-Apps-Slots-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Apps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-AppSlotTls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71\",\n \"policyDefinitionReferenceId\": \"Deny-FuncAppSlots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\n \"policyDefinitionReferenceId\": \"Deny-FunctionApp-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-minTLS\",\n \"policyDefinitionReferenceId\": \"Deny-EH-minTLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubMinTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8793640-60f7-487c-b5c3-1d37215905c4\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Db-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlDbTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTlsVersion')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#5": "{\n \"name\": \"Enforce-EncryptTransit_20240509\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. \",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Enforce-EncryptTransit\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.3\",\n \"1.2\",\n \"1.1\",\n \"1.0\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionAppTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Configure Function apps to use the latest TLS version.\",\n \"description\": \"App Service Function App. Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.\"\n },\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"LogicAppTlsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageMinimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"ContainerAppsHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"logicAppHttpsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubMinTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlDbTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Dine-FunctionApp-Tls\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-LogicApp-TLS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('LogicAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https\",\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Without-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppHttpsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063\",\n \"policyDefinitionReferenceId\": \"Dine-Function-Apps-Slots-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Apps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-AppSlotTls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71\",\n \"policyDefinitionReferenceId\": \"Deny-FuncAppSlots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\n \"policyDefinitionReferenceId\": \"Deny-FunctionApp-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-minTLS\",\n \"policyDefinitionReferenceId\": \"Deny-EH-minTLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubMinTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8793640-60f7-487c-b5c3-1d37215905c4\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Db-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlDbTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTlsVersion')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#50": "{\n \"name\": \"Enforce-Encryption-CMK\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"MySQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure MySQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"PostgreSQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure PostgreSQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n\t \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQLCMKEffect\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQLCMKEffect\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#51": "{\n \"name\": \"Deny-PublicPaaSEndpoints\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registires with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MariaDbPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#52": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VWanS2SVPNGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509.json index 1d96c3c4ba..b25cb45075 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509.json @@ -8,7 +8,7 @@ "displayName": "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit", "description": "Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. ", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Encryption", "source": "https://github.com/Azure/Enterprise-Scale/", "replacesPolicy": "Enforce-EncryptTransit", @@ -47,9 +47,10 @@ "type": "String", "defaultValue": "1.2", "allowedValues": [ + "1.3", "1.2", - "1.0", - "1.1" + "1.1", + "1.0" ], "metadata": { "displayName": "App Service. Select version minimum TLS Web App config", @@ -356,7 +357,7 @@ "Disabled" ] }, - "StorageminimumTlsVersion": { + "StorageMinimumTlsVersion": { "type": "String", "defaultValue": "TLS1_2", "allowedValues": [ From 193fb3764bef1782e9784637d15922937a056ceb Mon Sep 17 00:00:00 2001 From: Cassie Kays <86622587+cassiekays@users.noreply.github.com> Date: Tue, 19 Nov 2024 02:01:16 -0800 Subject: [PATCH 06/18] added SQL security policy into the wiki (#1829) Co-authored-by: Sacha Narinx --- docs/wiki/ALZ-Policies-Extra.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/wiki/ALZ-Policies-Extra.md b/docs/wiki/ALZ-Policies-Extra.md index 57e973c502..f3924e945e 100644 --- a/docs/wiki/ALZ-Policies-Extra.md +++ b/docs/wiki/ALZ-Policies-Extra.md @@ -18,6 +18,7 @@ ALZ provides several additional policies that are not assigned by default but th | Deny-Vnet-Peering | Deny vNet peering | Use to prevent vNet peering under specific scopes (e.g., Sandbox management group) | | Deny-Vnet-Peering-To-Non-Approved-Vnets | Deny vNet peering to non-approved vNets | Use to control vNet peering under specific scopes, like in the Corp management group, only allow peering to the hub vNet. | | Deploy-Budget | Deploy a default budget on all subscriptions under the assigned scope | Set a default budget for a specific scope, like setting a $500 budget on all subscriptions in the Sandbox management group | +|Deploy-Sql-Security_20240529| Deploy-SQL Database built-in SQL security configuration| Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment| | Deploy-Vnet-Hubspoke | Deploy Virtual Network with peering to the hub | Automatically peer a new virtual network with the hub, for example, in the Corp management group | | Deploy-Windows-DomainJoin | Deploy Windows Domain Join Extension with Key Vault configuration | Windows Domain Join a virtual machine using domain name and password stored in Key Vault as secrets | From 2a752398455930c936ab0f90c735eaebfa07ee33 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Wed, 20 Nov 2024 12:34:47 +0400 Subject: [PATCH 07/18] Fix NVA VPN Regional (#1830) --- docs/wiki/Whats-new.md | 2 ++ .../nvahubspoke-connectivity.json | 21 +++++++++++-------- 2 files changed, 14 insertions(+), 9 deletions(-) diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md index d814b93c37..6344773e14 100644 --- a/docs/wiki/Whats-new.md +++ b/docs/wiki/Whats-new.md @@ -1,6 +1,7 @@ ## In this Section - [Updates](#updates) + - [🔃 Policy Refresh Q2 FY25](#-policy-refresh-q2-fy25) - [November 2024](#november-2024) - [🔃 Policy Refresh Q1 FY25](#-policy-refresh-q1-fy25) - [October 2024](#october-2024) @@ -61,6 +62,7 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones: #### Tooling +- Fixed a bug in the Portal Accelerator that caused the deployment to fail when deploying a hub & spoke with NVA topology and regional VPN gateway (basic sku for Public IP not supported). - A bug was resolved in the Portal Accelerator that caused deployment validation to fail with the error message "The 'location' property must be specified for 'amba-id-amba-prod-001'". This event happened when a Log Analytics Workspace was not deployed, but Azure Monitor Baseline Alerts were enabled. This issue occurred because Azure Monitor Baseline Alerts depend on the management subscription, which is not provided if the Log Analytics Workspace is not deployed. To address this scenario, an additional section was implemented in the Baseline alerts and monitoring tab allowing the selection of a Management subscription when not deploying a Log Analytics Workspace. - Updated the ***Baseline alerts and monitoring*** integration section in the portal accelerator to deploy the latest release of AMBA (2024-11-01). To read more on the changes, see the [What's new](https://aka.ms/amba/alz/whatsnew) page in the AMBA documentation. diff --git a/eslzArm/subscriptionTemplates/nvahubspoke-connectivity.json b/eslzArm/subscriptionTemplates/nvahubspoke-connectivity.json index 631f20d388..33936e612b 100644 --- a/eslzArm/subscriptionTemplates/nvahubspoke-connectivity.json +++ b/eslzArm/subscriptionTemplates/nvahubspoke-connectivity.json @@ -132,6 +132,7 @@ "azErGwIpName": "[concat(variables('erGwName'), '-pip')]", "azVpnGwPipId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'), '/providers/Microsoft.Network/publicIPAddresses/', variables('azVpnGwIpName'))]", "azVpnGwAAPipId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'), '/providers/Microsoft.Network/publicIPAddresses/', variables('azVpnGwAAIpName'))]", + "azVpnPIPZones": "[split('1,2,3', ',')]", "azErGwSubnetId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'),'/providers/Microsoft.Network/virtualNetworks/', variables('hubname'), '/subnets/GatewaySubnet')]", "azErGwPipId": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'), '/providers/Microsoft.Network/publicIPAddresses/', variables('azErGwIpName'))]", "resourceDeploymentName": "[take(concat(deployment().name, '-hubspoke', parameters('location')), 64)]", @@ -219,33 +220,35 @@ }, { "condition": "[and(equals(parameters('enableVpnGw'), 'Yes'), not(empty(parameters('subnetMaskForGw'))))]", - "apiVersion": "2020-05-01", + "apiVersion": "2023-11-01", "type": "Microsoft.Network/publicIpAddresses", "location": "[parameters('location')]", "name": "[variables('azVpnGwIpName')]", + "zones": "[if(equals(parameters('gwRegionalOrAz'), 'Zone'), variables('azVpnPIPZones'), json('null'))]", "sku": { - "name": "[if(equals(parameters('gwRegionalOrAz'), 'Zone'), 'Standard', 'Basic')]" + "name": "Standard" }, "properties": { - "publicIPAllocationMethod": "[if(equals(parameters('gwRegionalOrAz'), 'Zone'), 'Static', 'Dynamic')]" + "publicIPAllocationMethod": "Static" } }, { "condition": "[and(equals(parameters('enableVpnGw'), 'Yes'), equals(parameters('enableVpnActiveActive'),'Yes'), not(empty(parameters('subnetMaskForGw'))))]", - "apiVersion": "2020-05-01", + "apiVersion": "2023-11-01", "type": "Microsoft.Network/publicIpAddresses", "location": "[parameters('location')]", "name": "[variables('azVpnGwAAIpName')]", + "zones": "[if(equals(parameters('gwRegionalOrAz'), 'Zone'), variables('azVpnPIPZones'), json('null'))]", "sku": { - "name": "[if(equals(parameters('gwRegionalOrAz'), 'Zone'), 'Standard', 'Basic')]" + "name": "Standard" }, "properties": { - "publicIPAllocationMethod": "[if(equals(parameters('gwRegionalOrAz'), 'Zone'), 'Static', 'Dynamic')]" + "publicIPAllocationMethod": "Static" } }, { "condition": "[and(equals(parameters('enableVpnGw'), 'Yes'), equals(parameters('enableVpnActiveActive'),'No'), not(empty(parameters('subnetMaskForGw'))))]", - "apiVersion": "2020-05-01", + "apiVersion": "2023-11-01", "name": "[variables('vpngwname')]", "type": "Microsoft.Network/virtualNetworkGateways", "location": "[parameters('location')]", @@ -365,10 +368,10 @@ "location": "[parameters('location')]", "name": "[variables('azErGwIpName')]", "sku": { - "name": "[if(equals(parameters('erRegionalOrAz'), 'Zone'), 'Standard', 'Basic')]" + "name": "Standard" }, "properties": { - "publicIPAllocationMethod": "[if(equals(parameters('erRegionalOrAz'), 'Zone'), 'Static', 'Dynamic')]" + "publicIPAllocationMethod": "Static" } }, { From 73d6e73759d36210e54ec05b79adde59314ffa15 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Fri, 29 Nov 2024 16:58:49 +0400 Subject: [PATCH 08/18] Policy: Audit for mandatory tags on resources/resource groups (#1843) --- docs/wiki/ALZ-Policies-Extra.md | 2 + docs/wiki/Whats-new.md | 1 + .../policyDefinitions/policies.json | 350 +++++++++--------- .../Audit-Tags-Mandatory-Rg.json | 91 +++++ .../Audit-Tags-Mandatory.json | 66 ++++ src/templates/policies.bicep | 2 + 6 files changed, 339 insertions(+), 173 deletions(-) create mode 100644 src/resources/Microsoft.Authorization/policyDefinitions/Audit-Tags-Mandatory-Rg.json create mode 100644 src/resources/Microsoft.Authorization/policyDefinitions/Audit-Tags-Mandatory.json diff --git a/docs/wiki/ALZ-Policies-Extra.md b/docs/wiki/ALZ-Policies-Extra.md index f3924e945e..36ee97a4ba 100644 --- a/docs/wiki/ALZ-Policies-Extra.md +++ b/docs/wiki/ALZ-Policies-Extra.md @@ -10,6 +10,8 @@ ALZ provides several additional policies that are not assigned by default but th | Policy | Description | Notes | |------------|-------------|-------------| +| Audit-Tags-Mandatory | Audit for mandatory tags on resources | Audits resources to ensure they have required tags based on tag array. Does not apply to resource groups. | +| Audit-Tags-Mandatory-RG | Audit for mandatory tags on resource groups | Audits resource groups to ensure they have required tags based on tag array. | | Deny-Appgw-Without-Waf | Application Gateway should be deployed with WAF enabled | Use to ensure Application Gateways are deployed with Web Application Firewall enabled | | Deny-Private-Dns-Zones | Deny the creation of private DNS | For organizations that centralize core networking functions, use this policy to prevent the creation of additional Private DNS Zones under specific scopes | | Deny-Subnet-Without-Penp | Subnets without Private Endpoint Network Policies enabled should be denied | This policy denies the creation of a subnet without Private Endpoint Network Policies enabled. This policy is intended for 'workload' subnets, not 'central infrastructure' (aka, 'hub') subnets. | diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md index 6344773e14..9775bd9d34 100644 --- a/docs/wiki/Whats-new.md +++ b/docs/wiki/Whats-new.md @@ -57,6 +57,7 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones: - Updated the policy and policySet definition API version `2023-04-01` to supporting policy versioning. In this repo, this is used in the master policies.json and initiatives.json files, that are built from individual policy and initiative files in the src folder. - Added description for custom ALZ policy [Deny-Subnet-Without-Penp](https://www.azadvertizer.net/azpolicyadvertizer/Deny-Subnet-Without-Penp.html) to the [ALZ Policies Extra](./ALZ-Policies-Extra) wiki page. - Updated initiative [Enforce-EncryptTransit_20240509](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit_20240509.html) `AppServiceMinTlsVersion` parameter to include TLS version 1.3 (as supported by the policy). +- Added new custom policies [Audit-Tags-Mandatory](https://www.azadvertizer.net/azpolicyadvertizer/Audit-Tags-Mandatory.html) and [Audit-Tags-Mandatory-Rg](https://www.azadvertizer.net/azpolicyadvertizer/Audit-Tags-Mandatory-Rg.html) to support auditing for the existence of mandatory tags (based on an array of tags). Not assigned by default. ### November 2024 diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/policies.json b/eslzArm/managementGroupTemplates/policyDefinitions/policies.json index 30f9b5fd9a..cb10857da3 100644 --- a/eslzArm/managementGroupTemplates/policyDefinitions/policies.json +++ b/eslzArm/managementGroupTemplates/policyDefinitions/policies.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.30.23.60470", - "templateHash": "5958455570293715110" + "version": "0.31.92.45157", + "templateHash": "15835468158012758308" } }, "parameters": { @@ -78,174 +78,176 @@ ], "$fxv#0": "{\n \"name\": \"Append-AppService-httpsonly\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"AppService append enable https only setting to enforce https setting.\",\n \"description\": \"Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"App Service\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Web/sites\"\n },\n {\n \"field\": \"Microsoft.Web/sites/httpsOnly\",\n \"notequals\": true\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": [\n {\n \"field\": \"Microsoft.Web/sites/httpsOnly\",\n \"value\": true\n }\n ]\n }\n }\n }\n}\n", "$fxv#1": "{\n \"name\": \"Append-AppService-latestTLS\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"AppService append sites with minimum TLS version to enforce.\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required minimum TLS version. Please note Append does not enforce compliance use then deny.\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"App Service\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"minTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.3\",\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Select version minimum TLS Web App config\",\n \"description\": \"Select version minimum TLS version for a Web App config to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Web/sites/config/minTlsVersion\",\n \"exists\": \"true\"\n },\n {\n \"field\": \"Microsoft.Web/sites/config/minTlsVersion\",\n \"less\": \"[[parameters('minTlsVersion')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": [\n {\n \"field\": \"Microsoft.Web/sites/config/minTlsVersion\",\n \"value\": \"[[parameters('minTlsVersion')]\"\n }\n ]\n }\n }\n }\n}\n", - "$fxv#10": "{\n \"name\": \"Deny-AppServiceApiApp-http\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"API App should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"App Service\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Web/sites\"\n },\n {\n \"field\": \"kind\",\n \"like\": \"*api\"\n },\n {\n \"field\": \"Microsoft.Web/sites/httpsOnly\",\n \"equals\": \"false\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#100": "{\n \"name\": \"Deploy-Sql-vulnerabilityAssessments\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy SQL Database vulnerability Assessments\",\n \"description\": \"Deploy SQL Database vulnerability Assessments when it not exist in the deployment. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Sql-vulnerabilityAssessments_20230706.html\",\n \"metadata\": {\n \"version\": \"1.0.1-deprecated\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"Deploy-Sql-vulnerabilityAssessments_20230706\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"vulnerabilityAssessmentsEmail\": {\n \"type\": \"String\",\n \"metadata\": {\n \"description\": \"The email address to send alerts. For multiple emails, format in the following 'email1@contoso.com;email2@contoso.com'\",\n \"displayName\": \"The email address to send alerts. For multiple emails, format in the following 'email1@contoso.com;email2@contoso.com'\"\n }\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"type\": \"String\",\n \"metadata\": {\n \"description\": \"The storage account ID to store assessments\",\n \"displayName\": \"The storage account ID to store assessments\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Sql/servers/databases\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Sql/servers/databases/vulnerabilityAssessments\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.emails\",\n \"equals\": \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n },\n {\n \"field\": \"Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.isEnabled\",\n \"equals\": true\n }\n ]\n },\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"location\": {\n \"type\": \"String\"\n },\n \"sqlServerName\": {\n \"type\": \"String\"\n },\n \"sqlServerDataBaseName\": {\n \"type\": \"String\"\n },\n \"vulnerabilityAssessmentsEmail\": {\n \"type\": \"String\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"name\": \"[[concat(parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/default')]\",\n \"type\": \"Microsoft.Sql/servers/databases/vulnerabilityAssessments\",\n \"apiVersion\": \"2017-03-01-preview\",\n \"properties\": {\n \"storageContainerPath\": \"[[concat('https://', last( split(parameters('vulnerabilityAssessmentsStorageID') , '/') ) , '.blob.core.windows.net/vulneraabilitylogs')]\",\n \"storageAccountAccessKey\": \"[[listkeys(parameters('vulnerabilityAssessmentsStorageID'), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value]\",\n \"recurringScans\": {\n \"isEnabled\": true,\n \"emailSubscriptionAdmins\": false,\n \"emails\": [\n \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n ]\n }\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"sqlServerName\": {\n \"value\": \"[[first(split(field('fullname'),'/'))]\"\n },\n \"sqlServerDataBaseName\": {\n \"value\": \"[[field('name')]\"\n },\n \"vulnerabilityAssessmentsEmail\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsStorageID')]\"\n }\n }\n }\n },\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3\",\n \"/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab\"\n ]\n }\n }\n }\n }\n}\n", - "$fxv#101": "{\n \"name\": \"Deploy-Sql-vulnerabilityAssessments_20230706\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy SQL Database Vulnerability Assessments\",\n \"description\": \"Deploy SQL Database Vulnerability Assessments when it does not exist in the deployment, and save results to the storage account specified in the parameters.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Deploy-Sql-vulnerabilityAssessments\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"vulnerabilityAssessmentsEmail\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"description\": \"The email address(es) to send alerts.\",\n \"displayName\": \"The email address(es) to send alerts.\"\n }\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"type\": \"String\",\n \"metadata\": {\n \"description\": \"The storage account ID to store assessments\",\n \"displayName\": \"The storage account ID to store assessments\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Sql/servers/databases\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Sql/servers/databases/vulnerabilityAssessments\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"count\": {\n \"field\": \"Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.emails[*]\",\n \"where\": {\n \"value\": \"current(Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.emails[*])\",\n \"notIn\": \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n }\n },\n \"greater\": 0\n },\n {\n \"field\": \"Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.isEnabled\",\n \"equals\": true\n }\n ]\n },\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"location\": {\n \"type\": \"String\"\n },\n \"sqlServerName\": {\n \"type\": \"String\"\n },\n \"sqlServerDataBaseName\": {\n \"type\": \"String\"\n },\n \"vulnerabilityAssessmentsEmail\": {\n \"type\": \"Array\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"name\": \"[[concat(parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/default')]\",\n \"type\": \"Microsoft.Sql/servers/databases/vulnerabilityAssessments\",\n \"apiVersion\": \"2017-03-01-preview\",\n \"properties\": {\n \"storageContainerPath\": \"[[concat('https://', last( split(parameters('vulnerabilityAssessmentsStorageID') , '/') ) , '.blob.core.windows.net/vulneraabilitylogs')]\",\n \"storageAccountAccessKey\": \"[[listkeys(parameters('vulnerabilityAssessmentsStorageID'), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value]\",\n \"recurringScans\": {\n \"isEnabled\": true,\n \"emailSubscriptionAdmins\": false,\n \"emails\": \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n }\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"sqlServerName\": {\n \"value\": \"[[first(split(field('fullname'),'/'))]\"\n },\n \"sqlServerDataBaseName\": {\n \"value\": \"[[field('name')]\"\n },\n \"vulnerabilityAssessmentsEmail\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsStorageID')]\"\n }\n }\n }\n },\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3\",\n \"/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab\"\n ]\n }\n }\n }\n }\n}\n", - "$fxv#102": "{\n \"name\": \"Deploy-SqlMi-minTLS\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"SQL managed instances deploy a specific min TLS version requirement.\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL managed instances. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\n \"metadata\": {\n \"version\": \"1.3.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect SQL servers\",\n \"description\": \"Enable or disable the execution of the policy minimum TLS version SQL servers\"\n }\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.1\",\n \"1.0\"\n ],\n \"metadata\": {\n \"displayName\": \"Select version for SQL server\",\n \"description\": \"Select version minimum TLS version SQL servers to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Sql/managedInstances\"\n },\n {\n \"field\": \"Microsoft.Sql/managedInstances/minimalTlsVersion\",\n \"less\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Sql/managedInstances\",\n \"evaluationDelay\": \"AfterProvisioningSuccess\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Sql/managedInstances/minimalTlsVersion\",\n \"equals\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n },\n \"name\": \"current\",\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/4939a1f6-9ae0-4e48-a1e0-f2cbe897382d\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Sql/managedInstances\",\n \"apiVersion\": \"2020-02-02-preview\",\n \"name\": \"[[concat(parameters('resourceName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"minimalTlsVersion\": \"[[parameters('minimalTlsVersion')]\"\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('minimalTlsVersion')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#103": "{\n \"name\": \"Deploy-Storage-sslEnforcement\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Azure Storage deploy a specific min TLS version requirement and enforce SSL/HTTPS \",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Storage. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your Azure Storage.\",\n \"metadata\": {\n \"version\": \"1.3.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect Azure Storage\",\n \"description\": \"Enable or disable the execution of the policy minimum TLS version Azure STorage\"\n }\n },\n \"minimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Select TLS version for Azure Storage server\",\n \"description\": \"Select version minimum TLS version Azure STorage to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly\",\n \"notEquals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/minimumTlsVersion\",\n \"less\": \"[[parameters('minimumTlsVersion')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Storage/storageAccounts\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/minimumTlsVersion\",\n \"equals\": \"[[parameters('minimumTlsVersion')]\"\n }\n ]\n },\n \"name\": \"current\",\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"minimumTlsVersion\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Storage/storageAccounts\",\n \"apiVersion\": \"2019-06-01\",\n \"name\": \"[[concat(parameters('resourceName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"supportsHttpsTrafficOnly\": true,\n \"minimumTlsVersion\": \"[[parameters('minimumTlsVersion')]\"\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('minimumTlsVersion')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#104": "{\n \"name\": \"Deploy-VNET-HubSpoke\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy Virtual Network with peering to the hub\",\n \"description\": \"This policy deploys virtual network and peer to the hub\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"vNetName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"vNetName\",\n \"description\": \"Name of the landing zone vNet\"\n }\n },\n \"vNetRgName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"vNetRgName\",\n \"description\": \"Name of the landing zone vNet RG\"\n }\n },\n \"vNetLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"vNetLocation\",\n \"description\": \"Location for the vNet\"\n }\n },\n \"vNetCidrRange\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"vNetCidrRange\",\n \"description\": \"CIDR Range for the vNet\"\n }\n },\n \"hubResourceId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"hubResourceId\",\n \"description\": \"Resource ID for the HUB vNet\"\n }\n },\n \"dnsServers\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"DNSServers\",\n \"description\": \"Default domain servers for the vNET.\"\n },\n \"defaultValue\": []\n },\n \"vNetPeerUseRemoteGateway\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"vNetPeerUseRemoteGateway\",\n \"description\": \"Enable gateway transit for the LZ network\"\n },\n \"defaultValue\": false\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Resources/subscriptions\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"deployIfNotExists\",\n \"details\": {\n \"type\": \"Microsoft.Network/virtualNetworks\",\n \"name\": \"[[parameters('vNetName')]\",\n \"deploymentScope\": \"subscription\",\n \"existenceScope\": \"resourceGroup\",\n \"ResourceGroupName\": \"[[parameters('vNetRgName')]\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n ],\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"name\",\n \"like\": \"[[parameters('vNetName')]\"\n },\n {\n \"field\": \"location\",\n \"equals\": \"[[parameters('vNetLocation')]\"\n }\n ]\n },\n \"deployment\": {\n \"location\": \"northeurope\",\n \"properties\": {\n \"mode\": \"Incremental\",\n \"parameters\": {\n \"vNetRgName\": {\n \"value\": \"[[parameters('vNetRgName')]\"\n },\n \"vNetName\": {\n \"value\": \"[[parameters('vNetName')]\"\n },\n \"vNetLocation\": {\n \"value\": \"[[parameters('vNetLocation')]\"\n },\n \"vNetCidrRange\": {\n \"value\": \"[[parameters('vNetCidrRange')]\"\n },\n \"hubResourceId\": {\n \"value\": \"[[parameters('hubResourceId')]\"\n },\n \"dnsServers\": {\n \"value\": \"[[parameters('dnsServers')]\"\n },\n \"vNetPeerUseRemoteGateway\": {\n \"value\": \"[[parameters('vNetPeerUseRemoteGateway')]\"\n }\n },\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"vNetRgName\": {\n \"type\": \"String\"\n },\n \"vNetName\": {\n \"type\": \"String\"\n },\n \"vNetLocation\": {\n \"type\": \"String\"\n },\n \"vNetCidrRange\": {\n \"type\": \"String\"\n },\n \"vNetPeerUseRemoteGateway\": {\n \"type\": \"bool\",\n \"defaultValue\": false\n },\n \"hubResourceId\": {\n \"type\": \"String\"\n },\n \"dnsServers\": {\n \"type\": \"Array\",\n \"defaultValue\": []\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2021-04-01\",\n \"name\": \"[[concat('alz-vnet-rg-', parameters('vNetLocation'), '-', substring(uniqueString(subscription().id),0,6))]\",\n \"location\": \"[[parameters('vNetLocation')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {},\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Resources/resourceGroups\",\n \"apiVersion\": \"2021-04-01\",\n \"name\": \"[[parameters('vNetRgName')]\",\n \"location\": \"[[parameters('vNetLocation')]\",\n \"properties\": {}\n }\n ],\n \"outputs\": {}\n }\n }\n },\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2021-04-01\",\n \"name\": \"[[concat('alz-vnet-', parameters('vNetLocation'), '-', substring(uniqueString(subscription().id),0,6))]\",\n \"dependsOn\": [\n \"[[concat('alz-vnet-rg-', parameters('vNetLocation'), '-', substring(uniqueString(subscription().id),0,6))]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {},\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/virtualNetworks\",\n \"apiVersion\": \"2021-02-01\",\n \"name\": \"[[parameters('vNetName')]\",\n \"location\": \"[[parameters('vNetLocation')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"addressSpace\": {\n \"addressPrefixes\": [\n \"[[parameters('vNetCidrRange')]\"\n ]\n },\n \"dhcpOptions\": {\n \"dnsServers\": \"[[parameters('dnsServers')]\"\n }\n }\n },\n {\n \"type\": \"Microsoft.Network/virtualNetworks/virtualNetworkPeerings\",\n \"apiVersion\": \"2021-02-01\",\n \"name\": \"[[concat(parameters('vNetName'), '/peerToHub')]\",\n \"dependsOn\": [\n \"[[parameters('vNetName')]\"\n ],\n \"properties\": {\n \"remoteVirtualNetwork\": {\n \"id\": \"[[parameters('hubResourceId')]\"\n },\n \"allowVirtualNetworkAccess\": true,\n \"allowForwardedTraffic\": true,\n \"allowGatewayTransit\": false,\n \"useRemoteGateways\": \"[[parameters('vNetPeerUseRemoteGateway')]\"\n }\n },\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2021-04-01\",\n \"name\": \"[[concat('alz-hub-peering-', parameters('vNetLocation'), '-', substring(uniqueString(subscription().id),0,6))]\",\n \"subscriptionId\": \"[[split(parameters('hubResourceId'),'/')[2]]\",\n \"resourceGroup\": \"[[split(parameters('hubResourceId'),'/')[4]]\",\n \"dependsOn\": [\n \"[[parameters('vNetName')]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"expressionEvaluationOptions\": {\n \"scope\": \"inner\"\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"remoteVirtualNetwork\": {\n \"type\": \"String\",\n \"defaultValue\": false\n },\n \"hubName\": {\n \"type\": \"String\",\n \"defaultValue\": false\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/virtualNetworks/virtualNetworkPeerings\",\n \"name\": \"[[[concat(parameters('hubName'),'/',last(split(parameters('remoteVirtualNetwork'),'/')))]\",\n \"apiVersion\": \"2021-02-01\",\n \"properties\": {\n \"allowVirtualNetworkAccess\": true,\n \"allowForwardedTraffic\": true,\n \"allowGatewayTransit\": true,\n \"useRemoteGateways\": false,\n \"remoteVirtualNetwork\": {\n \"id\": \"[[[parameters('remoteVirtualNetwork')]\"\n }\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"remoteVirtualNetwork\": {\n \"value\": \"[[concat(subscription().id,'/resourceGroups/',parameters('vNetRgName'), '/providers/','Microsoft.Network/virtualNetworks/', parameters('vNetName'))]\"\n },\n \"hubName\": {\n \"value\": \"[[split(parameters('hubResourceId'),'/')[8]]\"\n }\n }\n }\n }\n ],\n \"outputs\": {}\n }\n },\n \"resourceGroup\": \"[[parameters('vNetRgName')]\"\n }\n ],\n \"outputs\": {}\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#105": "{\n \"name\": \"Deploy-Vm-autoShutdown\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Virtual Machine Auto Shutdown Schedule\",\n \"description\": \"Deploys an auto shutdown schedule to a virtual machine\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Compute\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"time\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Scheduled Shutdown Time\",\n \"description\": \"Daily Scheduled shutdown time. i.e. 2300 = 11:00 PM\"\n },\n \"defaultValue\": \"0000\"\n },\n \"timeZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"UTC\",\n \"metadata\": {\n \"displayName\": \"Time zone\",\n \"description\": \"The time zone ID (e.g. Pacific Standard time).\"\n }\n },\n \"EnableNotification\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"metadata\": {\n \"displayName\": \"Send Notification before auto-shutdown\",\n \"description\": \"If notifications are enabled for this schedule (i.e. Enabled, Disabled).\"\n },\n \"allowedValues\": [\n \"Disabled\",\n \"Enabled\"\n ]\n },\n \"NotificationEmailRecipient\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"Email Address\",\n \"description\": \"Email address to be used for notification\"\n }\n },\n \"NotificationWebhookUrl\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"Webhook URL\",\n \"description\": \"A notification will be posted to the specified webhook endpoint when the auto-shutdown is about to happen.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Compute/virtualMachines\"\n },\n \"then\": {\n \"effect\": \"deployIfNotExists\",\n \"details\": {\n \"type\": \"Microsoft.DevTestLab/schedules\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.DevTestLab/schedules/taskType\",\n \"equals\": \"ComputeVmShutdownTask\"\n },\n {\n \"field\": \"Microsoft.DevTestLab/schedules/targetResourceId\",\n \"equals\": \"[[concat(resourceGroup().id,'/providers/Microsoft.Compute/virtualMachines/',field('name'))]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"vmName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n },\n \"time\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"description\": \"Daily Scheduled shutdown time. i.e. 2300 = 11:00 PM\"\n }\n },\n \"timeZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"description\": \"The time zone ID (e.g. Pacific Standard time).\"\n }\n },\n \"EnableNotification\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"description\": \"If notifications are enabled for this schedule (i.e. Enabled, Disabled).\"\n }\n },\n \"NotificationEmailRecipient\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"description\": \"Email address to be used for notification\"\n }\n },\n \"NotificationWebhookUrl\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"description\": \"A notification will be posted to the specified webhook endpoint when the auto-shutdown is about to happen.\"\n }\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"name\": \"[[concat('shutdown-computevm-',parameters('vmName'))]\",\n \"type\": \"Microsoft.DevTestLab/schedules\",\n \"location\": \"[[parameters('location')]\",\n \"apiVersion\": \"2018-09-15\",\n \"properties\": {\n \"status\": \"Enabled\",\n \"taskType\": \"ComputeVmShutdownTask\",\n \"dailyRecurrence\": {\n \"time\": \"[[parameters('time')]\"\n },\n \"timeZoneId\": \"[[parameters('timeZoneId')]\",\n \"notificationSettings\": {\n \"status\": \"[[parameters('EnableNotification')]\",\n \"timeInMinutes\": 30,\n \"webhookUrl\": \"[[parameters('NotificationWebhookUrl')]\",\n \"emailRecipient\": \"[[parameters('NotificationEmailRecipient')]\",\n \"notificationLocale\": \"en\"\n },\n \"targetResourceId\": \"[[resourceId('Microsoft.Compute/virtualMachines', parameters('vmName'))]\"\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"vmName\": {\n \"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"time\": {\n \"value\": \"[[parameters('time')]\"\n },\n \"timeZoneId\": {\n \"value\": \"[[parameters('timeZoneId')]\"\n },\n \"EnableNotification\": {\n \"value\": \"[[parameters('EnableNotification')]\"\n },\n \"NotificationEmailRecipient\": {\n \"value\": \"[[parameters('NotificationEmailRecipient')]\"\n },\n \"NotificationWebhookUrl\": {\n \"value\": \"[[parameters('NotificationWebhookUrl')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#106": "{\n \"name\": \"Deploy-Windows-DomainJoin\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Windows Domain Join Extension with keyvault configuration\",\n \"description\": \"Deploy Windows Domain Join Extension with keyvault configuration when the extension does not exist on a given windows Virtual Machine\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Guest Configuration\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"domainUsername\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"domainUsername\"\n }\n },\n \"domainPassword\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"domainPassword\"\n }\n },\n \"domainFQDN\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"domainFQDN\"\n }\n },\n \"domainOUPath\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"domainOUPath\"\n }\n },\n \"keyVaultResourceId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"keyVaultResourceId\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Compute/virtualMachines\"\n },\n {\n \"field\": \"Microsoft.Compute/imagePublisher\",\n \"equals\": \"MicrosoftWindowsServer\"\n },\n {\n \"field\": \"Microsoft.Compute/imageOffer\",\n \"equals\": \"WindowsServer\"\n },\n {\n \"field\": \"Microsoft.Compute/imageSKU\",\n \"in\": [\n \"2008-R2-SP1\",\n \"2008-R2-SP1-smalldisk\",\n \"2008-R2-SP1-zhcn\",\n \"2012-Datacenter\",\n \"2012-datacenter-gensecond\",\n \"2012-Datacenter-smalldisk\",\n \"2012-datacenter-smalldisk-g2\",\n \"2012-Datacenter-zhcn\",\n \"2012-datacenter-zhcn-g2\",\n \"2012-R2-Datacenter\",\n \"2012-r2-datacenter-gensecond\",\n \"2012-R2-Datacenter-smalldisk\",\n \"2012-r2-datacenter-smalldisk-g2\",\n \"2012-R2-Datacenter-zhcn\",\n \"2012-r2-datacenter-zhcn-g2\",\n \"2016-Datacenter\",\n \"2016-datacenter-gensecond\",\n \"2016-datacenter-gs\",\n \"2016-Datacenter-Server-Core\",\n \"2016-datacenter-server-core-g2\",\n \"2016-Datacenter-Server-Core-smalldisk\",\n \"2016-datacenter-server-core-smalldisk-g2\",\n \"2016-Datacenter-smalldisk\",\n \"2016-datacenter-smalldisk-g2\",\n \"2016-Datacenter-with-Containers\",\n \"2016-datacenter-with-containers-g2\",\n \"2016-Datacenter-with-RDSH\",\n \"2016-Datacenter-zhcn\",\n \"2016-datacenter-zhcn-g2\",\n \"2019-Datacenter\",\n \"2019-Datacenter-Core\",\n \"2019-datacenter-core-g2\",\n \"2019-Datacenter-Core-smalldisk\",\n \"2019-datacenter-core-smalldisk-g2\",\n \"2019-Datacenter-Core-with-Containers\",\n \"2019-datacenter-core-with-containers-g2\",\n \"2019-Datacenter-Core-with-Containers-smalldisk\",\n \"2019-datacenter-core-with-containers-smalldisk-g2\",\n \"2019-datacenter-gensecond\",\n \"2019-datacenter-gs\",\n \"2019-Datacenter-smalldisk\",\n \"2019-datacenter-smalldisk-g2\",\n \"2019-Datacenter-with-Containers\",\n \"2019-datacenter-with-containers-g2\",\n \"2019-Datacenter-with-Containers-smalldisk\",\n \"2019-datacenter-with-containers-smalldisk-g2\",\n \"2019-Datacenter-zhcn\",\n \"2019-datacenter-zhcn-g2\",\n \"Datacenter-Core-1803-with-Containers-smalldisk\",\n \"datacenter-core-1803-with-containers-smalldisk-g2\",\n \"Datacenter-Core-1809-with-Containers-smalldisk\",\n \"datacenter-core-1809-with-containers-smalldisk-g2\",\n \"Datacenter-Core-1903-with-Containers-smalldisk\",\n \"datacenter-core-1903-with-containers-smalldisk-g2\",\n \"datacenter-core-1909-with-containers-smalldisk\",\n \"datacenter-core-1909-with-containers-smalldisk-g1\",\n \"datacenter-core-1909-with-containers-smalldisk-g2\"\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Compute/virtualMachines/extensions\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c\"\n ],\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Compute/virtualMachines/extensions/type\",\n \"equals\": \"JsonADDomainExtension\"\n },\n {\n \"field\": \"Microsoft.Compute/virtualMachines/extensions/publisher\",\n \"equals\": \"Microsoft.Compute\"\n }\n ]\n },\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"parameters\": {\n \"vmName\": {\n \"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"domainUsername\": {\n \"reference\": {\n \"keyVault\": {\n \"id\": \"[[parameters('keyVaultResourceId')]\"\n },\n \"secretName\": \"[[parameters('domainUsername')]\"\n }\n },\n \"domainPassword\": {\n \"reference\": {\n \"keyVault\": {\n \"id\": \"[[parameters('keyVaultResourceId')]\"\n },\n \"secretName\": \"[[parameters('domainPassword')]\"\n }\n },\n \"domainOUPath\": {\n \"value\": \"[[parameters('domainOUPath')]\"\n },\n \"domainFQDN\": {\n \"value\": \"[[parameters('domainFQDN')]\"\n },\n \"keyVaultResourceId\": {\n \"value\": \"[[parameters('keyVaultResourceId')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"vmName\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"domainUsername\": {\n \"type\": \"String\"\n },\n \"domainPassword\": {\n \"type\": \"securestring\"\n },\n \"domainFQDN\": {\n \"type\": \"String\"\n },\n \"domainOUPath\": {\n \"type\": \"String\"\n },\n \"keyVaultResourceId\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {\n \"domainJoinOptions\": 3,\n \"vmName\": \"[[parameters('vmName')]\"\n },\n \"resources\": [\n {\n \"apiVersion\": \"2015-06-15\",\n \"type\": \"Microsoft.Compute/virtualMachines/extensions\",\n \"name\": \"[[concat(variables('vmName'),'/joindomain')]\",\n \"location\": \"[[resourceGroup().location]\",\n \"properties\": {\n \"publisher\": \"Microsoft.Compute\",\n \"type\": \"JsonADDomainExtension\",\n \"typeHandlerVersion\": \"1.3\",\n \"autoUpgradeMinorVersion\": true,\n \"settings\": {\n \"Name\": \"[[parameters('domainFQDN')]\",\n \"User\": \"[[parameters('domainUserName')]\",\n \"Restart\": \"true\",\n \"Options\": \"[[variables('domainJoinOptions')]\",\n \"OUPath\": \"[[parameters('domainOUPath')]\"\n },\n \"protectedSettings\": {\n \"Password\": \"[[parameters('domainPassword')]\"\n }\n }\n }\n ],\n \"outputs\": {}\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#107": "{\n \"name\": \"Deploy-Diagnostics-VWanS2SVPNGW\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for VWAN S2S VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN Gateway to stream to a Log Analytics workspace when any VWAN S2S VPN Gateway which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/vpnGateways\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/vpnGateways/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"GatewayDiagnosticLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"IKEDiagnosticLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"RouteDiagnosticLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"TunnelDiagnosticLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#108": "{\n \"name\": \"Audit-PrivateLinkDnsZones\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null, \n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Audit or Deny the creation of Private Link Private DNS Zones\",\n \"description\": \"This policy audits or denies, depending on assignment effect, the creation of a Private Link Private DNS Zones in the current scope, used in combination with policies that create centralized private DNS in connectivity subscription\",\n \"metadata\": {\n \"version\": \"1.0.2\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"privateLinkDnsZones\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Private Link Private DNS Zones\",\n \"description\": \"An array of Private Link Private DNS Zones to check for the existence of in the assigned scope.\"\n },\n \"defaultValue\": [\n \"privatelink.adf.azure.com\",\n \"privatelink.afs.azure.net\",\n \"privatelink.agentsvc.azure-automation.net\",\n \"privatelink.analysis.windows.net\",\n \"privatelink.api.azureml.ms\",\n \"privatelink.azconfig.io\",\n \"privatelink.azure-api.net\",\n \"privatelink.azure-automation.net\",\n \"privatelink.azurecr.io\",\n \"privatelink.azure-devices.net\",\n \"privatelink.azure-devices-provisioning.net\",\n \"privatelink.azuredatabricks.net\",\n \"privatelink.azurehdinsight.net\",\n \"privatelink.azurehealthcareapis.com\",\n \"privatelink.azurestaticapps.net\",\n \"privatelink.azuresynapse.net\",\n \"privatelink.azurewebsites.net\",\n \"privatelink.batch.azure.com\",\n \"privatelink.blob.core.windows.net\",\n \"privatelink.cassandra.cosmos.azure.com\",\n \"privatelink.cognitiveservices.azure.com\",\n \"privatelink.database.windows.net\",\n \"privatelink.datafactory.azure.net\",\n \"privatelink.dev.azuresynapse.net\",\n \"privatelink.dfs.core.windows.net\",\n \"privatelink.dicom.azurehealthcareapis.com\",\n \"privatelink.digitaltwins.azure.net\",\n \"privatelink.directline.botframework.com\",\n \"privatelink.documents.azure.com\",\n \"privatelink.eventgrid.azure.net\",\n \"privatelink.file.core.windows.net\",\n \"privatelink.gremlin.cosmos.azure.com\",\n \"privatelink.guestconfiguration.azure.com\",\n \"privatelink.his.arc.azure.com\",\n \"privatelink.kubernetesconfiguration.azure.com\",\n \"privatelink.managedhsm.azure.net\",\n \"privatelink.mariadb.database.azure.com\",\n \"privatelink.media.azure.net\",\n \"privatelink.mongo.cosmos.azure.com\",\n \"privatelink.monitor.azure.com\",\n \"privatelink.mysql.database.azure.com\",\n \"privatelink.notebooks.azure.net\",\n \"privatelink.ods.opinsights.azure.com\",\n \"privatelink.oms.opinsights.azure.com\",\n \"privatelink.pbidedicated.windows.net\",\n \"privatelink.postgres.database.azure.com\",\n \"privatelink.prod.migration.windowsazure.com\",\n \"privatelink.purview.azure.com\",\n \"privatelink.purviewstudio.azure.com\",\n \"privatelink.queue.core.windows.net\",\n \"privatelink.redis.cache.windows.net\",\n \"privatelink.redisenterprise.cache.azure.net\",\n \"privatelink.search.windows.net\",\n \"privatelink.service.signalr.net\",\n \"privatelink.servicebus.windows.net\",\n \"privatelink.siterecovery.windowsazure.com\",\n \"privatelink.sql.azuresynapse.net\",\n \"privatelink.table.core.windows.net\",\n \"privatelink.table.cosmos.azure.com\",\n \"privatelink.tip1.powerquery.microsoft.com\",\n \"privatelink.token.botframework.com\",\n \"privatelink.vaultcore.azure.net\",\n \"privatelink.web.core.windows.net\",\n \"privatelink.webpubsub.azure.com\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/privateDnsZones\"\n },\n {\n \"field\": \"name\",\n \"in\": \"[[parameters('privateLinkDnsZones')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#109": "{\n \"name\": \"DenyAction-DiagnosticLogs\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"DenyAction implementation on Diagnostic Logs.\",\n \"description\": \"DenyAction implementation on Diagnostic Logs.\",\n \"metadata\": {\n \"deprecated\": false,\n \"version\": \"1.0.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {},\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Insights/diagnosticSettings\"\n },\n \"then\": {\n \"effect\": \"denyAction\",\n \"details\": {\n \"actionNames\": [\n \"delete\"\n ]\n }\n }\n }\n }\n}", - "$fxv#11": "{\n \"name\": \"Deny-AppServiceFunctionApp-http\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Function App should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"App Service\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Web/sites\"\n },\n {\n \"field\": \"kind\",\n \"like\": \"functionapp*\"\n },\n {\n \"field\": \"Microsoft.Web/sites/httpsOnly\",\n \"equals\": \"false\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#110": "{\n \"name\": \"DenyAction-ActivityLogs\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"DenyAction implementation on Activity Logs\",\n \"description\": \"This is a DenyAction implementation policy on Activity Logs.\",\n \"metadata\": {\n \"deprecated\": false, \n \"version\": \"1.0.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {},\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Resources/subscriptions/providers/diagnosticSettings\"\n },\n \"then\": {\n \"effect\": \"denyAction\",\n \"details\": {\n \"actionNames\": [\n \"delete\"\n ]\n }\n }\n }\n }\n}", - "$fxv#111": "{\n \"name\": \"Deploy-UserAssignedManagedIdentity-VMInsights\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"displayName\": \"[Deprecated]: Deploy User Assigned Managed Identity for VM Insights\",\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"description\": \"Policy is deprecated as it's no longer required. User-Assigned Management Identity is now centralized and deployed by Azure Landing Zones to the Management Subscription.\",\n \"metadata\": {\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"Managed Identity\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"bringYourOwnUserAssignedManagedIdentity\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"Bring Your Own User-Assigned Identity\",\n \"description\": \"Enable this to use your pre-created user-assigned managed identity. The pre-created identity MUST exist within the subscription otherwise the policy deployment will fail. If enabled, ensure that the User-Assigned Identity Name and Identity Resource Group Name parameters match the pre-created identity. If not enabled, the policy will create per subscription, per resource user-assigned managed identities in a new resource group named 'Built-In-Identity-RG'.\"\n },\n \"allowedValues\": [\n true,\n false\n ]\n },\n \"userAssignedIdentityName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"User-Assigned Managed Identity Name\",\n \"description\": \"The name of the pre-created user-assigned managed identity.\"\n },\n \"defaultValue\": \"\"\n },\n \"identityResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"User-Assigned Managed Identity Resource Group Name\",\n \"description\": \"The resource group in which the pre-created user-assigned managed identity resides.\"\n },\n \"defaultValue\": \"\"\n },\n \"builtInIdentityResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Built-In-Identity-RG Location\",\n \"description\": \"The location of the resource group 'Built-In-Identity-RG' created by the policy. This parameter is only used when 'Bring Your Own User Assigned Identity' parameter is false.\"\n },\n \"defaultValue\": \"eastus\"\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Policy Effect\",\n \"description\": \"The effect determines what happens when the policy rule is evaluated to match.\"\n },\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Compute/virtualMachines\"\n },\n {\n \"value\": \"[[requestContext().apiVersion]\",\n \"greaterOrEquals\": \"2018-10-01\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Compute/virtualMachines\",\n \"name\": \"[[field('name')]\",\n \"evaluationDelay\": \"AfterProvisioning\",\n \"deploymentScope\": \"subscription\",\n \"existenceCondition\": {\n \"anyOf\": [\n {\n \"allOf\": [\n {\n \"field\": \"identity.type\",\n \"contains\": \"UserAssigned\"\n },\n {\n \"field\": \"identity.userAssignedIdentities\",\n \"containsKey\": \"[[if(parameters('bringYourOwnUserAssignedManagedIdentity'), concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', trim(parameters('identityResourceGroup')), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', trim(parameters('userAssignedIdentityName'))), concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/Built-In-Identity-RG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/Built-In-Identity-', field('location')))]\"\n }\n ]\n },\n {\n \"allOf\": [\n {\n \"field\": \"identity.type\",\n \"equals\": \"UserAssigned\"\n },\n {\n \"value\": \"[[string(length(field('identity.userAssignedIdentities')))]\",\n \"equals\": \"1\"\n }\n ]\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n ],\n \"deployment\": {\n \"location\": \"eastus\",\n \"properties\": {\n \"mode\": \"incremental\",\n \"parameters\": {\n \"bringYourOwnUserAssignedManagedIdentity\": {\n \"value\": \"[[parameters('bringYourOwnUserAssignedManagedIdentity')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"uaName\": {\n \"value\": \"[[if(parameters('bringYourOwnUserAssignedManagedIdentity'), parameters('userAssignedIdentityName'), 'Built-In-Identity')]\"\n },\n \"identityResourceGroup\": {\n \"value\": \"[[if(parameters('bringYourOwnUserAssignedManagedIdentity'), parameters('identityResourceGroup'), 'Built-In-Identity-RG')]\"\n },\n \"builtInIdentityResourceGroupLocation\": {\n \"value\": \"[[parameters('builtInIdentityResourceGroupLocation')]\"\n },\n \"vmName\": {\n \"value\": \"[[field('name')]\"\n },\n \"vmResourceGroup\": {\n \"value\": \"[[resourceGroup().name]\"\n },\n \"resourceId\": {\n \"value\": \"[[field('id')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.1\",\n \"parameters\": {\n \"bringYourOwnUserAssignedManagedIdentity\": {\n \"type\": \"bool\"\n },\n \"location\": {\n \"type\": \"string\"\n },\n \"uaName\": {\n \"type\": \"string\"\n },\n \"identityResourceGroup\": {\n \"type\": \"string\"\n },\n \"builtInIdentityResourceGroupLocation\": {\n \"type\": \"string\"\n },\n \"vmName\": {\n \"type\": \"string\"\n },\n \"vmResourceGroup\": {\n \"type\": \"string\"\n },\n \"resourceId\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {\n \"uaNameWithLocation\": \"[[concat(parameters('uaName'),'-', parameters('location'))]\",\n \"precreatedUaId\": \"[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', trim(parameters('identityResourceGroup')), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', trim(parameters('uaName')))]\",\n \"autocreatedUaId\": \"[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', trim(parameters('identityResourceGroup')), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', trim(parameters('uaName')), '-', parameters('location'))]\",\n \"deployUALockName\": \"[[concat('deployUALock-', uniqueString(deployment().name))]\",\n \"deployUAName\": \"[[concat('deployUA-', uniqueString(deployment().name))]\",\n \"deployGetResourceProperties\": \"[[concat('deployGetResourceProperties-', uniqueString(deployment().name))]\",\n \"deployAssignUAName\": \"[[concat('deployAssignUA-', uniqueString(deployment().name))]\"\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Resources/resourceGroups\",\n \"apiVersion\": \"2020-06-01\",\n \"name\": \"[[parameters('identityResourceGroup')]\",\n \"location\": \"[[parameters('builtInIdentityResourceGroupLocation')]\"\n },\n {\n \"condition\": \"[[parameters('bringYourOwnUserAssignedManagedIdentity')]\",\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2020-06-01\",\n \"name\": \"[[variables('deployUALockName')]\",\n \"resourceGroup\": \"[[parameters('identityResourceGroup')]\",\n \"dependsOn\": [\n \"[[resourceId('Microsoft.Resources/resourceGroups', parameters('identityResourceGroup'))]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"expressionEvaluationOptions\": {\n \"scope\": \"inner\"\n },\n \"parameters\": {\n \"uaName\": {\n \"value\": \"[[parameters('uaName')]\"\n },\n \"location\": {\n \"value\": \"[[parameters('location')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"uaName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.ManagedIdentity/userAssignedIdentities\",\n \"name\": \"[[parameters('uaName')]\",\n \"apiVersion\": \"2018-11-30\",\n \"location\": \"[[parameters('location')]\"\n }\n ]\n }\n }\n },\n {\n \"condition\": \"[[not(parameters('bringYourOwnUserAssignedManagedIdentity'))]\",\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2020-06-01\",\n \"name\": \"[[variables('deployUAName')]\",\n \"resourceGroup\": \"[[parameters('identityResourceGroup')]\",\n \"dependsOn\": [\n \"[[resourceId('Microsoft.Resources/resourceGroups', parameters('identityResourceGroup'))]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"expressionEvaluationOptions\": {\n \"scope\": \"inner\"\n },\n \"parameters\": {\n \"uaName\": {\n \"value\": \"[[variables('uaNameWithLocation')]\"\n },\n \"location\": {\n \"value\": \"[[parameters('location')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"uaName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.ManagedIdentity/userAssignedIdentities\",\n \"name\": \"[[parameters('uaName')]\",\n \"apiVersion\": \"2018-11-30\",\n \"location\": \"[[parameters('location')]\"\n },\n {\n \"type\": \"Microsoft.ManagedIdentity/userAssignedIdentities/providers/locks\",\n \"apiVersion\": \"2016-09-01\",\n \"name\": \"[[concat(parameters('uaName'), '/Microsoft.Authorization/', 'CanNotDeleteLock-', parameters('uaName'))]\",\n \"dependsOn\": [\n \"[[parameters('uaName')]\"\n ],\n \"properties\": {\n \"level\": \"CanNotDelete\",\n \"notes\": \"Please do not delete this User-Assigned Identity since extensions enabled by Azure Policy are relying on their existence.\"\n }\n }\n ]\n }\n }\n },\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2020-06-01\",\n \"name\": \"[[variables('deployGetResourceProperties')]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [\n \"[[resourceId('Microsoft.Resources/resourceGroups', parameters('identityResourceGroup'))]\",\n \"[[variables('deployUAName')]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"resources\": [],\n \"outputs\": {\n \"resource\": {\n \"type\": \"object\",\n \"value\": \"[[reference(parameters('resourceId'), '2019-07-01', 'Full')]\"\n }\n }\n }\n }\n },\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2020-06-01\",\n \"name\": \"[[concat(variables('deployAssignUAName'))]\",\n \"resourceGroup\": \"[[parameters('vmResourceGroup')]\",\n \"dependsOn\": [\n \"[[resourceId('Microsoft.Resources/resourceGroups', parameters('identityResourceGroup'))]\",\n \"[[variables('deployUAName')]\",\n \"[[variables('deployGetResourceProperties')]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"expressionEvaluationOptions\": {\n \"scope\": \"inner\"\n },\n \"parameters\": {\n \"uaId\": {\n \"value\": \"[[if(parameters('bringYourOwnUserAssignedManagedIdentity'), variables('precreatedUaId'), variables('autocreatedUaId'))]\"\n },\n \"vmName\": {\n \"value\": \"[[parameters('vmName')]\"\n },\n \"location\": {\n \"value\": \"[[parameters('location')]\"\n },\n \"identityType\": {\n \"value\": \"[[if(contains(reference(variables('deployGetResourceProperties')).outputs.resource.value, 'identity'), reference(variables('deployGetResourceProperties')).outputs.resource.value.identity.type, '')]\"\n },\n \"userAssignedIdentities\": {\n \"value\": \"[[if(and(contains(reference(variables('deployGetResourceProperties')).outputs.resource.value, 'identity'), contains(reference(variables('deployGetResourceProperties')).outputs.resource.value.identity, 'userAssignedIdentities')), reference(variables('deployGetResourceProperties')).outputs.resource.value.identity.userAssignedIdentities, createObject())]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"uaId\": {\n \"type\": \"string\"\n },\n \"vmName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n },\n \"identityType\": {\n \"type\": \"string\"\n },\n \"userAssignedIdentities\": {\n \"type\": \"object\"\n }\n },\n \"variables\": {\n \"identityTypeValue\": \"[[if(contains(parameters('identityType'), 'SystemAssigned'), 'SystemAssigned,UserAssigned', 'UserAssigned')]\",\n \"userAssignedIdentitiesValue\": \"[[union(parameters('userAssignedIdentities'), createObject(parameters('uaId'), createObject()))]\",\n \"resourceWithSingleUAI\": \"[[and(equals(parameters('identityType'), 'UserAssigned'), equals(string(length(parameters('userAssignedIdentities'))), '1'))]\"\n },\n \"resources\": [\n {\n \"condition\": \"[[not(variables('resourceWithSingleUAI'))]\",\n \"apiVersion\": \"2019-07-01\",\n \"type\": \"Microsoft.Compute/virtualMachines\",\n \"name\": \"[[parameters('vmName')]\",\n \"location\": \"[[parameters('location')]\",\n \"identity\": {\n \"type\": \"[[variables('identityTypeValue')]\",\n \"userAssignedIdentities\": \"[[variables('userAssignedIdentitiesValue')]\"\n }\n }\n ]\n }\n }\n }\n ]\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#112": "{\n \"name\": \"Deploy-MDFC-Arc-SQL-DCR-Association\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Configure Arc-enabled SQL Servers with DCR Association to Microsoft Defender for SQL user-defined DCR\",\n \"description\": \"Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/2227e1f1-23dd-4c3a-85a9-7024a401d8b2.html\",\n \"metadata\": {\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"2227e1f1-23dd-4c3a-85a9-7024a401d8b2\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"workspaceRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace region\",\n \"description\": \"Region of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"location\"\n }\n },\n \"dcrName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Name\",\n \"description\": \"Name of the Data Collection Rule.\"\n }\n },\n \"dcrResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Resource Group\",\n \"description\": \"Resource Group of the Data Collection Rule.\"\n }\n },\n \"dcrId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Id\",\n \"description\": \"Id of the Data Collection Rule.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.HybridCompute/machines\"\n },\n {\n \"field\": \"Microsoft.HybridCompute/machines/osName\",\n \"equals\": \"Windows\"\n },\n {\n \"field\": \"Microsoft.HybridCompute/machines/mssqlDiscovered\",\n \"equals\": \"true\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/dataCollectionRuleAssociations\",\n \"name\": \"MicrosoftDefenderForSQL-RulesAssociation\",\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceGroup\": {\n \"type\": \"string\"\n },\n \"vmName\": {\n \"type\": \"string\"\n },\n \"workspaceRegion\": {\n \"type\": \"string\"\n },\n \"dcrName\": {\n \"type\": \"string\"\n },\n \"dcrResourceGroup\": {\n \"type\": \"string\"\n },\n \"dcrId\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {\n \"locationLongNameToShortMap\": {\n \"australiacentral\": \"CAU\",\n \"australiaeast\": \"EAU\",\n \"australiasoutheast\": \"SEAU\",\n \"brazilsouth\": \"CQ\",\n \"canadacentral\": \"CCA\",\n \"canadaeast\": \"CCA\",\n \"centralindia\": \"CIN\",\n \"centralus\": \"CUS\",\n \"eastasia\": \"EA\",\n \"eastus2euap\": \"eus2p\",\n \"eastus\": \"EUS\",\n \"eastus2\": \"EUS2\",\n \"francecentral\": \"PAR\",\n \"germanywestcentral\": \"DEWC\",\n \"japaneast\": \"EJP\",\n \"jioindiawest\": \"CIN\",\n \"koreacentral\": \"SE\",\n \"koreasouth\": \"SE\",\n \"northcentralus\": \"NCUS\",\n \"northeurope\": \"NEU\",\n \"norwayeast\": \"NOE\",\n \"southafricanorth\": \"JNB\",\n \"southcentralus\": \"SCUS\",\n \"southeastasia\": \"SEA\",\n \"southindia\": \"CIN\",\n \"swedencentral\": \"SEC\",\n \"switzerlandnorth\": \"CHN\",\n \"switzerlandwest\": \"CHW\",\n \"uaenorth\": \"DXB\",\n \"uksouth\": \"SUK\",\n \"ukwest\": \"WUK\",\n \"westcentralus\": \"WCUS\",\n \"westeurope\": \"WEU\",\n \"westindia\": \"CIN\",\n \"westus\": \"WUS\",\n \"westus2\": \"WUS2\"\n },\n \"locationCode\": \"[[if(contains(variables('locationLongNameToShortMap'), parameters('workspaceRegion')), variables('locationLongNameToShortMap')[parameters('workspaceRegion')], parameters('workspaceRegion'))]\",\n \"subscriptionId\": \"[[subscription().subscriptionId]\",\n \"defaultRGName\": \"[[parameters('resourceGroup')]\",\n \"dcrName\": \"[[parameters('dcrName')]\",\n \"dcrId\": \"[[parameters('dcrId')]\",\n \"dcraName\": \"[[concat(parameters('vmName'),'/Microsoft.Insights/MicrosoftDefenderForSQL-RulesAssociation')]\"\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.HybridCompute/machines/providers/dataCollectionRuleAssociations\",\n \"name\": \"[[variables('dcraName')]\",\n \"apiVersion\": \"2021-04-01\",\n \"properties\": {\n \"description\": \"Configure association between Arc-enabled SQL Server and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for this Arc-enabled SQL Server.\",\n \"dataCollectionRuleId\": \"[[variables('dcrId')]\"\n }\n }\n ]\n },\n \"parameters\": {\n \"resourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"vmName\": {\n \"value\": \"[[field('name')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#113": "{\n \"name\": \"Deploy-MDFC-Arc-Sql-DefenderSQL-DCR\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Configure Arc-enabled SQL Servers to auto install Microsoft Defender for SQL and DCR with a user-defined LAW\",\n \"description\": \"Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/63d03cbd-47fd-4ee1-8a1c-9ddf07303de0.html\",\n \"metadata\": {\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"63d03cbd-47fd-4ee1-8a1c-9ddf07303de0\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"userWorkspaceResourceId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace Resource Id\",\n \"description\": \"Workspace resource Id of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"workspaceRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace region\",\n \"description\": \"Region of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"location\"\n }\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"Enable collection of SQL queries for security research\",\n \"description\": \"Enable or disable the collection of SQL queries for security research.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n },\n \"dcrName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Name\",\n \"description\": \"Name of the Data Collection Rule.\"\n }\n },\n \"dcrResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Resource Group\",\n \"description\": \"Resource Group of the Data Collection Rule.\"\n }\n },\n \"dcrId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Id\",\n \"description\": \"Id of the Data Collection Rule.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.HybridCompute/machines\"\n },\n {\n \"field\": \"Microsoft.HybridCompute/machines/osName\",\n \"equals\": \"Windows\"\n },\n {\n \"field\": \"Microsoft.HybridCompute/machines/mssqlDiscovered\",\n \"equals\": \"true\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/dataCollectionRules\",\n \"deploymentScope\": \"subscription\",\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n ],\n \"existenceScope\": \"subscription\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"location\",\n \"equals\": \"[[parameters('workspaceRegion')]\"\n },\n {\n \"field\": \"name\",\n \"equals\": \"[[parameters('dcrName')]\"\n }\n ]\n },\n \"deployment\": {\n \"location\": \"eastus\",\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceGroup\": {\n \"type\": \"string\"\n },\n \"vmName\": {\n \"type\": \"string\"\n },\n \"userWorkspaceResourceId\": {\n \"type\": \"string\"\n },\n \"workspaceRegion\": {\n \"type\": \"string\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"type\": \"bool\"\n },\n \"dcrName\": {\n \"type\": \"string\"\n },\n \"dcrResourceGroup\": {\n \"type\": \"string\"\n },\n \"dcrId\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {\n \"locationLongNameToShortMap\": {\n \"australiacentral\": \"CAU\",\n \"australiaeast\": \"EAU\",\n \"australiasoutheast\": \"SEAU\",\n \"brazilsouth\": \"CQ\",\n \"canadacentral\": \"CCA\",\n \"canadaeast\": \"CCA\",\n \"centralindia\": \"CIN\",\n \"centralus\": \"CUS\",\n \"eastasia\": \"EA\",\n \"eastus2euap\": \"eus2p\",\n \"eastus\": \"EUS\",\n \"eastus2\": \"EUS2\",\n \"francecentral\": \"PAR\",\n \"germanywestcentral\": \"DEWC\",\n \"japaneast\": \"EJP\",\n \"jioindiawest\": \"CIN\",\n \"koreacentral\": \"SE\",\n \"koreasouth\": \"SE\",\n \"northcentralus\": \"NCUS\",\n \"northeurope\": \"NEU\",\n \"norwayeast\": \"NOE\",\n \"southafricanorth\": \"JNB\",\n \"southcentralus\": \"SCUS\",\n \"southeastasia\": \"SEA\",\n \"southindia\": \"CIN\",\n \"swedencentral\": \"SEC\",\n \"switzerlandnorth\": \"CHN\",\n \"switzerlandwest\": \"CHW\",\n \"uaenorth\": \"DXB\",\n \"uksouth\": \"SUK\",\n \"ukwest\": \"WUK\",\n \"westcentralus\": \"WCUS\",\n \"westeurope\": \"WEU\",\n \"westindia\": \"CIN\",\n \"westus\": \"WUS\",\n \"westus2\": \"WUS2\"\n },\n \"locationCode\": \"[[if(contains(variables('locationLongNameToShortMap'), parameters('workspaceRegion')), variables('locationLongNameToShortMap')[parameters('workspaceRegion')], parameters('workspaceRegion'))]\",\n \"subscriptionId\": \"[[subscription().subscriptionId]\",\n \"defaultRGName\": \"[[parameters('resourceGroup')]\",\n \"defaultRGLocation\": \"[[parameters('workspaceRegion')]\",\n \"dcrName\": \"[[parameters('dcrName')]\",\n \"dcrId\": \"[[parameters('dcrId')]\",\n \"dcraName\": \"[[concat(parameters('vmName'),'/Microsoft.Insights/MicrosoftDefenderForSQL-RulesAssociation')]\",\n \"deployDataCollectionRules\": \"[[concat('deployDataCollectionRules-', uniqueString(deployment().name))]\",\n \"deployDataCollectionRulesAssociation\": \"[[concat('deployDataCollectionRulesAssociation-', uniqueString(deployment().name))]\"\n },\n \"resources\": [\n {\n \"condition\": \"[[empty(parameters('dcrResourceGroup'))]\",\n \"type\": \"Microsoft.Resources/resourceGroups\",\n \"name\": \"[[variables('defaultRGName')]\",\n \"apiVersion\": \"2022-09-01\",\n \"location\": \"[[variables('defaultRGLocation')]\",\n \"tags\": {\n \"createdBy\": \"MicrosoftDefenderForSQL\"\n }\n },\n {\n \"condition\": \"[[empty(parameters('dcrId'))]\",\n \"type\": \"Microsoft.Resources/deployments\",\n \"name\": \"[[variables('deployDataCollectionRules')]\",\n \"apiVersion\": \"2022-09-01\",\n \"resourceGroup\": \"[[variables('defaultRGName')]\",\n \"dependsOn\": [\n \"[[variables('defaultRGName')]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"expressionEvaluationOptions\": {\n \"scope\": \"inner\"\n },\n \"parameters\": {\n \"defaultRGLocation\": {\n \"value\": \"[[variables('defaultRGLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n },\n \"dcrName\": {\n \"value\": \"[[variables('dcrName')]\"\n },\n \"dcrId\": {\n \"value\": \"[[variables('dcrId')]\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"defaultRGLocation\": {\n \"type\": \"string\"\n },\n \"workspaceResourceId\": {\n \"type\": \"string\"\n },\n \"dcrName\": {\n \"type\": \"string\"\n },\n \"dcrId\": {\n \"type\": \"string\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"type\": \"bool\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Insights/dataCollectionRules\",\n \"name\": \"[[parameters('dcrName')]\",\n \"apiVersion\": \"2021-04-01\",\n \"location\": \"[[parameters('defaultRGLocation')]\",\n \"tags\": {\n \"createdBy\": \"MicrosoftDefenderForSQL\"\n },\n \"properties\": {\n \"description\": \"Data collection rule for Microsoft Defender for SQL. Deleting this rule will break the detection of security vulnerabilities.\",\n \"dataSources\": {\n \"extensions\": [\n {\n \"extensionName\": \"MicrosoftDefenderForSQL\",\n \"name\": \"MicrosoftDefenderForSQL\",\n \"streams\": [\n \"Microsoft-DefenderForSqlAlerts\",\n \"Microsoft-DefenderForSqlLogins\",\n \"Microsoft-DefenderForSqlTelemetry\",\n \"Microsoft-DefenderForSqlScanEvents\",\n \"Microsoft-DefenderForSqlScanResults\"\n ],\n \"extensionSettings\": {\n \"enableCollectionOfSqlQueriesForSecurityResearch\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n }\n }\n ]\n },\n \"destinations\": {\n \"logAnalytics\": [\n {\n \"workspaceResourceId\": \"[[parameters('workspaceResourceId')]\",\n \"name\": \"LogAnalyticsDest\"\n }\n ]\n },\n \"dataFlows\": [\n {\n \"streams\": [\n \"Microsoft-DefenderForSqlAlerts\",\n \"Microsoft-DefenderForSqlLogins\",\n \"Microsoft-DefenderForSqlTelemetry\",\n \"Microsoft-DefenderForSqlScanEvents\",\n \"Microsoft-DefenderForSqlScanResults\"\n ],\n \"destinations\": [\n \"LogAnalyticsDest\"\n ]\n }\n ]\n }\n }\n ]\n }\n }\n },\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"name\": \"[[variables('deployDataCollectionRulesAssociation')]\",\n \"apiVersion\": \"2022-09-01\",\n \"resourceGroup\": \"[[parameters('resourceGroup')]\",\n \"dependsOn\": [\n \"[[variables('deployDataCollectionRules')]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"expressionEvaluationOptions\": {\n \"scope\": \"inner\"\n },\n \"parameters\": {\n \"dcrId\": {\n \"value\": \"[[variables('dcrId')]\"\n },\n \"dcraName\": {\n \"value\": \"[[variables('dcraName')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"dcrId\": {\n \"type\": \"string\"\n },\n \"dcraName\": {\n \"type\": \"string\"\n }\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.HybridCompute/machines/providers/dataCollectionRuleAssociations\",\n \"name\": \"[[parameters('dcraName')]\",\n \"apiVersion\": \"2021-04-01\",\n \"properties\": {\n \"description\": \"Configure association between Arc-enabled SQL Server and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for this Arc-enabled SQL Server.\",\n \"dataCollectionRuleId\": \"[[parameters('dcrId')]\"\n }\n }\n ]\n }\n }\n }\n ]\n },\n \"parameters\": {\n \"resourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"vmName\": {\n \"value\": \"[[field('name')]\"\n },\n \"userWorkspaceResourceId\": {\n \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#114": "{\n \"name\": \"Deploy-MDFC-SQL-AMA\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Configure SQL Virtual Machines to automatically install Azure Monitor Agent\",\n \"description\": \"Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/f91991d1-5383-4c95-8ee5-5ac423dd8bb1.html\",\n \"metadata\": {\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"f91991d1-5383-4c95-8ee5-5ac423dd8bb1\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"identityResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Identity Resource Group\",\n \"description\": \"The name of the resource group created by the policy.\"\n },\n \"defaultValue\": \"\"\n },\n \"userAssignedIdentityName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"User Assigned Managed Identity Name\",\n \"description\": \"The name of the user assigned managed identity.\"\n },\n \"defaultValue\": \"\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Compute/virtualMachines\"\n },\n {\n \"field\": \"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\n \"like\": \"Windows*\"\n },\n {\n \"field\": \"Microsoft.Compute/imagePublisher\",\n \"equals\": \"microsoftsqlserver\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Compute/virtualMachines/extensions\",\n \"evaluationDelay\": \"AfterProvisioning\",\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c\"\n ],\n \"name\": \"[[concat(field('fullName'), '/AzureMonitorWindowsAgent')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Compute/virtualMachines/extensions/type\",\n \"equals\": \"AzureMonitorWindowsAgent\"\n },\n {\n \"field\": \"Microsoft.Compute/virtualMachines/extensions/publisher\",\n \"equals\": \"Microsoft.Azure.Monitor\"\n },\n {\n \"field\": \"Microsoft.Compute/virtualMachines/extensions/provisioningState\",\n \"in\": [\n \"Succeeded\",\n \"Provisioning succeeded\"\n ]\n }\n ]\n },\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"vmName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n },\n \"userAssignedManagedIdentity\": {\n \"type\": \"string\"\n },\n \"userAssignedIdentityName\": {\n \"type\": \"string\"\n },\n \"identityResourceGroup\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {\n \"extensionName\": \"AzureMonitorWindowsAgent\",\n \"extensionPublisher\": \"Microsoft.Azure.Monitor\",\n \"extensionType\": \"AzureMonitorWindowsAgent\",\n \"extensionTypeHandlerVersion\": \"1.2\"\n },\n \"resources\": [\n {\n \"name\": \"[[concat(parameters('vmName'), '/', variables('extensionName'))]\",\n \"type\": \"Microsoft.Compute/virtualMachines/extensions\",\n \"location\": \"[[parameters('location')]\",\n \"tags\": {\n \"createdBy\": \"MicrosoftDefenderForSQL\"\n },\n \"apiVersion\": \"2023-03-01\",\n \"properties\": {\n \"publisher\": \"[[variables('extensionPublisher')]\",\n \"type\": \"[[variables('extensionType')]\",\n \"typeHandlerVersion\": \"[[variables('extensionTypeHandlerVersion')]\",\n \"autoUpgradeMinorVersion\": true,\n \"enableAutomaticUpgrade\": true,\n \"settings\": {\n \"authentication\": {\n \"managedIdentity\": {\n \"identifier-name\": \"mi_res_id\",\n \"identifier-value\": \"[[parameters('userAssignedManagedIdentity')]\"\n }\n }\n }\n }\n }\n ]\n },\n \"parameters\": {\n \"vmName\": {\n \"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"userAssignedManagedIdentity\": {\n \"value\": \"[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', trim(parameters('identityResourceGroup')), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', trim(parameters('userAssignedIdentityName')))]\"\n },\n \"userAssignedIdentityName\": {\n \"value\": \"[[parameters('userAssignedIdentityName')]\"\n },\n \"identityResourceGroup\": {\n \"value\": \"[[parameters('identityResourceGroup')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#115": "{\n \"name\": \"Deploy-MDFC-SQL-DefenderSQL-DCR\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Configure SQL Virtual Machines to auto install Microsoft Defender for SQL and DCR with a user-defined LAW\",\n \"description\": \"Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/04754ef9-9ae3-4477-bf17-86ef50026304.html\",\n \"metadata\": {\n \"version\": \"1.0.1-deprecated\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"04754ef9-9ae3-4477-bf17-86ef50026304\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"userWorkspaceResourceId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace Resource Id\",\n \"description\": \"Workspace resource Id of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"workspaceRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace region\",\n \"description\": \"Region of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"location\"\n }\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"Enable collection of SQL queries for security research\",\n \"description\": \"Enable or disable the collection of SQL queries for security research.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n },\n \"dcrName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Name\",\n \"description\": \"Name of the Data Collection Rule.\"\n }\n },\n \"dcrResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Resource Group\",\n \"description\": \"Resource Group of the Data Collection Rule.\"\n }\n },\n \"dcrId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Id\",\n \"description\": \"Id of the Data Collection Rule.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Compute/virtualMachines\"\n },\n {\n \"field\": \"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\n \"like\": \"Windows*\"\n },\n {\n \"field\": \"Microsoft.Compute/imagePublisher\",\n \"equals\": \"microsoftsqlserver\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/dataCollectionRules\",\n \"evaluationDelay\": \"AfterProvisioning\",\n \"deploymentScope\": \"subscription\",\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n ],\n \"existenceScope\": \"subscription\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"location\",\n \"equals\": \"[[parameters('workspaceRegion')]\"\n },\n {\n \"field\": \"name\",\n \"equals\": \"[[parameters('dcrName')]\"\n }\n ]\n },\n \"deployment\": {\n \"location\": \"eastus\",\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceGroup\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n },\n \"vmName\": {\n \"type\": \"string\"\n },\n \"userWorkspaceResourceId\": {\n \"type\": \"string\"\n },\n \"workspaceRegion\": {\n \"type\": \"string\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"type\": \"bool\"\n },\n \"dcrName\": {\n \"type\": \"string\"\n },\n \"dcrResourceGroup\": {\n \"type\": \"string\"\n },\n \"dcrId\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {\n \"locationLongNameToShortMap\": {\n \"australiacentral\": \"CAU\",\n \"australiaeast\": \"EAU\",\n \"australiasoutheast\": \"SEAU\",\n \"brazilsouth\": \"CQ\",\n \"canadacentral\": \"CCA\",\n \"canadaeast\": \"CCA\",\n \"centralindia\": \"CIN\",\n \"centralus\": \"CUS\",\n \"eastasia\": \"EA\",\n \"eastus2euap\": \"eus2p\",\n \"eastus\": \"EUS\",\n \"eastus2\": \"EUS2\",\n \"francecentral\": \"PAR\",\n \"germanywestcentral\": \"DEWC\",\n \"japaneast\": \"EJP\",\n \"jioindiawest\": \"CIN\",\n \"koreacentral\": \"SE\",\n \"koreasouth\": \"SE\",\n \"northcentralus\": \"NCUS\",\n \"northeurope\": \"NEU\",\n \"norwayeast\": \"NOE\",\n \"southafricanorth\": \"JNB\",\n \"southcentralus\": \"SCUS\",\n \"southeastasia\": \"SEA\",\n \"southindia\": \"CIN\",\n \"swedencentral\": \"SEC\",\n \"switzerlandnorth\": \"CHN\",\n \"switzerlandwest\": \"CHW\",\n \"uaenorth\": \"DXB\",\n \"uksouth\": \"SUK\",\n \"ukwest\": \"WUK\",\n \"westcentralus\": \"WCUS\",\n \"westeurope\": \"WEU\",\n \"westindia\": \"CIN\",\n \"westus\": \"WUS\",\n \"westus2\": \"WUS2\"\n },\n \"locationCode\": \"[[if(contains(variables('locationLongNameToShortMap'), parameters('workspaceRegion')), variables('locationLongNameToShortMap')[parameters('workspaceRegion')], parameters('workspaceRegion'))]\",\n \"subscriptionId\": \"[[subscription().subscriptionId]\",\n \"defaultRGName\": \"[[parameters('dcrResourceGroup')]\",\n \"defaultRGLocation\": \"[[parameters('workspaceRegion')]\",\n \"dcrName\": \"[[parameters('dcrName')]\",\n \"dcrId\": \"[[parameters('dcrId')]\",\n \"dcraName\": \"[[concat(parameters('vmName'),'/Microsoft.Insights/MicrosoftDefenderForSQL-RulesAssociation')]\",\n \"deployDataCollectionRules\": \"[[concat('deployDataCollectionRules-', uniqueString(deployment().name))]\",\n \"deployDataCollectionRulesAssociation\": \"[[concat('deployDataCollectionRulesAssociation-', uniqueString(deployment().name))]\",\n \"deployDefenderForSQL\": \"[[concat('deployDefenderForSQL-', uniqueString(deployment().name))]\"\n },\n \"resources\": [\n {\n \"condition\": \"[[empty(parameters('dcrResourceGroup'))]\",\n \"type\": \"Microsoft.Resources/resourceGroups\",\n \"name\": \"[[variables('defaultRGName')]\",\n \"apiVersion\": \"2022-09-01\",\n \"location\": \"[[variables('defaultRGLocation')]\",\n \"tags\": {\n \"createdBy\": \"MicrosoftDefenderForSQL\"\n }\n },\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"name\": \"[[variables('deployDefenderForSQL')]\",\n \"apiVersion\": \"2022-09-01\",\n \"resourceGroup\": \"[[parameters('resourceGroup')]\",\n \"properties\": {\n \"mode\": \"Incremental\",\n \"expressionEvaluationOptions\": {\n \"scope\": \"inner\"\n },\n \"parameters\": {\n \"location\": {\n \"value\": \"[[parameters('location')]\"\n },\n \"vmName\": {\n \"value\": \"[[parameters('vmName')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"location\": {\n \"type\": \"string\"\n },\n \"vmName\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Compute/virtualMachines/extensions\",\n \"name\": \"[[concat(parameters('vmName'), '/', 'MicrosoftDefenderForSQL')]\",\n \"apiVersion\": \"2023-03-01\",\n \"location\": \"[[parameters('location')]\",\n \"tags\": {\n \"createdBy\": \"MicrosoftDefenderForSQL\"\n },\n \"properties\": {\n \"publisher\": \"Microsoft.Azure.AzureDefenderForSQL\",\n \"type\": \"AdvancedThreatProtection.Windows\",\n \"typeHandlerVersion\": \"2.0\",\n \"autoUpgradeMinorVersion\": true,\n \"enableAutomaticUpgrade\": true\n }\n }\n ]\n }\n }\n },\n {\n \"condition\": \"[[empty(parameters('dcrId'))]\",\n \"type\": \"Microsoft.Resources/deployments\",\n \"name\": \"[[variables('deployDataCollectionRules')]\",\n \"apiVersion\": \"2022-09-01\",\n \"resourceGroup\": \"[[variables('defaultRGName')]\",\n \"dependsOn\": [\n \"[[variables('defaultRGName')]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"expressionEvaluationOptions\": {\n \"scope\": \"inner\"\n },\n \"parameters\": {\n \"defaultRGLocation\": {\n \"value\": \"[[variables('defaultRGLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n },\n \"dcrName\": {\n \"value\": \"[[variables('dcrName')]\"\n },\n \"dcrId\": {\n \"value\": \"[[variables('dcrId')]\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"defaultRGLocation\": {\n \"type\": \"string\"\n },\n \"workspaceResourceId\": {\n \"type\": \"string\"\n },\n \"dcrName\": {\n \"type\": \"string\"\n },\n \"dcrId\": {\n \"type\": \"string\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"type\": \"bool\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Insights/dataCollectionRules\",\n \"name\": \"[[parameters('dcrName')]\",\n \"apiVersion\": \"2021-04-01\",\n \"location\": \"[[parameters('defaultRGLocation')]\",\n \"tags\": {\n \"createdBy\": \"MicrosoftDefenderForSQL\"\n },\n \"properties\": {\n \"description\": \"Data collection rule for Microsoft Defender for SQL. Deleting this rule will break the detection of security vulnerabilities.\",\n \"dataSources\": {\n \"extensions\": [\n {\n \"extensionName\": \"MicrosoftDefenderForSQL\",\n \"name\": \"MicrosoftDefenderForSQL\",\n \"streams\": [\n \"Microsoft-DefenderForSqlAlerts\",\n \"Microsoft-DefenderForSqlLogins\",\n \"Microsoft-DefenderForSqlTelemetry\",\n \"Microsoft-DefenderForSqlScanEvents\",\n \"Microsoft-DefenderForSqlScanResults\"\n ],\n \"extensionSettings\": {\n \"enableCollectionOfSqlQueriesForSecurityResearch\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n }\n }\n ]\n },\n \"destinations\": {\n \"logAnalytics\": [\n {\n \"workspaceResourceId\": \"[[parameters('workspaceResourceId')]\",\n \"name\": \"LogAnalyticsDest\"\n }\n ]\n },\n \"dataFlows\": [\n {\n \"streams\": [\n \"Microsoft-DefenderForSqlAlerts\",\n \"Microsoft-DefenderForSqlLogins\",\n \"Microsoft-DefenderForSqlTelemetry\",\n \"Microsoft-DefenderForSqlScanEvents\",\n \"Microsoft-DefenderForSqlScanResults\"\n ],\n \"destinations\": [\n \"LogAnalyticsDest\"\n ]\n }\n ]\n }\n }\n ]\n }\n }\n },\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"name\": \"[[variables('deployDataCollectionRulesAssociation')]\",\n \"apiVersion\": \"2022-09-01\",\n \"resourceGroup\": \"[[parameters('resourceGroup')]\",\n \"dependsOn\": [\n \"[[variables('deployDataCollectionRules')]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"expressionEvaluationOptions\": {\n \"scope\": \"inner\"\n },\n \"parameters\": {\n \"dcrId\": {\n \"value\": \"[[variables('dcrId')]\"\n },\n \"dcraName\": {\n \"value\": \"[[variables('dcraName')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"dcrId\": {\n \"type\": \"string\"\n },\n \"dcraName\": {\n \"type\": \"string\"\n }\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Compute/virtualMachines/providers/dataCollectionRuleAssociations\",\n \"name\": \"[[parameters('dcraName')]\",\n \"apiVersion\": \"2021-04-01\",\n \"properties\": {\n \"description\": \"Configure association between SQL Virtual Machine and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for this SQL Virtual Machine.\",\n \"dataCollectionRuleId\": \"[[parameters('dcrId')]\"\n }\n }\n ]\n }\n }\n }\n ]\n },\n \"parameters\": {\n \"resourceGroup\": {\n \"value\": \"[[resourceGroup().name]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"vmName\": {\n \"value\": \"[[field('name')]\"\n },\n \"userWorkspaceResourceId\": {\n \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#116": "{\n \"name\": \"Deploy-MDFC-SQL-DefenderSQL\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"displayName\": \"[Deprecated]: Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL\",\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"description\": \"Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce.html\",\n \"metadata\": {\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"workspaceRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace region\",\n \"description\": \"Region of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"location\"\n }\n },\n \"dcrName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Name\",\n \"description\": \"Name of the Data Collection Rule.\"\n }\n },\n \"dcrResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Resource Group\",\n \"description\": \"Resource Group of the Data Collection Rule.\"\n }\n },\n \"dcrId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Id\",\n \"description\": \"Id of the Data Collection Rule.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Compute/virtualMachines\"\n },\n {\n \"field\": \"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\n \"like\": \"Windows*\"\n },\n {\n \"field\": \"Microsoft.Compute/imagePublisher\",\n \"equals\": \"microsoftsqlserver\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Compute/virtualMachines/extensions\",\n \"name\": \"[[concat(field('fullName'), '/MicrosoftDefenderForSQL')]\",\n \"evaluationDelay\": \"AfterProvisioning\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Compute/virtualMachines/extensions/type\",\n \"equals\": \"AdvancedThreatProtection.Windows\"\n },\n {\n \"field\": \"Microsoft.Compute/virtualMachines/extensions/publisher\",\n \"equals\": \"Microsoft.Azure.AzureDefenderForSQL\"\n },\n {\n \"field\": \"Microsoft.Compute/virtualMachines/extensions/provisioningState\",\n \"in\": [\n \"Succeeded\",\n \"Provisioning succeeded\"\n ]\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"location\": {\n \"type\": \"string\"\n },\n \"vmName\": {\n \"type\": \"string\"\n },\n \"workspaceRegion\": {\n \"type\": \"string\"\n },\n \"dcrResourceGroup\": {\n \"type\": \"string\"\n },\n \"dcrName\": {\n \"type\": \"string\"\n },\n \"dcrId\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {\n \"locationLongNameToShortMap\": {\n \"australiacentral\": \"CAU\",\n \"australiaeast\": \"EAU\",\n \"australiasoutheast\": \"SEAU\",\n \"brazilsouth\": \"CQ\",\n \"canadacentral\": \"CCA\",\n \"canadaeast\": \"CCA\",\n \"centralindia\": \"CIN\",\n \"centralus\": \"CUS\",\n \"eastasia\": \"EA\",\n \"eastus2euap\": \"eus2p\",\n \"eastus\": \"EUS\",\n \"eastus2\": \"EUS2\",\n \"francecentral\": \"PAR\",\n \"germanywestcentral\": \"DEWC\",\n \"japaneast\": \"EJP\",\n \"jioindiawest\": \"CIN\",\n \"koreacentral\": \"SE\",\n \"koreasouth\": \"SE\",\n \"northcentralus\": \"NCUS\",\n \"northeurope\": \"NEU\",\n \"norwayeast\": \"NOE\",\n \"southafricanorth\": \"JNB\",\n \"southcentralus\": \"SCUS\",\n \"southeastasia\": \"SEA\",\n \"southindia\": \"CIN\",\n \"swedencentral\": \"SEC\",\n \"switzerlandnorth\": \"CHN\",\n \"switzerlandwest\": \"CHW\",\n \"uaenorth\": \"DXB\",\n \"uksouth\": \"SUK\",\n \"ukwest\": \"WUK\",\n \"westcentralus\": \"WCUS\",\n \"westeurope\": \"WEU\",\n \"westindia\": \"CIN\",\n \"westus\": \"WUS\",\n \"westus2\": \"WUS2\"\n },\n \"actualLocation\": \"[[if(empty(parameters('workspaceRegion')), parameters('location'), parameters('workspaceRegion'))]\",\n \"locationCode\": \"[[if(contains(variables('locationLongNameToShortMap'), variables('actualLocation')), variables('locationLongNameToShortMap')[variables('actualLocation')], variables('actualLocation'))]\",\n \"subscriptionId\": \"[[subscription().subscriptionId]\",\n \"defaultRGName\": \"[[parameters('dcrResourceGroup')]\",\n \"dcrName\": \"[[parameters('dcrName')]\",\n \"dcrId\": \"[[parameters('dcrId')]\",\n \"dcraName\": \"[[concat(parameters('vmName'),'/Microsoft.Insights/MicrosoftDefenderForSQL-RulesAssociation')]\"\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Compute/virtualMachines/extensions\",\n \"name\": \"[[concat(parameters('vmName'), '/', 'MicrosoftDefenderForSQL')]\",\n \"apiVersion\": \"2023-03-01\",\n \"location\": \"[[parameters('location')]\",\n \"tags\": {\n \"createdBy\": \"MicrosoftDefenderForSQL\"\n },\n \"properties\": {\n \"publisher\": \"Microsoft.Azure.AzureDefenderForSQL\",\n \"type\": \"AdvancedThreatProtection.Windows\",\n \"typeHandlerVersion\": \"2.0\",\n \"autoUpgradeMinorVersion\": true,\n \"enableAutomaticUpgrade\": true\n },\n \"dependsOn\": [\n \"[[extensionResourceId(concat('/subscriptions/', variables('subscriptionId'), '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Compute/virtualMachines/', parameters('vmName')), 'Microsoft.Insights/dataCollectionRuleAssociations','MicrosoftDefenderForSQL-RulesAssociation')]\"\n ]\n },\n {\n \"type\": \"Microsoft.Compute/virtualMachines/providers/dataCollectionRuleAssociations\",\n \"name\": \"[[variables('dcraName')]\",\n \"apiVersion\": \"2021-04-01\",\n \"properties\": {\n \"description\": \"Configure association between SQL Virtual Machine and the Microsoft Defender for SQL DCR. Deleting this association will break the detection of security vulnerabilities for this SQL Virtual Machine.\",\n \"dataCollectionRuleId\": \"[[variables('dcrId')]\"\n }\n }\n ]\n },\n \"parameters\": {\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"vmName\": {\n \"value\": \"[[field('name')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#117": "{\n \"name\": \"Deny-APIM-TLS\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"API Management services should use TLS version 1.2\",\n \"description\": \"Azure API Management service should use TLS version 1.2\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"API Management\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.ApiManagement/service\"\n },\n {\n \"anyOf\": [\n {\n \"value\": \"[[indexof(toLower(string(field('Microsoft.ApiManagement/service/customProperties'))), '\\\"microsoft.windowsazure.apimanagement.gateway.security.protocols.tls10\\\":\\\"true\\\"')]\",\n \"greater\": 0\n },\n {\n \"value\": \"[[indexof(toLower(string(field('Microsoft.ApiManagement/service/customProperties'))), '\\\"microsoft.windowsazure.apimanagement.gateway.security.protocols.tls10\\\":true')]\",\n \"greater\": 0\n },\n {\n \"value\": \"[[indexof(toLower(string(field('Microsoft.ApiManagement/service/customProperties'))), '\\\"microsoft.windowsazure.apimanagement.gateway.security.protocols.tls11\\\":\\\"true\\\"')]\",\n \"greater\": 0\n },\n {\n \"value\": \"[[indexof(toLower(string(field('Microsoft.ApiManagement/service/customProperties'))), '\\\"microsoft.windowsazure.apimanagement.gateway.security.protocols.tls11\\\":true')]\",\n \"greater\": 0\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", - "$fxv#118": "{\n \"name\": \"Deny-AppGw-Without-Tls\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Application Gateway should be deployed with predefined Microsoft policy that is using TLS version 1.2\",\n \"description\": \"This policy enables you to restrict that Application Gateways is always deployed with predefined Microsoft policy that is using TLS version 1.2\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"predefinedPolicyName\": {\n \"type\": \"array\",\n \"metadata\": {\n \"displayName\": \"Predefined policy name\",\n \"description\": \"Predefined policy name\"\n },\n \"defaultValue\": [\n \"AppGwSslPolicy20220101\",\n \"AppGwSslPolicy20170401S\",\n \"AppGwSslPolicy20220101S\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/applicationGateways\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Network/applicationGateways/sslPolicy.policyType\",\n \"notEquals\": \"Predefined\"\n },\n {\n \"field\": \"Microsoft.Network/applicationGateways/sslPolicy.policyType\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Network/applicationGateways/sslPolicy.policyName\",\n \"notIn\": \"[[parameters('predefinedPolicyName')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", - "$fxv#119": "{\n \"name\": \"Deny-AppService-without-BYOC\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"App Service certificates must be stored in Key Vault\",\n \"description\": \"App Service (including Logic apps and Function apps) must use certificates stored in Key Vault\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"App Service\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Web/certificates\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Web/certificates/keyVaultId\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Web/certificates/keyVaultSecretName\",\n \"exists\": \"false\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", - "$fxv#12": "{\n \"name\": \"Deny-AppServiceWebApp-http\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Web Application should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"App Service\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Web/sites\"\n },\n {\n \"field\": \"kind\",\n \"like\": \"app*\"\n },\n {\n \"field\": \"Microsoft.Web/sites/httpsOnly\",\n \"equals\": \"false\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#120": "{\n \"name\": \"Deny-AzFw-Without-Policy\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Azure Firewall should have a default Firewall Policy\",\n \"description\": \"This policy denies the creation of Azure Firewall without a default Firewall Policy.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/azureFirewalls\"\n },\n {\n \"field\": \"Microsoft.Network/azureFirewalls/firewallPolicy.id\",\n \"exists\": \"false\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", - "$fxv#121": "{\n \"name\": \"Deny-CognitiveServices-NetworkAcls\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Network ACLs should be restricted for Cognitive Services\",\n \"description\": \"Azure Cognitive Services should not allow adding individual IPs or virtual network rules to the service-level firewall. Enable this to restrict inbound network access and enforce the usage of private endpoints.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cognitive Services\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.CognitiveServices/accounts\"\n },\n {\n \"anyOf\": [\n {\n \"count\": {\n \"field\": \"Microsoft.CognitiveServices/accounts/networkAcls.ipRules[*]\"\n },\n \"greater\": 0\n },\n {\n \"count\": {\n \"field\": \"Microsoft.CognitiveServices/accounts/networkAcls.virtualNetworkRules[*]\"\n },\n \"greater\": 0\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", - "$fxv#122": "{\n \"name\": \"Deny-CognitiveServices-Resource-Kinds\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Only explicit kinds for Cognitive Services should be allowed\",\n \"description\": \"Azure Cognitive Services should only create explicit allowed kinds.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cognitive Services\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"allowedKinds\": {\n \"type\": \"array\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Select the allowed resource kinds to be used with Cognitive Services\"\n },\n \"allowedValues\": [\n \"AnomalyDetector\",\n \"ComputerVision\",\n \"CognitiveServices\",\n \"ContentModerator\",\n \"CustomVision.Training\",\n \"CustomVision.Prediction\",\n \"Face\",\n \"FormRecognizer\",\n \"ImmersiveReader\",\n \"LUIS\",\n \"Personalizer\",\n \"SpeechServices\",\n \"TextAnalytics\",\n \"TextTranslation\",\n \"OpenAI\"\n ],\n \"defaultValue\": [\n \"AnomalyDetector\",\n \"ComputerVision\",\n \"CognitiveServices\",\n \"ContentModerator\",\n \"CustomVision.Training\",\n \"CustomVision.Prediction\",\n \"Face\",\n \"FormRecognizer\",\n \"ImmersiveReader\",\n \"LUIS\",\n \"Personalizer\",\n \"SpeechServices\",\n \"TextAnalytics\",\n \"TextTranslation\",\n \"OpenAI\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.CognitiveServices/accounts\"\n },\n {\n \"field\": \"kind\",\n \"notIn\": \"[[parameters('allowedKinds')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", - "$fxv#123": "{\n \"name\": \"Deny-CognitiveServices-RestrictOutboundNetworkAccess\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Outbound network access should be restricted for Cognitive Services\",\n \"description\": \"Azure Cognitive Services allow restricting outbound network access. Enable this to limit outbound connectivity for the service.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cognitive Services\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.CognitiveServices/accounts\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.CognitiveServices/accounts/restrictOutboundNetworkAccess\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.CognitiveServices/accounts/restrictOutboundNetworkAccess\",\n \"notEquals\": true\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", - "$fxv#124": "{\n \"name\": \"Deny-EH-minTLS\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Event Hub namespaces should use a valid TLS version\",\n \"description\": \"Event Hub namespaces should use a valid TLS version.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Event Hub\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"minTlsVersion\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Minimum TLS Version\",\n \"description\": \"Minimum TLS version to be used by Event Hub\"\n },\n \"defaultValue\": \"1.2\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.EventHub/namespaces\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.EventHub/namespaces/minimumTlsVersion\",\n \"less\": \"[[parameters('minTlsVersion')]\"\n },\n {\n \"field\": \"Microsoft.EventHub/namespaces/minimumTlsVersion\",\n \"exists\": \"false\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", - "$fxv#125": "{\n \"name\": \"Deny-EH-Premium-CMK\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Event Hub namespaces (Premium) should use a customer-managed key for encryption\",\n \"description\": \"Event Hub namespaces (Premium) should use a customer-managed key for encryption.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Event Hub\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.EventHub/namespaces\"\n },\n {\n \"field\": \"Microsoft.EventHub/namespaces/sku.name\",\n \"equals\": \"Premium\"\n },\n {\n \"not\": {\n \"field\": \"Microsoft.EventHub/namespaces/encryption.keySource\",\n \"equals\": \"Microsoft.Keyvault\"\n }\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", - "$fxv#126": "{\n \"name\": \"Deny-LogicApp-Public-Network\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Logic apps should disable public network access\",\n \"description\": \"Disabling public network access improves security by ensuring that the Logic App is not exposed on the public internet. Creating private endpoints can limit exposure of a Logic App. Learn more at: https://aka.ms/app-service-private-endpoint.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Logic Apps\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Web/sites\"\n },\n {\n \"field\": \"kind\",\n \"contains\": \"workflowapp\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Web/sites/publicNetworkAccess\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Web/sites/publicNetworkAccess\",\n \"notEquals\": \"Disabled\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", - "$fxv#127": "{\n \"name\": \"Deny-LogicApps-Without-Https\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Logic app should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Logic Apps\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Web/sites\"\n },\n {\n \"field\": \"kind\",\n \"contains\": \"workflowapp\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Web/sites/httpsOnly\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Web/sites/httpsOnly\",\n \"equals\": \"false\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", - "$fxv#128": "{\n \"name\": \"Deny-Service-Endpoints\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deny or Audit service endpoints on subnets\",\n \"description\": \"This Policy will deny/audit Service Endpoints on subnets. Service Endpoints allows the network traffic to bypass Network appliances, such as the Azure Firewall.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworks/subnets\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/virtualNetworks/subnets/serviceEndpoints[*]\",\n \"where\": {\n \"field\": \"Microsoft.Network/virtualNetworks/subnets/serviceEndpoints[*].service\",\n \"exists\": true\n }\n },\n \"greater\": 0\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", - "$fxv#129": "{\n \"name\": \"Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Storage Accounts should use a container delete retention policy\",\n \"description\": \"Enforce container delete retention policies larger than seven days for storage account. Enable this for increased data loss protection.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"minContainerDeleteRetentionInDays\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"Minimum Container Delete Retention in Days\",\n \"description\": \"Specifies the minimum number of days for the container delete retention policy\"\n },\n \"defaultValue\": 7\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts/blobServices\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/blobServices/containerDeleteRetentionPolicy.enabled\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/blobServices/containerDeleteRetentionPolicy.enabled\",\n \"notEquals\": true\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/blobServices/containerDeleteRetentionPolicy.days\",\n \"less\": \"[[parameters('minContainerDeleteRetentionInDays')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", - "$fxv#13": "{\n \"name\": \"Deny-MySql-http\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"MySQL database servers enforce SSL connections.\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforMySQL/servers\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.DBforMySQL/servers/sslEnforcement\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.DBforMySQL/servers/sslEnforcement\",\n \"notEquals\": \"Enabled\"\n },\n {\n \"field\": \"Microsoft.DBforMySQL/servers/minimalTlsVersion\",\n \"less\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#130": "{\n \"name\": \"Deny-Storage-CopyScope\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Allowed Copy scope should be restricted for Storage Accounts\",\n \"description\": \"Azure Storage accounts should restrict the allowed copy scope. Enforce this for increased data exfiltration protection.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"allowedCopyScope\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Allowed Copy Scope\",\n \"description\": \"Specify the allowed copy scope.\"\n },\n \"allowedValues\": [\n \"AAD\",\n \"PrivateLink\"\n ],\n \"defaultValue\": \"AAD\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/allowedCopyScope\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/allowedCopyScope\",\n \"notEquals\": \"[[parameters('allowedCopyScope')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", - "$fxv#131": "{\n \"name\": \"Deny-Storage-CorsRules\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Storage Accounts should restrict CORS rules\",\n \"description\": \"Deny CORS rules for storage account for increased data exfiltration protection and endpoint protection.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"anyOf\": [\n {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts/blobServices\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Storage/storageAccounts/blobServices/cors.corsRules[*]\"\n },\n \"greater\": 0\n }\n ]\n },\n {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts/fileServices\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Storage/storageAccounts/fileServices/cors.corsRules[*]\"\n },\n \"greater\": 0\n }\n ]\n },\n {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts/tableServices\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Storage/storageAccounts/tableServices/cors.corsRules[*]\"\n },\n \"greater\": 0\n }\n ]\n },\n {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts/queueServices\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Storage/storageAccounts/queueServices/cors.corsRules[*]\"\n },\n \"greater\": 0\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", - "$fxv#132": "{\n \"name\": \"Deny-Storage-LocalUser\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Local users should be restricted for Storage Accounts\",\n \"description\": \"Azure Storage accounts should disable local users for features like SFTP. Enforce this for increased data exfiltration protection.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/isLocalUserEnabled\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/isLocalUserEnabled\",\n \"notEquals\": false\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", - "$fxv#133": "{\n \"name\": \"Deny-Storage-NetworkAclsBypass\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Network ACL bypass option should be restricted for Storage Accounts\",\n \"description\": \"Azure Storage accounts should restrict the bypass option for service-level network ACLs. Enforce this for increased data exfiltration protection.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"allowedBypassOptions\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Allowed Bypass Options\",\n \"description\": \"Specifies which options are allowed to bypass the vnet configuration\"\n },\n \"allowedValues\": [\n \"None\",\n \"Logging\",\n \"Metrics\",\n \"AzureServices\",\n \"Logging, Metrics\",\n \"Logging, AzureServices\",\n \"Metrics, AzureServices\",\n \"Logging, Metrics, AzureServices\",\n \"Logging, Metrics, AzureServices\"\n ],\n \"defaultValue\": [\n \"Logging\",\n \"Metrics\",\n \"AzureServices\",\n \"Logging, Metrics\",\n \"Logging, AzureServices\",\n \"Metrics, AzureServices\",\n \"Logging, Metrics, AzureServices\",\n \"Logging, Metrics, AzureServices\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/networkAcls.bypass\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/networkAcls.bypass\",\n \"notIn\": \"[[parameters('allowedBypassOptions')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", - "$fxv#134": "{\n \"name\": \"Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Virtual network rules should be restricted for Storage Accounts\",\n \"description\": \"Azure Storage accounts should restrict the virtual network service-level network ACLs. Enforce this for increased data exfiltration protection.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Storage/storageAccounts/networkAcls.virtualNetworkRules[*]\"\n },\n \"greater\": 0\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", - "$fxv#135": "{\n \"name\": \"Deny-Storage-ResourceAccessRulesResourceId\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Resource Access Rules resource IDs should be restricted for Storage Accounts\",\n \"description\": \"Azure Storage accounts should restrict the resource access rule for service-level network ACLs to services from a specific Azure subscription. Enforce this for increased data exfiltration protection.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Storage/storageAccounts/networkAcls.resourceAccessRules[*]\"\n },\n \"greater\": 0\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Storage/storageAccounts/networkAcls.resourceAccessRules[*]\",\n \"where\": {\n \"value\": \"[[split(current('Microsoft.Storage/storageAccounts/networkAcls.resourceAccessRules[*].resourceId'), '/')[2]]\",\n \"equals\": \"*\"\n }\n },\n \"greater\": 0\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", - "$fxv#136": "{\n \"name\": \"Deny-Storage-ResourceAccessRulesTenantId\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Resource Access Rules Tenants should be restricted for Storage Accounts\",\n \"description\": \"Azure Storage accounts should restrict the resource access rule for service-level network ACLs to service from the same AAD tenant. Enforce this for increased data exfiltration protection.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Storage/storageAccounts/networkAcls.resourceAccessRules[*]\"\n },\n \"greater\": 0\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/networkAcls.resourceAccessRules[*].tenantId\",\n \"notEquals\": \"[[subscription().tenantId]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", - "$fxv#137": "{\n \"name\": \"Deny-Storage-ServicesEncryption\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Encryption for storage services should be enforced for Storage Accounts\",\n \"description\": \"Azure Storage accounts should enforce encryption for all storage services. Enforce this for increased encryption scope.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts\"\n },\n {\n \"anyOf\": [\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/encryption.services.blob.enabled\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/encryption.services.blob.enabled\",\n \"notEquals\": true\n }\n ]\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/encryption.services.file.enabled\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/encryption.services.file.enabled\",\n \"notEquals\": true\n }\n ]\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/encryption.services.queue.keyType\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/encryption.services.queue.keyType\",\n \"notEquals\": \"Account\"\n }\n ]\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/encryption.services.table.keyType\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/encryption.services.table.keyType\",\n \"notEquals\": \"Account\"\n }\n ]\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", - "$fxv#138": "{\n \"name\": \"Deploy-LogicApp-TLS\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Configure Logic apps to use the latest TLS version\",\n \"description\": \"Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Logic Apps\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Web/sites\"\n },\n {\n \"field\": \"kind\",\n \"contains\": \"workflowapp\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Web/sites/config\",\n \"name\": \"web\",\n \"existenceCondition\": {\n \"field\": \"Microsoft.Web/sites/config/minTlsVersion\",\n \"equals\": \"1.2\"\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"parameters\": {\n \"siteName\": {\n \"value\": \"[[field('name')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"siteName\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Web/sites/config\",\n \"apiVersion\": \"2021-02-01\",\n \"name\": \"[[concat(parameters('siteName'), '/web')]\",\n \"properties\": {\n \"minTlsVersion\": \"1.2\"\n }\n }\n ],\n \"outputs\": {}\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#139": "{\n \"name\": \"Modify-NSG\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Enforce specific configuration of Network Security Groups (NSG)\",\n \"description\": \"This policy enforces the configuration of Network Security Groups (NSG).\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Modify\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"nsgRuleName\": {\n \"type\": \"string\",\n \"defaultValue\": \"DenyAnyInternetOutbound\"\n },\n \"nsgRulePriority\": {\n \"type\": \"integer\",\n \"defaultValue\": 1000\n },\n \"nsgRuleDirection\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"Inbound\",\n \"Outbound\"\n ],\n \"defaultValue\": \"Outbound\"\n },\n \"nsgRuleAccess\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"Allow\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"nsgRuleProtocol\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"nsgRuleSourceAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"nsgRuleSourcePortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"nsgRuleDestinationAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"Internet\"\n },\n \"nsgRuleDestinationPortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"nsgRuleDescription\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny any outbound traffic to the Internet\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/networkSecurityGroups\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*]\"\n },\n \"equals\": 0\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"conflictEffect\": \"audit\",\n \"operations\": [\n {\n \"operation\": \"add\",\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*]\",\n \"value\": {\n \"name\": \"[[parameters('nsgRuleName')]\",\n \"properties\": {\n \"description\": \"[[parameters('nsgRuleDescription')]\",\n \"protocol\": \"[[parameters('nsgRuleProtocol')]\",\n \"sourcePortRange\": \"[[parameters('nsgRuleSourcePortRange')]\",\n \"destinationPortRange\": \"[[parameters('nsgRuleDestinationPortRange')]\",\n \"sourceAddressPrefix\": \"[[parameters('nsgRuleSourceAddressPrefix')]\",\n \"destinationAddressPrefix\": \"[[parameters('nsgRuleDestinationAddressPrefix')]\",\n \"access\": \"[[parameters('nsgRuleAccess')]\",\n \"priority\": \"[[parameters('nsgRulePriority')]\",\n \"direction\": \"[[parameters('nsgRuleDirection')]\"\n }\n }\n }\n ]\n }\n }\n }\n }\n}", - "$fxv#14": "{\n \"name\": \"Deny-PostgreSql-http\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"PostgreSQL database servers enforce SSL connection.\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Select version minimum TLS for PostgreSQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for PostgreSQL server to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforPostgreSQL/servers\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/sslEnforcement\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/sslEnforcement\",\n \"notEquals\": \"Enabled\"\n },\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/minimalTlsVersion\",\n \"notequals\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#140": "{\n \"name\": \"Modify-UDR\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Enforce specific configuration of User-Defined Routes (UDR)\",\n \"description\": \"This policy enforces the configuration of User-Defined Routes (UDR) within a subnet.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Modify\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"addressPrefix\": {\n \"type\": \"string\",\n \"metadata\": {\n \"description\": \"The destination IP address range in CIDR notation that this Policy checks for within the UDR. Example: 0.0.0.0/0 to check for the presence of a default route.\",\n \"displayName\": \"Address Prefix\"\n }\n },\n \"nextHopType\": {\n \"type\": \"string\",\n \"metadata\": {\n \"description\": \"The next hope type that the policy checks for within the inspected route. The value can be Virtual Network, Virtual Network Gateway, Internet, Virtual Appliance, or None.\",\n \"displayName\": \"Next Hop Type\"\n },\n \"allowedValues\": [\n \"VnetLocal\",\n \"VirtualNetworkGateway\",\n \"Internet\",\n \"VirtualAppliance\",\n \"None\"\n ]\n },\n \"nextHopIpAddress\": {\n \"type\": \"string\",\n \"metadata\": {\n \"description\": \"The IP address packets should be forwarded to.\",\n \"displayName\": \"Next Hop IP Address\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/routeTables\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/routeTables/routes[*]\"\n },\n \"equals\": 0\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"conflictEffect\": \"audit\",\n \"operations\": [\n {\n \"operation\": \"add\",\n \"field\": \"Microsoft.Network/routeTables/routes[*]\",\n \"value\": {\n \"name\": \"default\",\n \"properties\": {\n \"addressPrefix\": \"[[parameters('addressPrefix')]\",\n \"nextHopType\": \"[[parameters('nextHopType')]\",\n \"nextHopIpAddress\": \"[[parameters('nextHopIpAddress')]\"\n }\n }\n }\n ]\n }\n }\n }\n }\n}", - "$fxv#141": "{\n \"name\": \"Deploy-Private-DNS-Generic\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy-Private-DNS-Generic\",\n \"description\": \"Configure private DNS zone group to override the DNS resolution for PaaS services private endpoint. See https://aka.ms/pepdnszones for information on values to provide to parameters in this policy.\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Networking\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \t\"AzureChinaCloud\",\n \t\t\"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"privateDnsZoneId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Private DNS Zone ID for PaaS services\",\n \"description\": \"The private DNS zone name required for specific PaaS Services to resolve a private DNS Zone.\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"assignPermissions\": true\n }\n },\n \"resourceType\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"PaaS private endpoint resource type\",\n \"description\": \"The PaaS endpoint resource type.\"\n }\n },\n \"groupId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"PaaS Private endpoint group ID (subresource)\",\n \"description\": \"The group ID of the PaaS private endpoint. Also referred to as subresource.\"\n }\n },\n \"evaluationDelay\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Evaluation Delay\",\n \"description\": \"The delay in evaluation of the policy. Review delay options at https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effect-deploy-if-not-exists\"\n },\n \"defaultValue\": \"PT10M\"\n },\n \"location\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Location (Specify the Private Endpoint location)\",\n \"description\": \"Specify the Private Endpoint location\",\n \"strongType\": \"location\"\n },\n \"defaultValue\": \"northeurope\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"location\",\n \"equals\": \"[[parameters('location')]\"\n },\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/privateEndpoints\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]\",\n \"where\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId\",\n \"contains\": \"[[parameters('resourceType')]\"\n },\n {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"equals\": \"[[parameters('groupId')]\"\n }\n ]\n }\n },\n \"greaterOrEquals\": 1\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"evaluationDelay\": \"[[parameters('evaluationDelay')]\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"string\"\n },\n \"privateEndpointName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n }\n },\n \"resources\": [\n {\n \"name\": \"[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]\",\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"apiVersion\": \"2020-03-01\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"privateDnsZoneConfigs\": [\n {\n \"name\": \"PaaS-Service-Private-DNS-Zone-Config\",\n \"properties\": {\n \"privateDnsZoneId\": \"[[parameters('privateDnsZoneId')]\"\n }\n }\n ]\n }\n }\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('privateDnsZoneId')]\"\n },\n \"privateEndpointName\": {\n \"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#142": "{\n \"name\": \"DenyAction-DeleteResources\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Do not allow deletion of specified resource and resource type\",\n \"description\": \"This policy enables you to specify the resource and resource type that your organization can protect from accidentals deletion by blocking delete calls using the deny action effect.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"General\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Name\",\n \"description\": \"Provide the name of the resource that you want to protect from accidental deletion.\"\n }\n },\n \"resourceType\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Type\",\n \"description\": \"Provide the resource type that you want to protect from accidental deletion.\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DenyAction\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DenyAction\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"[[parameters('resourceType')]\"\n },\n {\n \"field\": \"name\",\n \"like\": \"[[parameters('resourceName')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"actionNames\": [\n \"delete\"\n ]\n }\n }\n }\n }\n}\n", - "$fxv#143": "{\n \"name\": \"Audit-MachineLearning-PrivateEndpointId\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Control private endpoint connections to Azure Machine Learning\",\n \"description\": \"Audit private endpoints that are created in other subscriptions and/or tenants for Azure Machine Learning.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateLinkServiceConnectionState.status\",\n \"equals\": \"Approved\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id\",\n \"exists\": false\n },\n {\n \"value\": \"[[split(concat(field('Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id'), '//'), '/')[2]]\",\n \"notEquals\": \"[[subscription().subscriptionId]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#144": "{\n \"name\": \"Deny-AA-child-resources\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"No child resources in Automation Account\",\n \"description\": \"This policy denies the creation of child resources on the Automation Account\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"in\": [\n \"Microsoft.Automation/automationAccounts/runbooks\",\n \"Microsoft.Automation/automationAccounts/variables\",\n \"Microsoft.Automation/automationAccounts/modules\",\n \"Microsoft.Automation/automationAccounts/credentials\",\n \"Microsoft.Automation/automationAccounts/connections\",\n \"Microsoft.Automation/automationAccounts/certificates\"\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#145": "{\n \"name\": \"Deny-Databricks-NoPublicIp\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny public IPs for Databricks cluster\",\n \"description\": \"Denies the deployment of workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Databricks\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Databricks/workspaces\"\n },\n {\n \"field\": \"Microsoft.DataBricks/workspaces/parameters.enableNoPublicIp.value\",\n \"notEquals\": true\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#146": "{\n \"name\": \"Deny-Databricks-Sku\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny non-premium Databricks sku\",\n \"description\": \"Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for Microsoft Entra ID.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Databricks\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Databricks/workspaces\"\n },\n {\n \"field\": \"Microsoft.DataBricks/workspaces/sku.name\",\n \"notEquals\": \"premium\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", - "$fxv#147": "{\n \"name\": \"Deny-Databricks-VirtualNetwork\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny Databricks workspaces without Vnet injection\",\n \"description\": \"Enforces the use of vnet injection for Databricks workspaces.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Databricks\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Databricks/workspaces\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.DataBricks/workspaces/parameters.customVirtualNetworkId.value\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.DataBricks/workspaces/parameters.customPublicSubnetName.value\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.DataBricks/workspaces/parameters.customPrivateSubnetName.value\",\n \"exists\": false\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#148": "{\n \"name\": \"Deny-MachineLearning-Aks\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny AKS cluster creation in Azure Machine Learning\",\n \"description\": \"Deny AKS cluster creation in Azure Machine Learning and enforce connecting to existing clusters.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"equals\": \"AKS\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/resourceId\",\n \"exists\": false\n },\n {\n \"value\": \"[[empty(field('Microsoft.MachineLearningServices/workspaces/computes/resourceId'))]\",\n \"equals\": true\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#149": "{\n \"name\": \"Deny-MachineLearning-Compute-SubnetId\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances\",\n \"description\": \"Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"in\": [\n \"AmlCompute\",\n \"ComputeInstance\"\n ]\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/subnet.id\",\n \"exists\": false\n },\n {\n \"value\": \"[[empty(field('Microsoft.MachineLearningServices/workspaces/computes/subnet.id'))]\",\n \"equals\": true\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#15": "{\n \"name\": \"Deny-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny the creation of private DNS\",\n \"description\": \"This policy denies the creation of a private DNS in the current scope, used in combination with policies that create centralized private DNS in connectivity subscription\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/privateDnsZones\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#150": "{\n \"name\": \"Deny-MachineLearning-Compute-VmSize\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances\",\n \"description\": \"Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Budget\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"allowedVmSizes\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Allowed VM Sizes for Aml Compute Clusters and Instances\",\n \"description\": \"Specifies the allowed VM Sizes for Aml Compute Clusters and Instances\"\n },\n \"defaultValue\": [\n \"Standard_D1_v2\",\n \"Standard_D2_v2\",\n \"Standard_D3_v2\",\n \"Standard_D4_v2\",\n \"Standard_D11_v2\",\n \"Standard_D12_v2\",\n \"Standard_D13_v2\",\n \"Standard_D14_v2\",\n \"Standard_DS1_v2\",\n \"Standard_DS2_v2\",\n \"Standard_DS3_v2\",\n \"Standard_DS4_v2\",\n \"Standard_DS5_v2\",\n \"Standard_DS11_v2\",\n \"Standard_DS12_v2\",\n \"Standard_DS13_v2\",\n \"Standard_DS14_v2\",\n \"Standard_M8-2ms\",\n \"Standard_M8-4ms\",\n \"Standard_M8ms\",\n \"Standard_M16-4ms\",\n \"Standard_M16-8ms\",\n \"Standard_M16ms\",\n \"Standard_M32-8ms\",\n \"Standard_M32-16ms\",\n \"Standard_M32ls\",\n \"Standard_M32ms\",\n \"Standard_M32ts\",\n \"Standard_M64-16ms\",\n \"Standard_M64-32ms\",\n \"Standard_M64ls\",\n \"Standard_M64ms\",\n \"Standard_M64s\",\n \"Standard_M128-32ms\",\n \"Standard_M128-64ms\",\n \"Standard_M128ms\",\n \"Standard_M128s\",\n \"Standard_M64\",\n \"Standard_M64m\",\n \"Standard_M128\",\n \"Standard_M128m\",\n \"Standard_D1\",\n \"Standard_D2\",\n \"Standard_D3\",\n \"Standard_D4\",\n \"Standard_D11\",\n \"Standard_D12\",\n \"Standard_D13\",\n \"Standard_D14\",\n \"Standard_DS15_v2\",\n \"Standard_NV6\",\n \"Standard_NV12\",\n \"Standard_NV24\",\n \"Standard_F2s_v2\",\n \"Standard_F4s_v2\",\n \"Standard_F8s_v2\",\n \"Standard_F16s_v2\",\n \"Standard_F32s_v2\",\n \"Standard_F64s_v2\",\n \"Standard_F72s_v2\",\n \"Standard_NC6s_v3\",\n \"Standard_NC12s_v3\",\n \"Standard_NC24rs_v3\",\n \"Standard_NC24s_v3\",\n \"Standard_NC6\",\n \"Standard_NC12\",\n \"Standard_NC24\",\n \"Standard_NC24r\",\n \"Standard_ND6s\",\n \"Standard_ND12s\",\n \"Standard_ND24rs\",\n \"Standard_ND24s\",\n \"Standard_NC6s_v2\",\n \"Standard_NC12s_v2\",\n \"Standard_NC24rs_v2\",\n \"Standard_NC24s_v2\",\n \"Standard_ND40rs_v2\",\n \"Standard_NV12s_v3\",\n \"Standard_NV24s_v3\",\n \"Standard_NV48s_v3\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"in\": [\n \"AmlCompute\",\n \"ComputeInstance\"\n ]\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/vmSize\",\n \"notIn\": \"[[parameters('allowedVmSizes')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#151": "{\n \"name\": \"Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deny public access of Azure Machine Learning clusters via SSH\",\n \"description\": \"Deny public access of Azure Machine Learning clusters via SSH.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"equals\": \"AmlCompute\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess\",\n \"notEquals\": \"Disabled\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#152": "{\n \"name\": \"Deny-MachineLearning-ComputeCluster-Scale\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Enforce scale settings for Azure Machine Learning compute clusters\",\n \"description\": \"Enforce scale settings for Azure Machine Learning compute clusters.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Budget\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"maxNodeCount\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"Maximum Node Count\",\n \"description\": \"Specifies the maximum node count of AML Clusters\"\n },\n \"defaultValue\": 10\n },\n \"minNodeCount\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"Minimum Node Count\",\n \"description\": \"Specifies the minimum node count of AML Clusters\"\n },\n \"defaultValue\": 0\n },\n \"maxNodeIdleTimeInSecondsBeforeScaleDown\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"Maximum Node Idle Time in Seconds Before Scaledown\",\n \"description\": \"Specifies the maximum node idle time in seconds before scaledown\"\n },\n \"defaultValue\": 900\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"equals\": \"AmlCompute\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.maxNodeCount\",\n \"greater\": \"[[parameters('maxNodeCount')]\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.minNodeCount\",\n \"greater\": \"[[parameters('minNodeCount')]\"\n },\n {\n \"value\": \"[[int(last(split(replace(replace(replace(replace(replace(replace(replace(field('Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.nodeIdleTimeBeforeScaleDown'), 'P', '/'), 'Y', '/'), 'M', '/'), 'D', '/'), 'T', '/'), 'H', '/'), 'S', ''), '/')))]\",\n \"greater\": \"[[parameters('maxNodeIdleTimeInSecondsBeforeScaleDown')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#153": "{\n \"name\": \"Deny-MachineLearning-HbiWorkspace\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Enforces high business impact Azure Machine Learning Workspaces\",\n \"description\": \"Enforces high business impact Azure Machine Learning workspaces.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/hbiWorkspace\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/hbiWorkspace\",\n \"notEquals\": true\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#154": "{\n \"name\": \"Deny-MachineLearning-PublicAccessWhenBehindVnet\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny public access behind vnet to Azure Machine Learning workspace\",\n \"description\": \"Deny public access behind vnet to Azure Machine Learning workspaces.\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet\",\n \"notEquals\": false\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#155": "{\n \"name\": \"Deny-MachineLearning-PublicNetworkAccess\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated] Azure Machine Learning should have disabled public network access\",\n \"description\": \"Denies public network access for Azure Machine Learning workspaces. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/438c38d2-3772-465a-a9cc-7a6666a275ce.html\",\n \"metadata\": {\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"438c38d2-3772-465a-a9cc-7a6666a275ce\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/publicNetworkAccess\",\n \"notEquals\": \"Disabled\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#156": "{\n \"name\": \"Deploy-Budget\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n \"description\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Budget\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"budgetName\": {\n \"type\": \"String\",\n \"defaultValue\": \"budget-set-by-policy\",\n \"metadata\": {\n \"description\": \"The name for the budget to be created\"\n }\n },\n \"amount\": {\n \"type\": \"String\",\n \"defaultValue\": \"1000\",\n \"metadata\": {\n \"description\": \"The total amount of cost or usage to track with the budget\"\n }\n },\n \"timeGrain\": {\n \"type\": \"String\",\n \"defaultValue\": \"Monthly\",\n \"allowedValues\": [\n \"Monthly\",\n \"Quarterly\",\n \"Annually\",\n \"BillingMonth\",\n \"BillingQuarter\",\n \"BillingAnnual\"\n ],\n \"metadata\": {\n \"description\": \"The time covered by a budget. Tracking of the amount will be reset based on the time grain.\"\n }\n },\n \"firstThreshold\": {\n \"type\": \"String\",\n \"defaultValue\": \"90\",\n \"metadata\": {\n \"description\": \"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n }\n },\n \"secondThreshold\": {\n \"type\": \"String\",\n \"defaultValue\": \"100\",\n \"metadata\": {\n \"description\": \"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n }\n },\n \"contactRoles\": {\n \"type\": \"Array\",\n \"defaultValue\": [\n \"Owner\",\n \"Contributor\"\n ],\n \"metadata\": {\n \"description\": \"The list of contact RBAC roles, in an array, to send the budget notification to when the threshold is exceeded.\"\n }\n },\n \"contactEmails\": {\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"description\": \"The list of email addresses, in an array, to send the budget notification to when the threshold is exceeded.\"\n }\n },\n \"contactGroups\": {\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"description\": \"The list of action groups, in an array, to send the budget notification to when the threshold is exceeded. It accepts array of strings.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Resources/subscriptions\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Consumption/budgets\",\n \"deploymentScope\": \"subscription\",\n \"existenceScope\": \"subscription\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Consumption/budgets/amount\",\n \"equals\": \"[[parameters('amount')]\"\n },\n {\n \"field\": \"Microsoft.Consumption/budgets/timeGrain\",\n \"equals\": \"[[parameters('timeGrain')]\"\n },\n {\n \"field\": \"Microsoft.Consumption/budgets/category\",\n \"equals\": \"Cost\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n ],\n \"deployment\": {\n \"location\": \"northeurope\",\n \"properties\": {\n \"mode\": \"Incremental\",\n \"parameters\": {\n \"budgetName\": {\n \"value\": \"[[parameters('budgetName')]\"\n },\n \"amount\": {\n \"value\": \"[[parameters('amount')]\"\n },\n \"timeGrain\": {\n \"value\": \"[[parameters('timeGrain')]\"\n },\n \"firstThreshold\": {\n \"value\": \"[[parameters('firstThreshold')]\"\n },\n \"secondThreshold\": {\n \"value\": \"[[parameters('secondThreshold')]\"\n },\n \"contactEmails\": {\n \"value\": \"[[parameters('contactEmails')]\"\n },\n \"contactRoles\": {\n \"value\": \"[[parameters('contactRoles')]\"\n },\n \"contactGroups\": {\n \"value\": \"[[parameters('contactGroups')]\"\n }\n },\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"budgetName\": {\n \"type\": \"String\"\n },\n \"amount\": {\n \"type\": \"String\"\n },\n \"timeGrain\": {\n \"type\": \"String\"\n },\n \"firstThreshold\": {\n \"type\": \"String\"\n },\n \"secondThreshold\": {\n \"type\": \"String\"\n },\n \"contactEmails\": {\n \"type\": \"Array\"\n },\n \"contactRoles\": {\n \"type\": \"Array\"\n },\n \"contactGroups\": {\n \"type\": \"Array\"\n },\n \"startDate\": {\n \"type\": \"String\",\n \"defaultValue\": \"[[concat(utcNow('MM'), '/01/', utcNow('yyyy'))]\"\n }\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Consumption/budgets\",\n \"apiVersion\": \"2019-10-01\",\n \"name\": \"[[parameters('budgetName')]\",\n \"properties\": {\n \"timePeriod\": {\n \"startDate\": \"[[parameters('startDate')]\"\n },\n \"timeGrain\": \"[[parameters('timeGrain')]\",\n \"amount\": \"[[parameters('amount')]\",\n \"category\": \"Cost\",\n \"notifications\": {\n \"NotificationForExceededBudget1\": {\n \"enabled\": true,\n \"operator\": \"GreaterThan\",\n \"threshold\": \"[[parameters('firstThreshold')]\",\n \"contactEmails\": \"[[parameters('contactEmails')]\",\n \"contactRoles\": \"[[parameters('contactRoles')]\",\n \"contactGroups\": \"[[parameters('contactGroups')]\"\n },\n \"NotificationForExceededBudget2\": {\n \"enabled\": true,\n \"operator\": \"GreaterThan\",\n \"threshold\": \"[[parameters('secondThreshold')]\",\n \"contactEmails\": \"[[parameters('contactEmails')]\",\n \"contactRoles\": \"[[parameters('contactRoles')]\",\n \"contactGroups\": \"[[parameters('contactGroups')]\"\n }\n }\n }\n }\n ]\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#157": "{\n \"name\": \"Deploy-Diagnostics-AVDScalingPlans\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any Scaling Plan which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DesktopVirtualization/scalingplans\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.DesktopVirtualization/scalingplans/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"logs\": [\n {\n \"category\": \"Autoscale\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#158": "{\n \"name\": \"Deny-AFSPaasPublicIP\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Public network access should be disabled for Azure File Sync\",\n \"description\": \"Disabling the public endpoint allows you to restrict access to your Storage Sync Service resource to requests destined to approved private endpoints on your organization's network. There is nothing inherently insecure about allowing requests to the public endpoint, however, you may wish to disable it to meet regulatory, legal, or organizational policy requirements. You can disable the public endpoint for a Storage Sync Service by setting the incomingTrafficPolicy of the resource to AllowVirtualNetworksOnly.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.StorageSync/storageSyncServices\"\n },\n {\n \"field\": \"Microsoft.StorageSync/storageSyncServices/incomingTrafficPolicy\",\n \"notEquals\": \"AllowVirtualNetworksOnly\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#159": "{\n \"name\": \"Deny-KeyVaultPaasPublicIP\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Preview: Azure Key Vault should disable public network access\",\n \"description\": \"Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/akvprivatelink.\",\n \"metadata\": {\n \"version\": \"2.0.0-preview\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"preview\": true,\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.KeyVault/vaults\"\n },\n {\n \"not\": {\n \"field\": \"Microsoft.KeyVault/vaults/createMode\",\n \"equals\": \"recover\"\n }\n },\n {\n \"field\": \"Microsoft.KeyVault/vaults/networkAcls.defaultAction\",\n \"notEquals\": \"Deny\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#16": "{\n \"name\": \"Deny-PublicEndpoint-MariaDB\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated] Public network access should be disabled for MariaDB\",\n \"description\": \"This policy denies the creation of Maria DB accounts with exposed public endpoints. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/fdccbe47-f3e3-4213-ad5d-ea459b2fa077.html\",\n \"metadata\": {\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforMariaDB/servers\"\n },\n {\n \"field\": \"Microsoft.DBforMariaDB/servers/publicNetworkAccess\",\n \"notequals\": \"Disabled\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#160": "{\n \"name\": \"Deploy-ActivityLogs-to-LA-workspace\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Configure Azure Activity logs to stream to specified Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Activity to stream subscriptions audit logs to a Log Analytics workspace to monitor subscription-level events\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\",\n \"assignPermissions\": true\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n },\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"defaultValue\": \"True\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Resources/subscriptions\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"deploymentScope\": \"subscription\",\n \"existenceScope\": \"subscription\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"deployment\": {\n \"location\": \"chinaeast2\",\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"string\"\n },\n \"logsEnabled\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"name\": \"subscriptionToLa\",\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"location\": \"Global\",\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"logs\": [\n {\n \"category\": \"Administrative\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Security\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"ServiceHealth\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Alert\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Recommendation\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Policy\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Autoscale\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"ResourceHealth\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ]\n }\n }\n }\n }\n}\n", - "$fxv#161": "{\n \"name\": \"Deploy-Default-Udr\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy a user-defined route to a VNET with specific routes.\",\n \"description\": \"Deploy a user-defined route to a VNET with routes from spoke to hub firewall. This policy must be assigned for each region you plan to use.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"defaultRoute\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Default route to add into UDR\",\n \"description\": \"Policy will deploy a default route table to a vnet\"\n }\n },\n \"vnetRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"VNet Region\",\n \"description\": \"Regional VNet hub location\",\n \"strongType\": \"location\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworks\"\n },\n {\n \"field\": \"location\",\n \"equals\": \"[[parameters('vnetRegion')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/routeTables\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/routeTables/routes[*].nextHopIpAddress\",\n \"equals\": \"[[parameters('defaultRoute')]\"\n }\n ]\n },\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"parameters\": {\n \"udrName\": {\n \"value\": \"[[concat(field('name'),'-udr')]\"\n },\n \"udrLocation\": {\n \"value\": \"[[field('location')]\"\n },\n \"defaultRoute\": {\n \"value\": \"[[parameters('defaultRoute')]\"\n }\n },\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"udrName\": {\n \"type\": \"string\"\n },\n \"udrLocation\": {\n \"type\": \"string\"\n },\n \"defaultRoute\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/routeTables\",\n \"name\": \"[[parameters('udrName')]\",\n \"apiVersion\": \"2020-08-01\",\n \"location\": \"[[parameters('udrLocation')]\",\n \"properties\": {\n \"routes\": [\n {\n \"name\": \"AzureFirewallRoute\",\n \"properties\": {\n \"addressPrefix\": \"0.0.0.0/0\",\n \"nextHopType\": \"VirtualAppliance\",\n \"nextHopIpAddress\": \"[[parameters('defaultRoute')]\"\n }\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#162": "{\n \"name\": \"Deploy-MySQLCMKEffect\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"MySQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\",\n \"metadata\": {\n \"version\": \"1.0.4\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"AuditIfNotExists\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforMySQL/servers\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.DBforMySQL/servers/keys\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.DBforMySQL/servers/keys/serverKeyType\",\n \"equals\": \"AzureKeyVault\"\n },\n {\n \"field\": \"Microsoft.DBforMySQL/servers/keys/uri\",\n \"notEquals\": \"\"\n },\n {\n \"field\": \"Microsoft.DBforMySQL/servers/keys/uri\",\n \"exists\": \"true\"\n }\n ]\n }\n }\n }\n }\n }\n}\n", - "$fxv#163": "{\n \"name\": \"Deploy-PostgreSQLCMKEffect\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"PostgreSQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\",\n \"metadata\": {\n \"version\": \"1.0.4\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"AuditIfNotExists\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforPostgreSQL/servers\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.DBforPostgreSQL/servers/keys\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/keys/serverKeyType\",\n \"equals\": \"AzureKeyVault\"\n },\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/keys/uri\",\n \"notEquals\": \"\"\n },\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/keys/uri\",\n \"exists\": \"true\"\n }\n ]\n }\n }\n }\n }\n }\n}\n", - "$fxv#164": "{\n \"name\": \"Deploy-Private-DNS-Azure-File-Sync\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Configure Azure File Sync to use private DNS zones\",\n \"description\": \"To access the private endpoint(s) for Storage Sync Service resource interfaces from a registered server, you need to configure your DNS to resolve the correct names to your private endpoint's private IP addresses. This policy creates the requisite Azure Private DNS Zone and A records for the interfaces of your Storage Sync Service private endpoint(s).\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"privateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/privateEndpoints\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"where\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"equals\": \"afs\"\n }\n },\n \"greaterOrEquals\": 1\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f\",\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"string\"\n },\n \"privateEndpointName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n }\n },\n \"resources\": [\n {\n \"name\": \"[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]\",\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"apiVersion\": \"2020-03-01\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"privateDnsZoneConfigs\": [\n {\n \"name\": \"privatelink-afs\",\n \"properties\": {\n \"privateDnsZoneId\": \"[[parameters('privateDnsZoneId')]\"\n }\n }\n ]\n }\n }\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('privateDnsZoneId')]\"\n },\n \"privateEndpointName\": {\n \"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#165": "{\n \"name\": \"Deploy-Private-DNS-Azure-KeyVault\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Preview: Configure Azure Key Vaults to use private DNS zones\",\n \"description\": \"Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to key vault. Learn more at: https://aka.ms/akvprivatelink.\",\n \"metadata\": {\n \"version\": \"1.0.0-preview\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"preview\": true,\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Private DNS Zone ID\",\n \"description\": \"A private DNS zone ID to connect to the private endpoint.\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"assignPermissions\": true\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/privateEndpoints\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"where\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"equals\": \"vault\"\n }\n },\n \"greaterOrEquals\": 1\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"string\"\n },\n \"privateEndpointName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n }\n },\n \"resources\": [\n {\n \"name\": \"[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]\",\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"apiVersion\": \"2020-03-01\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"privateDnsZoneConfigs\": [\n {\n \"name\": \"keyvault-privateDnsZone\",\n \"properties\": {\n \"privateDnsZoneId\": \"[[parameters('privateDnsZoneId')]\"\n }\n }\n ]\n }\n }\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('privateDnsZoneId')]\"\n },\n \"privateEndpointName\": {\n \"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#166": "{\n \"name\": \"Deploy-Private-DNS-Azure-Web\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Configure Azure Web PubSub Service to use private DNS zones\",\n \"description\": \"Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Web PubSub service. Learn more at: https://aka.ms/awps/privatelink.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Web PubSub\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Private DNS Zone Id\",\n \"description\": \"Private DNS zone to integrate with private endpoint.\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/privateEndpoints\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"where\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"equals\": \"webpubsub\"\n }\n },\n \"greaterOrEquals\": 1\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"string\"\n },\n \"privateEndpointName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n }\n },\n \"resources\": [\n {\n \"name\": \"[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]\",\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"apiVersion\": \"2020-03-01\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"privateDnsZoneConfigs\": [\n {\n \"name\": \"privatelink-webpubsub-azure-com\",\n \"properties\": {\n \"privateDnsZoneId\": \"[[parameters('privateDnsZoneId')]\"\n }\n }\n ]\n }\n }\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('privateDnsZoneId')]\"\n },\n \"privateEndpointName\": {\n \"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#167": "{\n \"name\": \"Deny-AA-child-resources\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"No child resources in Automation Account\",\n \"description\": \"This policy denies the creation of child resources on the Automation Account\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"in\": [\n \"Microsoft.Automation/automationAccounts/runbooks\",\n \"Microsoft.Automation/automationAccounts/variables\",\n \"Microsoft.Automation/automationAccounts/modules\",\n \"Microsoft.Automation/automationAccounts/credentials\",\n \"Microsoft.Automation/automationAccounts/connections\",\n \"Microsoft.Automation/automationAccounts/certificates\"\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#168": "{\n \"name\": \"Deploy-Budget\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n \"description\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Budget\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"budgetName\": {\n \"type\": \"String\",\n \"defaultValue\": \"budget-set-by-policy\",\n \"metadata\": {\n \"description\": \"The name for the budget to be created\"\n }\n },\n \"amount\": {\n \"type\": \"String\",\n \"defaultValue\": \"1000\",\n \"metadata\": {\n \"description\": \"The total amount of cost or usage to track with the budget\"\n }\n },\n \"timeGrain\": {\n \"type\": \"String\",\n \"defaultValue\": \"Monthly\",\n \"allowedValues\": [\n \"Monthly\",\n \"Quarterly\",\n \"Annually\",\n \"BillingMonth\",\n \"BillingQuarter\",\n \"BillingAnnual\"\n ],\n \"metadata\": {\n \"description\": \"The time covered by a budget. Tracking of the amount will be reset based on the time grain.\"\n }\n },\n \"firstThreshold\": {\n \"type\": \"String\",\n \"defaultValue\": \"90\",\n \"metadata\": {\n \"description\": \"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n }\n },\n \"secondThreshold\": {\n \"type\": \"String\",\n \"defaultValue\": \"100\",\n \"metadata\": {\n \"description\": \"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n }\n },\n \"contactRoles\": {\n \"type\": \"Array\",\n \"defaultValue\": [\n \"Owner\",\n \"Contributor\"\n ],\n \"metadata\": {\n \"description\": \"The list of contact RBAC roles, in an array, to send the budget notification to when the threshold is exceeded.\"\n }\n },\n \"contactEmails\": {\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"description\": \"The list of email addresses, in an array, to send the budget notification to when the threshold is exceeded.\"\n }\n },\n \"contactGroups\": {\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"description\": \"The list of action groups, in an array, to send the budget notification to when the threshold is exceeded. It accepts array of strings.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Resources/subscriptions\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Consumption/budgets\",\n \"deploymentScope\": \"subscription\",\n \"existenceScope\": \"subscription\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Consumption/budgets/amount\",\n \"equals\": \"[[parameters('amount')]\"\n },\n {\n \"field\": \"Microsoft.Consumption/budgets/timeGrain\",\n \"equals\": \"[[parameters('timeGrain')]\"\n },\n {\n \"field\": \"Microsoft.Consumption/budgets/category\",\n \"equals\": \"Cost\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n ],\n \"deployment\": {\n \"location\": \"northeurope\",\n \"properties\": {\n \"mode\": \"Incremental\",\n \"parameters\": {\n \"budgetName\": {\n \"value\": \"[[parameters('budgetName')]\"\n },\n \"amount\": {\n \"value\": \"[[parameters('amount')]\"\n },\n \"timeGrain\": {\n \"value\": \"[[parameters('timeGrain')]\"\n },\n \"firstThreshold\": {\n \"value\": \"[[parameters('firstThreshold')]\"\n },\n \"secondThreshold\": {\n \"value\": \"[[parameters('secondThreshold')]\"\n },\n \"contactEmails\": {\n \"value\": \"[[parameters('contactEmails')]\"\n },\n \"contactRoles\": {\n \"value\": \"[[parameters('contactRoles')]\"\n },\n \"contactGroups\": {\n \"value\": \"[[parameters('contactGroups')]\"\n }\n },\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"budgetName\": {\n \"type\": \"String\"\n },\n \"amount\": {\n \"type\": \"String\"\n },\n \"timeGrain\": {\n \"type\": \"String\"\n },\n \"firstThreshold\": {\n \"type\": \"String\"\n },\n \"secondThreshold\": {\n \"type\": \"String\"\n },\n \"contactEmails\": {\n \"type\": \"Array\"\n },\n \"contactRoles\": {\n \"type\": \"Array\"\n },\n \"contactGroups\": {\n \"type\": \"Array\"\n },\n \"startDate\": {\n \"type\": \"String\",\n \"defaultValue\": \"[[concat(utcNow('MM'), '/01/', utcNow('yyyy'))]\"\n }\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Consumption/budgets\",\n \"apiVersion\": \"2019-10-01\",\n \"name\": \"[[parameters('budgetName')]\",\n \"properties\": {\n \"timePeriod\": {\n \"startDate\": \"[[parameters('startDate')]\"\n },\n \"timeGrain\": \"[[parameters('timeGrain')]\",\n \"amount\": \"[[parameters('amount')]\",\n \"category\": \"Cost\",\n \"notifications\": {\n \"NotificationForExceededBudget1\": {\n \"enabled\": true,\n \"operator\": \"GreaterThan\",\n \"threshold\": \"[[parameters('firstThreshold')]\",\n \"contactEmails\": \"[[parameters('contactEmails')]\",\n \"contactRoles\": \"[[parameters('contactRoles')]\",\n \"contactGroups\": \"[[parameters('contactGroups')]\"\n },\n \"NotificationForExceededBudget2\": {\n \"enabled\": true,\n \"operator\": \"GreaterThan\",\n \"threshold\": \"[[parameters('secondThreshold')]\",\n \"contactEmails\": \"[[parameters('contactEmails')]\",\n \"contactRoles\": \"[[parameters('contactRoles')]\",\n \"contactGroups\": \"[[parameters('contactGroups')]\"\n }\n }\n }\n }\n ]\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#169": "{\n \"name\": \"Deploy-Default-Udr\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy a user-defined route to a VNET with specific routes.\",\n \"description\": \"Deploy a user-defined route to a VNET with routes from spoke to hub firewall. This policy must be assigned for each region you plan to use.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"defaultRoute\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Default route to add into UDR\",\n \"description\": \"Policy will deploy a default route table to a vnet\"\n }\n },\n \"vnetRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"VNet Region\",\n \"description\": \"Regional VNet hub location\",\n \"strongType\": \"location\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworks\"\n },\n {\n \"field\": \"location\",\n \"equals\": \"[[parameters('vnetRegion')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/routeTables\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/routeTables/routes[*].nextHopIpAddress\",\n \"equals\": \"[[parameters('defaultRoute')]\"\n }\n ]\n },\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"parameters\": {\n \"udrName\": {\n \"value\": \"[[concat(field('name'),'-udr')]\"\n },\n \"udrLocation\": {\n \"value\": \"[[field('location')]\"\n },\n \"defaultRoute\": {\n \"value\": \"[[parameters('defaultRoute')]\"\n }\n },\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"udrName\": {\n \"type\": \"string\"\n },\n \"udrLocation\": {\n \"type\": \"string\"\n },\n \"defaultRoute\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/routeTables\",\n \"name\": \"[[parameters('udrName')]\",\n \"apiVersion\": \"2020-08-01\",\n \"location\": \"[[parameters('udrLocation')]\",\n \"properties\": {\n \"routes\": [\n {\n \"name\": \"AzureFirewallRoute\",\n \"properties\": {\n \"addressPrefix\": \"0.0.0.0/0\",\n \"nextHopType\": \"VirtualAppliance\",\n \"nextHopIpAddress\": \"[[parameters('defaultRoute')]\"\n }\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#17": "{\n \"name\": \"Deny-PublicIP\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated] Deny the creation of public IP\",\n \"description\": \"[Deprecated] This policy denies creation of Public IPs under the assigned scope. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/6c112d4e-5bc7-47ae-a041-ea2d9dccd749.html using appropriate assignment parameters.\",\n \"metadata\": {\n \"deprecated\": true,\n \"supersededBy\": \"6c112d4e-5bc7-47ae-a041-ea2d9dccd749\",\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/publicIPAddresses\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", - "$fxv#18": "{\n \"name\": \"Deny-RDP-From-Internet\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"[Deprecated] RDP access from the Internet should be blocked\",\n \"description\": \"This policy denies any network security rule that allows RDP access from Internet. This policy is superseded by https://www.azadvertizer.net/azpolicyadvertizer/Deny-MgmtPorts-From-Internet.html\",\n \"metadata\": {\n \"deprecated\": true,\n \"supersededBy\": \"Deny-MgmtPorts-From-Internet\",\n \"version\": \"1.0.1-deprecated\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/networkSecurityGroups/securityRules\"\n },\n {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/access\",\n \"equals\": \"Allow\"\n },\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/direction\",\n \"equals\": \"Inbound\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange\",\n \"equals\": \"*\"\n },\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange\",\n \"equals\": \"3389\"\n },\n {\n \"value\": \"[[if(and(not(empty(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'))), contains(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'),'-')), and(lessOrEquals(int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),3389),greaterOrEquals(int(last(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),3389)), 'false')]\",\n \"equals\": \"true\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\n \"where\": {\n \"value\": \"[[if(and(not(empty(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')))), contains(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')),'-')), and(lessOrEquals(int(first(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),3389),greaterOrEquals(int(last(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),3389)) , 'false')]\",\n \"equals\": \"true\"\n }\n },\n \"greater\": 0\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\n \"notEquals\": \"*\"\n }\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\n \"notEquals\": \"3389\"\n }\n }\n ]\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix\",\n \"equals\": \"*\"\n },\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix\",\n \"equals\": \"Internet\"\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]\",\n \"notEquals\": \"*\"\n }\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]\",\n \"notEquals\": \"Internet\"\n }\n }\n ]\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#19": "{\n \"name\": \"Deny-MgmtPorts-From-Internet\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Management port access from the Internet should be blocked\",\n \"description\": \"This policy denies any network security rule that allows management port access from the Internet, by default blocking SSH/RDP ports.\",\n \"metadata\": {\n \"version\": \"2.1.1\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Deny-RDP-From-Internet\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ports\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Ports\",\n \"description\": \"Ports to be blocked\"\n },\n \"defaultValue\": [\n \"22\",\n \"3389\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"anyOf\": [\n {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/networkSecurityGroups/securityRules\"\n },\n {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/access\",\n \"equals\": \"Allow\"\n },\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/direction\",\n \"equals\": \"Inbound\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange\",\n \"equals\": \"*\"\n },\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange\",\n \"in\": \"[[parameters('ports')]\"\n },\n {\n \"count\": {\n \"value\": \"[[parameters('ports')]\",\n \"where\": {\n \"value\": \"[[if(and(not(empty(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'))), contains(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'),'-')), and(lessOrEquals(int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),int(current())),greaterOrEquals(int(last(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),int(current()))), 'false')]\",\n \"equals\": \"true\"\n }\n },\n \"greater\": 0\n },\n {\n \"count\": {\n \"value\": \"[[parameters('ports')]\",\n \"name\": \"ports\",\n \"where\": {\n \"count\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\n \"where\": {\n \"value\": \"[[if(and(not(empty(current('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'))), contains(current('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'),'-')), and(lessOrEquals(int(first(split(current('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'), '-'))),int(current('ports'))),greaterOrEquals(int(last(split(current('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'), '-'))),int(current('ports')))) , 'false')]\",\n \"equals\": \"true\"\n }\n },\n \"greater\": 0\n }\n },\n \"greater\": 0\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\n \"notEquals\": \"*\"\n }\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\n \"notIn\": \"[[parameters('ports')]\"\n }\n }\n ]\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix\",\n \"equals\": \"*\"\n },\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix\",\n \"equals\": \"Internet\"\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]\",\n \"notEquals\": \"*\"\n }\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]\",\n \"notEquals\": \"Internet\"\n }\n }\n ]\n }\n ]\n }\n ]\n },\n {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/networkSecurityGroups\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*]\",\n \"where\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].access\",\n \"equals\": \"Allow\"\n },\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].direction\",\n \"equals\": \"Inbound\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange\",\n \"equals\": \"*\"\n },\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange\",\n \"in\": \"[[parameters('ports')]\"\n },\n {\n \"count\": {\n \"value\": \"[[parameters('ports')]\",\n \"name\": \"ports\",\n \"where\": {\n \"value\": \"[[if(and(not(empty(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange'))), contains(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange'),'-')), and(lessOrEquals(int(first(split(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange'), '-'))),int(current('ports'))),greaterOrEquals(int(last(split(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange'), '-'))),int(current('ports')))), 'false')]\",\n \"equals\": \"true\"\n }\n },\n \"greater\": 0\n },\n {\n \"count\": {\n \"value\": \"[[parameters('ports')]\",\n \"name\": \"ports\",\n \"where\": {\n \"count\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]\",\n \"where\": {\n \"value\": \"[[if(and(not(empty(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]'))), contains(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]'),'-')), and(lessOrEquals(int(first(split(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]'), '-'))),int(current('ports'))),greaterOrEquals(int(last(split(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]'), '-'))),int(current('ports')))) , 'false')]\",\n \"equals\": \"true\"\n }\n },\n \"greater\": 0\n }\n },\n \"greater\": 0\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]\",\n \"notEquals\": \"*\"\n }\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]\",\n \"notIn\": \"[[parameters('ports')]\"\n }\n }\n ]\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix\",\n \"equals\": \"*\"\n },\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix\",\n \"equals\": \"Internet\"\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefixes[*]\",\n \"notEquals\": \"*\"\n }\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefixes[*]\",\n \"notEquals\": \"Internet\"\n }\n }\n ]\n }\n ]\n }\n },\n \"greater\": 0\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#10": "{\n \"name\": \"Audit-Tags-Mandatory-Rg\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Audit for mandatory tags on resource groups\",\n \"mode\": \"Indexed\",\n \"description\": \"Audits resource groups to ensure they have required tags based on tag array.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Tags\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"mandatoryTags\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Array of mandatory tags\",\n \"description\": \"Array of mandatory tags that must be present on the resource group. The array should contain semicolon separated list of the tag names.\"\n },\n \"defaultValue\": [\n \"owner\",\n \"costcenter\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Resources/subscriptions/resourceGroups\"\n },\n {\n \"anyOf\": [\n {\n \"not\": {\n \"count\": {\n \"value\": \"[[parameters('mandatoryTags')]\",\n \"name\": \"tagcount\",\n \"where\": {\n \"field\": \"tags\",\n \"containsKey\": \"[[current('tagcount')]\"\n }\n },\n \"equals\": \"[[length(parameters('mandatoryTags'))]\"\n }\n },\n {\n \"not\": {\n \"count\": {\n \"value\": \"[[parameters('mandatoryTags')]\",\n \"name\": \"tagnullcount\",\n \"where\": {\n \"value\": \"[[resourceGroup().tags[current('tagnullcount')]]\",\n \"notMatch\": \"\"\n }\n },\n \"equals\": \"[[length(parameters('mandatoryTags'))]\"\n }\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#100": "{\n \"name\": \"Deploy-Sql-SecurityAlertPolicies\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy SQL Database security Alert Policies configuration with email admin accounts\",\n \"description\": \"Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration\",\n \"metadata\": {\n \"version\": \"1.1.1\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"emailAddresses\":{\n \"type\":\"Array\",\n \"defaultValue\":[\n \"admin@contoso.com\",\n \"admin@fabrikam.com\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Sql/servers/databases\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Sql/servers/databases/securityAlertPolicies\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Sql/servers/databases/securityAlertPolicies/state\",\n \"equals\": \"Enabled\"\n }\n ]\n },\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"location\": {\n \"type\": \"String\"\n },\n \"sqlServerName\": {\n \"type\": \"String\"\n },\n \"sqlServerDataBaseName\": {\n \"type\": \"String\"\n },\n \"emailAddresses\": {\n \"type\": \"Array\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"name\": \"[[concat(parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/default')]\",\n \"type\": \"Microsoft.Sql/servers/databases/securityAlertPolicies\",\n \"apiVersion\": \"2018-06-01-preview\",\n \"properties\": {\n \"state\": \"Enabled\",\n \"disabledAlerts\": [\n \"\"\n ],\n \"emailAddresses\": \"[[parameters('emailAddresses')]\",\n \"emailAccountAdmins\": true,\n \"storageEndpoint\": null,\n \"storageAccountAccessKey\": \"\",\n \"retentionDays\": 0\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"sqlServerName\": {\n \"value\": \"[[first(split(field('fullname'),'/'))]\"\n },\n \"sqlServerDataBaseName\": {\n \"value\": \"[[field('name')]\"\n },\n \"emailAddresses\":{\n \"value\": \"[[parameters('emailAddresses')]\"\n }\n }\n }\n },\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3\"\n ]\n }\n }\n }\n }\n}\n", + "$fxv#101": "{\n \"name\": \"Deploy-Sql-Tde\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated] Deploy SQL Database Transparent Data Encryption\",\n \"description\": \"Deploy the Transparent Data Encryption when it is not enabled in the deployment. Please use this policy instead https://www.azadvertizer.net/azpolicyadvertizer/86a912f6-9a06-4e26-b447-11b16ba8659f.html\",\n \"metadata\": {\n \"deprecated\": true,\n \"supersededBy\": \"86a912f6-9a06-4e26-b447-11b16ba8659f\",\n \"version\": \"1.1.1-deprecated\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"excludedDatabases\": {\n \"type\": \"Array\",\n \"metadata\":{\n \"displayName\": \"Excluded Databases\",\n \"description\": \"Array of databases that are excluded from this policy\"\n },\n \"defaultValue\": [\n \"master\",\n \"model\",\n \"tempdb\",\n \"msdb\",\n \"resource\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Sql/servers/databases\"\n },\n {\n \"field\": \"name\",\n \"notIn\": \"[[parameters('excludedDatabases')]\"\n\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Sql/servers/databases/transparentDataEncryption\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Sql/transparentDataEncryption.status\",\n \"equals\": \"Enabled\"\n }\n ]\n },\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"location\": {\n \"type\": \"String\"\n },\n \"sqlServerName\": {\n \"type\": \"String\"\n },\n \"sqlServerDataBaseName\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"name\": \"[[concat( parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/current')]\",\n \"type\": \"Microsoft.Sql/servers/databases/transparentDataEncryption\",\n \"apiVersion\": \"2014-04-01\",\n \"properties\": {\n \"status\": \"Enabled\"\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"sqlServerName\": {\n \"value\": \"[[first(split(field('fullname'),'/'))]\"\n },\n \"sqlServerDataBaseName\": {\n \"value\": \"[[field('name')]\"\n }\n }\n }\n },\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3\"\n ]\n }\n }\n }\n }\n}", + "$fxv#102": "{\n \"name\": \"Deploy-Sql-vulnerabilityAssessments\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy SQL Database vulnerability Assessments\",\n \"description\": \"Deploy SQL Database vulnerability Assessments when it not exist in the deployment. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Sql-vulnerabilityAssessments_20230706.html\",\n \"metadata\": {\n \"version\": \"1.0.1-deprecated\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"Deploy-Sql-vulnerabilityAssessments_20230706\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"vulnerabilityAssessmentsEmail\": {\n \"type\": \"String\",\n \"metadata\": {\n \"description\": \"The email address to send alerts. For multiple emails, format in the following 'email1@contoso.com;email2@contoso.com'\",\n \"displayName\": \"The email address to send alerts. For multiple emails, format in the following 'email1@contoso.com;email2@contoso.com'\"\n }\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"type\": \"String\",\n \"metadata\": {\n \"description\": \"The storage account ID to store assessments\",\n \"displayName\": \"The storage account ID to store assessments\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Sql/servers/databases\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Sql/servers/databases/vulnerabilityAssessments\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.emails\",\n \"equals\": \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n },\n {\n \"field\": \"Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.isEnabled\",\n \"equals\": true\n }\n ]\n },\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"location\": {\n \"type\": \"String\"\n },\n \"sqlServerName\": {\n \"type\": \"String\"\n },\n \"sqlServerDataBaseName\": {\n \"type\": \"String\"\n },\n \"vulnerabilityAssessmentsEmail\": {\n \"type\": \"String\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"name\": \"[[concat(parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/default')]\",\n \"type\": \"Microsoft.Sql/servers/databases/vulnerabilityAssessments\",\n \"apiVersion\": \"2017-03-01-preview\",\n \"properties\": {\n \"storageContainerPath\": \"[[concat('https://', last( split(parameters('vulnerabilityAssessmentsStorageID') , '/') ) , '.blob.core.windows.net/vulneraabilitylogs')]\",\n \"storageAccountAccessKey\": \"[[listkeys(parameters('vulnerabilityAssessmentsStorageID'), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value]\",\n \"recurringScans\": {\n \"isEnabled\": true,\n \"emailSubscriptionAdmins\": false,\n \"emails\": [\n \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n ]\n }\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"sqlServerName\": {\n \"value\": \"[[first(split(field('fullname'),'/'))]\"\n },\n \"sqlServerDataBaseName\": {\n \"value\": \"[[field('name')]\"\n },\n \"vulnerabilityAssessmentsEmail\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsStorageID')]\"\n }\n }\n }\n },\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3\",\n \"/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab\"\n ]\n }\n }\n }\n }\n}\n", + "$fxv#103": "{\n \"name\": \"Deploy-Sql-vulnerabilityAssessments_20230706\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy SQL Database Vulnerability Assessments\",\n \"description\": \"Deploy SQL Database Vulnerability Assessments when it does not exist in the deployment, and save results to the storage account specified in the parameters.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Deploy-Sql-vulnerabilityAssessments\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"vulnerabilityAssessmentsEmail\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"description\": \"The email address(es) to send alerts.\",\n \"displayName\": \"The email address(es) to send alerts.\"\n }\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"type\": \"String\",\n \"metadata\": {\n \"description\": \"The storage account ID to store assessments\",\n \"displayName\": \"The storage account ID to store assessments\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Sql/servers/databases\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Sql/servers/databases/vulnerabilityAssessments\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"count\": {\n \"field\": \"Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.emails[*]\",\n \"where\": {\n \"value\": \"current(Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.emails[*])\",\n \"notIn\": \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n }\n },\n \"greater\": 0\n },\n {\n \"field\": \"Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.isEnabled\",\n \"equals\": true\n }\n ]\n },\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"location\": {\n \"type\": \"String\"\n },\n \"sqlServerName\": {\n \"type\": \"String\"\n },\n \"sqlServerDataBaseName\": {\n \"type\": \"String\"\n },\n \"vulnerabilityAssessmentsEmail\": {\n \"type\": \"Array\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"name\": \"[[concat(parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/default')]\",\n \"type\": \"Microsoft.Sql/servers/databases/vulnerabilityAssessments\",\n \"apiVersion\": \"2017-03-01-preview\",\n \"properties\": {\n \"storageContainerPath\": \"[[concat('https://', last( split(parameters('vulnerabilityAssessmentsStorageID') , '/') ) , '.blob.core.windows.net/vulneraabilitylogs')]\",\n \"storageAccountAccessKey\": \"[[listkeys(parameters('vulnerabilityAssessmentsStorageID'), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value]\",\n \"recurringScans\": {\n \"isEnabled\": true,\n \"emailSubscriptionAdmins\": false,\n \"emails\": \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n }\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"sqlServerName\": {\n \"value\": \"[[first(split(field('fullname'),'/'))]\"\n },\n \"sqlServerDataBaseName\": {\n \"value\": \"[[field('name')]\"\n },\n \"vulnerabilityAssessmentsEmail\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsStorageID')]\"\n }\n }\n }\n },\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3\",\n \"/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab\"\n ]\n }\n }\n }\n }\n}\n", + "$fxv#104": "{\n \"name\": \"Deploy-SqlMi-minTLS\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"SQL managed instances deploy a specific min TLS version requirement.\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL managed instances. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\n \"metadata\": {\n \"version\": \"1.3.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect SQL servers\",\n \"description\": \"Enable or disable the execution of the policy minimum TLS version SQL servers\"\n }\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.1\",\n \"1.0\"\n ],\n \"metadata\": {\n \"displayName\": \"Select version for SQL server\",\n \"description\": \"Select version minimum TLS version SQL servers to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Sql/managedInstances\"\n },\n {\n \"field\": \"Microsoft.Sql/managedInstances/minimalTlsVersion\",\n \"less\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Sql/managedInstances\",\n \"evaluationDelay\": \"AfterProvisioningSuccess\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Sql/managedInstances/minimalTlsVersion\",\n \"equals\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n },\n \"name\": \"current\",\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/4939a1f6-9ae0-4e48-a1e0-f2cbe897382d\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Sql/managedInstances\",\n \"apiVersion\": \"2020-02-02-preview\",\n \"name\": \"[[concat(parameters('resourceName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"minimalTlsVersion\": \"[[parameters('minimalTlsVersion')]\"\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('minimalTlsVersion')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#105": "{\n \"name\": \"Deploy-Storage-sslEnforcement\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Azure Storage deploy a specific min TLS version requirement and enforce SSL/HTTPS \",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Storage. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your Azure Storage.\",\n \"metadata\": {\n \"version\": \"1.3.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect Azure Storage\",\n \"description\": \"Enable or disable the execution of the policy minimum TLS version Azure STorage\"\n }\n },\n \"minimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Select TLS version for Azure Storage server\",\n \"description\": \"Select version minimum TLS version Azure STorage to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly\",\n \"notEquals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/minimumTlsVersion\",\n \"less\": \"[[parameters('minimumTlsVersion')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Storage/storageAccounts\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/minimumTlsVersion\",\n \"equals\": \"[[parameters('minimumTlsVersion')]\"\n }\n ]\n },\n \"name\": \"current\",\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"minimumTlsVersion\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Storage/storageAccounts\",\n \"apiVersion\": \"2019-06-01\",\n \"name\": \"[[concat(parameters('resourceName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"supportsHttpsTrafficOnly\": true,\n \"minimumTlsVersion\": \"[[parameters('minimumTlsVersion')]\"\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('minimumTlsVersion')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#106": "{\n \"name\": \"Deploy-VNET-HubSpoke\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy Virtual Network with peering to the hub\",\n \"description\": \"This policy deploys virtual network and peer to the hub\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"vNetName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"vNetName\",\n \"description\": \"Name of the landing zone vNet\"\n }\n },\n \"vNetRgName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"vNetRgName\",\n \"description\": \"Name of the landing zone vNet RG\"\n }\n },\n \"vNetLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"vNetLocation\",\n \"description\": \"Location for the vNet\"\n }\n },\n \"vNetCidrRange\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"vNetCidrRange\",\n \"description\": \"CIDR Range for the vNet\"\n }\n },\n \"hubResourceId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"hubResourceId\",\n \"description\": \"Resource ID for the HUB vNet\"\n }\n },\n \"dnsServers\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"DNSServers\",\n \"description\": \"Default domain servers for the vNET.\"\n },\n \"defaultValue\": []\n },\n \"vNetPeerUseRemoteGateway\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"vNetPeerUseRemoteGateway\",\n \"description\": \"Enable gateway transit for the LZ network\"\n },\n \"defaultValue\": false\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Resources/subscriptions\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"deployIfNotExists\",\n \"details\": {\n \"type\": \"Microsoft.Network/virtualNetworks\",\n \"name\": \"[[parameters('vNetName')]\",\n \"deploymentScope\": \"subscription\",\n \"existenceScope\": \"resourceGroup\",\n \"ResourceGroupName\": \"[[parameters('vNetRgName')]\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n ],\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"name\",\n \"like\": \"[[parameters('vNetName')]\"\n },\n {\n \"field\": \"location\",\n \"equals\": \"[[parameters('vNetLocation')]\"\n }\n ]\n },\n \"deployment\": {\n \"location\": \"northeurope\",\n \"properties\": {\n \"mode\": \"Incremental\",\n \"parameters\": {\n \"vNetRgName\": {\n \"value\": \"[[parameters('vNetRgName')]\"\n },\n \"vNetName\": {\n \"value\": \"[[parameters('vNetName')]\"\n },\n \"vNetLocation\": {\n \"value\": \"[[parameters('vNetLocation')]\"\n },\n \"vNetCidrRange\": {\n \"value\": \"[[parameters('vNetCidrRange')]\"\n },\n \"hubResourceId\": {\n \"value\": \"[[parameters('hubResourceId')]\"\n },\n \"dnsServers\": {\n \"value\": \"[[parameters('dnsServers')]\"\n },\n \"vNetPeerUseRemoteGateway\": {\n \"value\": \"[[parameters('vNetPeerUseRemoteGateway')]\"\n }\n },\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"vNetRgName\": {\n \"type\": \"String\"\n },\n \"vNetName\": {\n \"type\": \"String\"\n },\n \"vNetLocation\": {\n \"type\": \"String\"\n },\n \"vNetCidrRange\": {\n \"type\": \"String\"\n },\n \"vNetPeerUseRemoteGateway\": {\n \"type\": \"bool\",\n \"defaultValue\": false\n },\n \"hubResourceId\": {\n \"type\": \"String\"\n },\n \"dnsServers\": {\n \"type\": \"Array\",\n \"defaultValue\": []\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2021-04-01\",\n \"name\": \"[[concat('alz-vnet-rg-', parameters('vNetLocation'), '-', substring(uniqueString(subscription().id),0,6))]\",\n \"location\": \"[[parameters('vNetLocation')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {},\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Resources/resourceGroups\",\n \"apiVersion\": \"2021-04-01\",\n \"name\": \"[[parameters('vNetRgName')]\",\n \"location\": \"[[parameters('vNetLocation')]\",\n \"properties\": {}\n }\n ],\n \"outputs\": {}\n }\n }\n },\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2021-04-01\",\n \"name\": \"[[concat('alz-vnet-', parameters('vNetLocation'), '-', substring(uniqueString(subscription().id),0,6))]\",\n \"dependsOn\": [\n \"[[concat('alz-vnet-rg-', parameters('vNetLocation'), '-', substring(uniqueString(subscription().id),0,6))]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {},\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/virtualNetworks\",\n \"apiVersion\": \"2021-02-01\",\n \"name\": \"[[parameters('vNetName')]\",\n \"location\": \"[[parameters('vNetLocation')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"addressSpace\": {\n \"addressPrefixes\": [\n \"[[parameters('vNetCidrRange')]\"\n ]\n },\n \"dhcpOptions\": {\n \"dnsServers\": \"[[parameters('dnsServers')]\"\n }\n }\n },\n {\n \"type\": \"Microsoft.Network/virtualNetworks/virtualNetworkPeerings\",\n \"apiVersion\": \"2021-02-01\",\n \"name\": \"[[concat(parameters('vNetName'), '/peerToHub')]\",\n \"dependsOn\": [\n \"[[parameters('vNetName')]\"\n ],\n \"properties\": {\n \"remoteVirtualNetwork\": {\n \"id\": \"[[parameters('hubResourceId')]\"\n },\n \"allowVirtualNetworkAccess\": true,\n \"allowForwardedTraffic\": true,\n \"allowGatewayTransit\": false,\n \"useRemoteGateways\": \"[[parameters('vNetPeerUseRemoteGateway')]\"\n }\n },\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2021-04-01\",\n \"name\": \"[[concat('alz-hub-peering-', parameters('vNetLocation'), '-', substring(uniqueString(subscription().id),0,6))]\",\n \"subscriptionId\": \"[[split(parameters('hubResourceId'),'/')[2]]\",\n \"resourceGroup\": \"[[split(parameters('hubResourceId'),'/')[4]]\",\n \"dependsOn\": [\n \"[[parameters('vNetName')]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"expressionEvaluationOptions\": {\n \"scope\": \"inner\"\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"remoteVirtualNetwork\": {\n \"type\": \"String\",\n \"defaultValue\": false\n },\n \"hubName\": {\n \"type\": \"String\",\n \"defaultValue\": false\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/virtualNetworks/virtualNetworkPeerings\",\n \"name\": \"[[[concat(parameters('hubName'),'/',last(split(parameters('remoteVirtualNetwork'),'/')))]\",\n \"apiVersion\": \"2021-02-01\",\n \"properties\": {\n \"allowVirtualNetworkAccess\": true,\n \"allowForwardedTraffic\": true,\n \"allowGatewayTransit\": true,\n \"useRemoteGateways\": false,\n \"remoteVirtualNetwork\": {\n \"id\": \"[[[parameters('remoteVirtualNetwork')]\"\n }\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"remoteVirtualNetwork\": {\n \"value\": \"[[concat(subscription().id,'/resourceGroups/',parameters('vNetRgName'), '/providers/','Microsoft.Network/virtualNetworks/', parameters('vNetName'))]\"\n },\n \"hubName\": {\n \"value\": \"[[split(parameters('hubResourceId'),'/')[8]]\"\n }\n }\n }\n }\n ],\n \"outputs\": {}\n }\n },\n \"resourceGroup\": \"[[parameters('vNetRgName')]\"\n }\n ],\n \"outputs\": {}\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#107": "{\n \"name\": \"Deploy-Vm-autoShutdown\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Virtual Machine Auto Shutdown Schedule\",\n \"description\": \"Deploys an auto shutdown schedule to a virtual machine\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Compute\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"time\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Scheduled Shutdown Time\",\n \"description\": \"Daily Scheduled shutdown time. i.e. 2300 = 11:00 PM\"\n },\n \"defaultValue\": \"0000\"\n },\n \"timeZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"UTC\",\n \"metadata\": {\n \"displayName\": \"Time zone\",\n \"description\": \"The time zone ID (e.g. Pacific Standard time).\"\n }\n },\n \"EnableNotification\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"metadata\": {\n \"displayName\": \"Send Notification before auto-shutdown\",\n \"description\": \"If notifications are enabled for this schedule (i.e. Enabled, Disabled).\"\n },\n \"allowedValues\": [\n \"Disabled\",\n \"Enabled\"\n ]\n },\n \"NotificationEmailRecipient\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"Email Address\",\n \"description\": \"Email address to be used for notification\"\n }\n },\n \"NotificationWebhookUrl\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"Webhook URL\",\n \"description\": \"A notification will be posted to the specified webhook endpoint when the auto-shutdown is about to happen.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Compute/virtualMachines\"\n },\n \"then\": {\n \"effect\": \"deployIfNotExists\",\n \"details\": {\n \"type\": \"Microsoft.DevTestLab/schedules\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.DevTestLab/schedules/taskType\",\n \"equals\": \"ComputeVmShutdownTask\"\n },\n {\n \"field\": \"Microsoft.DevTestLab/schedules/targetResourceId\",\n \"equals\": \"[[concat(resourceGroup().id,'/providers/Microsoft.Compute/virtualMachines/',field('name'))]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"vmName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n },\n \"time\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"description\": \"Daily Scheduled shutdown time. i.e. 2300 = 11:00 PM\"\n }\n },\n \"timeZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"description\": \"The time zone ID (e.g. Pacific Standard time).\"\n }\n },\n \"EnableNotification\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"description\": \"If notifications are enabled for this schedule (i.e. Enabled, Disabled).\"\n }\n },\n \"NotificationEmailRecipient\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"description\": \"Email address to be used for notification\"\n }\n },\n \"NotificationWebhookUrl\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"description\": \"A notification will be posted to the specified webhook endpoint when the auto-shutdown is about to happen.\"\n }\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"name\": \"[[concat('shutdown-computevm-',parameters('vmName'))]\",\n \"type\": \"Microsoft.DevTestLab/schedules\",\n \"location\": \"[[parameters('location')]\",\n \"apiVersion\": \"2018-09-15\",\n \"properties\": {\n \"status\": \"Enabled\",\n \"taskType\": \"ComputeVmShutdownTask\",\n \"dailyRecurrence\": {\n \"time\": \"[[parameters('time')]\"\n },\n \"timeZoneId\": \"[[parameters('timeZoneId')]\",\n \"notificationSettings\": {\n \"status\": \"[[parameters('EnableNotification')]\",\n \"timeInMinutes\": 30,\n \"webhookUrl\": \"[[parameters('NotificationWebhookUrl')]\",\n \"emailRecipient\": \"[[parameters('NotificationEmailRecipient')]\",\n \"notificationLocale\": \"en\"\n },\n \"targetResourceId\": \"[[resourceId('Microsoft.Compute/virtualMachines', parameters('vmName'))]\"\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"vmName\": {\n \"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"time\": {\n \"value\": \"[[parameters('time')]\"\n },\n \"timeZoneId\": {\n \"value\": \"[[parameters('timeZoneId')]\"\n },\n \"EnableNotification\": {\n \"value\": \"[[parameters('EnableNotification')]\"\n },\n \"NotificationEmailRecipient\": {\n \"value\": \"[[parameters('NotificationEmailRecipient')]\"\n },\n \"NotificationWebhookUrl\": {\n \"value\": \"[[parameters('NotificationWebhookUrl')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#108": "{\n \"name\": \"Deploy-Windows-DomainJoin\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy Windows Domain Join Extension with keyvault configuration\",\n \"description\": \"Deploy Windows Domain Join Extension with keyvault configuration when the extension does not exist on a given windows Virtual Machine\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Guest Configuration\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"domainUsername\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"domainUsername\"\n }\n },\n \"domainPassword\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"domainPassword\"\n }\n },\n \"domainFQDN\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"domainFQDN\"\n }\n },\n \"domainOUPath\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"domainOUPath\"\n }\n },\n \"keyVaultResourceId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"keyVaultResourceId\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Compute/virtualMachines\"\n },\n {\n \"field\": \"Microsoft.Compute/imagePublisher\",\n \"equals\": \"MicrosoftWindowsServer\"\n },\n {\n \"field\": \"Microsoft.Compute/imageOffer\",\n \"equals\": \"WindowsServer\"\n },\n {\n \"field\": \"Microsoft.Compute/imageSKU\",\n \"in\": [\n \"2008-R2-SP1\",\n \"2008-R2-SP1-smalldisk\",\n \"2008-R2-SP1-zhcn\",\n \"2012-Datacenter\",\n \"2012-datacenter-gensecond\",\n \"2012-Datacenter-smalldisk\",\n \"2012-datacenter-smalldisk-g2\",\n \"2012-Datacenter-zhcn\",\n \"2012-datacenter-zhcn-g2\",\n \"2012-R2-Datacenter\",\n \"2012-r2-datacenter-gensecond\",\n \"2012-R2-Datacenter-smalldisk\",\n \"2012-r2-datacenter-smalldisk-g2\",\n \"2012-R2-Datacenter-zhcn\",\n \"2012-r2-datacenter-zhcn-g2\",\n \"2016-Datacenter\",\n \"2016-datacenter-gensecond\",\n \"2016-datacenter-gs\",\n \"2016-Datacenter-Server-Core\",\n \"2016-datacenter-server-core-g2\",\n \"2016-Datacenter-Server-Core-smalldisk\",\n \"2016-datacenter-server-core-smalldisk-g2\",\n \"2016-Datacenter-smalldisk\",\n \"2016-datacenter-smalldisk-g2\",\n \"2016-Datacenter-with-Containers\",\n \"2016-datacenter-with-containers-g2\",\n \"2016-Datacenter-with-RDSH\",\n \"2016-Datacenter-zhcn\",\n \"2016-datacenter-zhcn-g2\",\n \"2019-Datacenter\",\n \"2019-Datacenter-Core\",\n \"2019-datacenter-core-g2\",\n \"2019-Datacenter-Core-smalldisk\",\n \"2019-datacenter-core-smalldisk-g2\",\n \"2019-Datacenter-Core-with-Containers\",\n \"2019-datacenter-core-with-containers-g2\",\n \"2019-Datacenter-Core-with-Containers-smalldisk\",\n \"2019-datacenter-core-with-containers-smalldisk-g2\",\n \"2019-datacenter-gensecond\",\n \"2019-datacenter-gs\",\n \"2019-Datacenter-smalldisk\",\n \"2019-datacenter-smalldisk-g2\",\n \"2019-Datacenter-with-Containers\",\n \"2019-datacenter-with-containers-g2\",\n \"2019-Datacenter-with-Containers-smalldisk\",\n \"2019-datacenter-with-containers-smalldisk-g2\",\n \"2019-Datacenter-zhcn\",\n \"2019-datacenter-zhcn-g2\",\n \"Datacenter-Core-1803-with-Containers-smalldisk\",\n \"datacenter-core-1803-with-containers-smalldisk-g2\",\n \"Datacenter-Core-1809-with-Containers-smalldisk\",\n \"datacenter-core-1809-with-containers-smalldisk-g2\",\n \"Datacenter-Core-1903-with-Containers-smalldisk\",\n \"datacenter-core-1903-with-containers-smalldisk-g2\",\n \"datacenter-core-1909-with-containers-smalldisk\",\n \"datacenter-core-1909-with-containers-smalldisk-g1\",\n \"datacenter-core-1909-with-containers-smalldisk-g2\"\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Compute/virtualMachines/extensions\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c\"\n ],\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Compute/virtualMachines/extensions/type\",\n \"equals\": \"JsonADDomainExtension\"\n },\n {\n \"field\": \"Microsoft.Compute/virtualMachines/extensions/publisher\",\n \"equals\": \"Microsoft.Compute\"\n }\n ]\n },\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"parameters\": {\n \"vmName\": {\n \"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"domainUsername\": {\n \"reference\": {\n \"keyVault\": {\n \"id\": \"[[parameters('keyVaultResourceId')]\"\n },\n \"secretName\": \"[[parameters('domainUsername')]\"\n }\n },\n \"domainPassword\": {\n \"reference\": {\n \"keyVault\": {\n \"id\": \"[[parameters('keyVaultResourceId')]\"\n },\n \"secretName\": \"[[parameters('domainPassword')]\"\n }\n },\n \"domainOUPath\": {\n \"value\": \"[[parameters('domainOUPath')]\"\n },\n \"domainFQDN\": {\n \"value\": \"[[parameters('domainFQDN')]\"\n },\n \"keyVaultResourceId\": {\n \"value\": \"[[parameters('keyVaultResourceId')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"vmName\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"domainUsername\": {\n \"type\": \"String\"\n },\n \"domainPassword\": {\n \"type\": \"securestring\"\n },\n \"domainFQDN\": {\n \"type\": \"String\"\n },\n \"domainOUPath\": {\n \"type\": \"String\"\n },\n \"keyVaultResourceId\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {\n \"domainJoinOptions\": 3,\n \"vmName\": \"[[parameters('vmName')]\"\n },\n \"resources\": [\n {\n \"apiVersion\": \"2015-06-15\",\n \"type\": \"Microsoft.Compute/virtualMachines/extensions\",\n \"name\": \"[[concat(variables('vmName'),'/joindomain')]\",\n \"location\": \"[[resourceGroup().location]\",\n \"properties\": {\n \"publisher\": \"Microsoft.Compute\",\n \"type\": \"JsonADDomainExtension\",\n \"typeHandlerVersion\": \"1.3\",\n \"autoUpgradeMinorVersion\": true,\n \"settings\": {\n \"Name\": \"[[parameters('domainFQDN')]\",\n \"User\": \"[[parameters('domainUserName')]\",\n \"Restart\": \"true\",\n \"Options\": \"[[variables('domainJoinOptions')]\",\n \"OUPath\": \"[[parameters('domainOUPath')]\"\n },\n \"protectedSettings\": {\n \"Password\": \"[[parameters('domainPassword')]\"\n }\n }\n }\n ],\n \"outputs\": {}\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#109": "{\n \"name\": \"Deploy-Diagnostics-VWanS2SVPNGW\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for VWAN S2S VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN Gateway to stream to a Log Analytics workspace when any VWAN S2S VPN Gateway which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/vpnGateways\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/vpnGateways/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"GatewayDiagnosticLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"IKEDiagnosticLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"RouteDiagnosticLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"TunnelDiagnosticLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#11": "{\n \"name\": \"Deny-AppGW-Without-WAF\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Application Gateway should be deployed with WAF enabled\",\n \"description\": \"This policy enables you to restrict that Application Gateways is always deployed with WAF enabled\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/applicationGateways\"\n },\n {\n \"field\": \"Microsoft.Network/applicationGateways/sku.name\",\n \"notequals\": \"WAF_v2\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#110": "{\n \"name\": \"Audit-PrivateLinkDnsZones\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null, \n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Audit or Deny the creation of Private Link Private DNS Zones\",\n \"description\": \"This policy audits or denies, depending on assignment effect, the creation of a Private Link Private DNS Zones in the current scope, used in combination with policies that create centralized private DNS in connectivity subscription\",\n \"metadata\": {\n \"version\": \"1.0.2\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"privateLinkDnsZones\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Private Link Private DNS Zones\",\n \"description\": \"An array of Private Link Private DNS Zones to check for the existence of in the assigned scope.\"\n },\n \"defaultValue\": [\n \"privatelink.adf.azure.com\",\n \"privatelink.afs.azure.net\",\n \"privatelink.agentsvc.azure-automation.net\",\n \"privatelink.analysis.windows.net\",\n \"privatelink.api.azureml.ms\",\n \"privatelink.azconfig.io\",\n \"privatelink.azure-api.net\",\n \"privatelink.azure-automation.net\",\n \"privatelink.azurecr.io\",\n \"privatelink.azure-devices.net\",\n \"privatelink.azure-devices-provisioning.net\",\n \"privatelink.azuredatabricks.net\",\n \"privatelink.azurehdinsight.net\",\n \"privatelink.azurehealthcareapis.com\",\n \"privatelink.azurestaticapps.net\",\n \"privatelink.azuresynapse.net\",\n \"privatelink.azurewebsites.net\",\n \"privatelink.batch.azure.com\",\n \"privatelink.blob.core.windows.net\",\n \"privatelink.cassandra.cosmos.azure.com\",\n \"privatelink.cognitiveservices.azure.com\",\n \"privatelink.database.windows.net\",\n \"privatelink.datafactory.azure.net\",\n \"privatelink.dev.azuresynapse.net\",\n \"privatelink.dfs.core.windows.net\",\n \"privatelink.dicom.azurehealthcareapis.com\",\n \"privatelink.digitaltwins.azure.net\",\n \"privatelink.directline.botframework.com\",\n \"privatelink.documents.azure.com\",\n \"privatelink.eventgrid.azure.net\",\n \"privatelink.file.core.windows.net\",\n \"privatelink.gremlin.cosmos.azure.com\",\n \"privatelink.guestconfiguration.azure.com\",\n \"privatelink.his.arc.azure.com\",\n \"privatelink.kubernetesconfiguration.azure.com\",\n \"privatelink.managedhsm.azure.net\",\n \"privatelink.mariadb.database.azure.com\",\n \"privatelink.media.azure.net\",\n \"privatelink.mongo.cosmos.azure.com\",\n \"privatelink.monitor.azure.com\",\n \"privatelink.mysql.database.azure.com\",\n \"privatelink.notebooks.azure.net\",\n \"privatelink.ods.opinsights.azure.com\",\n \"privatelink.oms.opinsights.azure.com\",\n \"privatelink.pbidedicated.windows.net\",\n \"privatelink.postgres.database.azure.com\",\n \"privatelink.prod.migration.windowsazure.com\",\n \"privatelink.purview.azure.com\",\n \"privatelink.purviewstudio.azure.com\",\n \"privatelink.queue.core.windows.net\",\n \"privatelink.redis.cache.windows.net\",\n \"privatelink.redisenterprise.cache.azure.net\",\n \"privatelink.search.windows.net\",\n \"privatelink.service.signalr.net\",\n \"privatelink.servicebus.windows.net\",\n \"privatelink.siterecovery.windowsazure.com\",\n \"privatelink.sql.azuresynapse.net\",\n \"privatelink.table.core.windows.net\",\n \"privatelink.table.cosmos.azure.com\",\n \"privatelink.tip1.powerquery.microsoft.com\",\n \"privatelink.token.botframework.com\",\n \"privatelink.vaultcore.azure.net\",\n \"privatelink.web.core.windows.net\",\n \"privatelink.webpubsub.azure.com\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/privateDnsZones\"\n },\n {\n \"field\": \"name\",\n \"in\": \"[[parameters('privateLinkDnsZones')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#111": "{\n \"name\": \"DenyAction-DiagnosticLogs\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"DenyAction implementation on Diagnostic Logs.\",\n \"description\": \"DenyAction implementation on Diagnostic Logs.\",\n \"metadata\": {\n \"deprecated\": false,\n \"version\": \"1.0.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {},\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Insights/diagnosticSettings\"\n },\n \"then\": {\n \"effect\": \"denyAction\",\n \"details\": {\n \"actionNames\": [\n \"delete\"\n ]\n }\n }\n }\n }\n}", + "$fxv#112": "{\n \"name\": \"DenyAction-ActivityLogs\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"DenyAction implementation on Activity Logs\",\n \"description\": \"This is a DenyAction implementation policy on Activity Logs.\",\n \"metadata\": {\n \"deprecated\": false, \n \"version\": \"1.0.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {},\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Resources/subscriptions/providers/diagnosticSettings\"\n },\n \"then\": {\n \"effect\": \"denyAction\",\n \"details\": {\n \"actionNames\": [\n \"delete\"\n ]\n }\n }\n }\n }\n}", + "$fxv#113": "{\n \"name\": \"Deploy-UserAssignedManagedIdentity-VMInsights\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"displayName\": \"[Deprecated]: Deploy User Assigned Managed Identity for VM Insights\",\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"description\": \"Policy is deprecated as it's no longer required. User-Assigned Management Identity is now centralized and deployed by Azure Landing Zones to the Management Subscription.\",\n \"metadata\": {\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"Managed Identity\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"bringYourOwnUserAssignedManagedIdentity\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"Bring Your Own User-Assigned Identity\",\n \"description\": \"Enable this to use your pre-created user-assigned managed identity. The pre-created identity MUST exist within the subscription otherwise the policy deployment will fail. If enabled, ensure that the User-Assigned Identity Name and Identity Resource Group Name parameters match the pre-created identity. If not enabled, the policy will create per subscription, per resource user-assigned managed identities in a new resource group named 'Built-In-Identity-RG'.\"\n },\n \"allowedValues\": [\n true,\n false\n ]\n },\n \"userAssignedIdentityName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"User-Assigned Managed Identity Name\",\n \"description\": \"The name of the pre-created user-assigned managed identity.\"\n },\n \"defaultValue\": \"\"\n },\n \"identityResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"User-Assigned Managed Identity Resource Group Name\",\n \"description\": \"The resource group in which the pre-created user-assigned managed identity resides.\"\n },\n \"defaultValue\": \"\"\n },\n \"builtInIdentityResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Built-In-Identity-RG Location\",\n \"description\": \"The location of the resource group 'Built-In-Identity-RG' created by the policy. This parameter is only used when 'Bring Your Own User Assigned Identity' parameter is false.\"\n },\n \"defaultValue\": \"eastus\"\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Policy Effect\",\n \"description\": \"The effect determines what happens when the policy rule is evaluated to match.\"\n },\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Compute/virtualMachines\"\n },\n {\n \"value\": \"[[requestContext().apiVersion]\",\n \"greaterOrEquals\": \"2018-10-01\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Compute/virtualMachines\",\n \"name\": \"[[field('name')]\",\n \"evaluationDelay\": \"AfterProvisioning\",\n \"deploymentScope\": \"subscription\",\n \"existenceCondition\": {\n \"anyOf\": [\n {\n \"allOf\": [\n {\n \"field\": \"identity.type\",\n \"contains\": \"UserAssigned\"\n },\n {\n \"field\": \"identity.userAssignedIdentities\",\n \"containsKey\": \"[[if(parameters('bringYourOwnUserAssignedManagedIdentity'), concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', trim(parameters('identityResourceGroup')), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', trim(parameters('userAssignedIdentityName'))), concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/Built-In-Identity-RG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/Built-In-Identity-', field('location')))]\"\n }\n ]\n },\n {\n \"allOf\": [\n {\n \"field\": \"identity.type\",\n \"equals\": \"UserAssigned\"\n },\n {\n \"value\": \"[[string(length(field('identity.userAssignedIdentities')))]\",\n \"equals\": \"1\"\n }\n ]\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n ],\n \"deployment\": {\n \"location\": \"eastus\",\n \"properties\": {\n \"mode\": \"incremental\",\n \"parameters\": {\n \"bringYourOwnUserAssignedManagedIdentity\": {\n \"value\": \"[[parameters('bringYourOwnUserAssignedManagedIdentity')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"uaName\": {\n \"value\": \"[[if(parameters('bringYourOwnUserAssignedManagedIdentity'), parameters('userAssignedIdentityName'), 'Built-In-Identity')]\"\n },\n \"identityResourceGroup\": {\n \"value\": \"[[if(parameters('bringYourOwnUserAssignedManagedIdentity'), parameters('identityResourceGroup'), 'Built-In-Identity-RG')]\"\n },\n \"builtInIdentityResourceGroupLocation\": {\n \"value\": \"[[parameters('builtInIdentityResourceGroupLocation')]\"\n },\n \"vmName\": {\n \"value\": \"[[field('name')]\"\n },\n \"vmResourceGroup\": {\n \"value\": \"[[resourceGroup().name]\"\n },\n \"resourceId\": {\n \"value\": \"[[field('id')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.1\",\n \"parameters\": {\n \"bringYourOwnUserAssignedManagedIdentity\": {\n \"type\": \"bool\"\n },\n \"location\": {\n \"type\": \"string\"\n },\n \"uaName\": {\n \"type\": \"string\"\n },\n \"identityResourceGroup\": {\n \"type\": \"string\"\n },\n \"builtInIdentityResourceGroupLocation\": {\n \"type\": \"string\"\n },\n \"vmName\": {\n \"type\": \"string\"\n },\n \"vmResourceGroup\": {\n \"type\": \"string\"\n },\n \"resourceId\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {\n \"uaNameWithLocation\": \"[[concat(parameters('uaName'),'-', parameters('location'))]\",\n \"precreatedUaId\": \"[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', trim(parameters('identityResourceGroup')), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', trim(parameters('uaName')))]\",\n \"autocreatedUaId\": \"[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', trim(parameters('identityResourceGroup')), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', trim(parameters('uaName')), '-', parameters('location'))]\",\n \"deployUALockName\": \"[[concat('deployUALock-', uniqueString(deployment().name))]\",\n \"deployUAName\": \"[[concat('deployUA-', uniqueString(deployment().name))]\",\n \"deployGetResourceProperties\": \"[[concat('deployGetResourceProperties-', uniqueString(deployment().name))]\",\n \"deployAssignUAName\": \"[[concat('deployAssignUA-', uniqueString(deployment().name))]\"\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Resources/resourceGroups\",\n \"apiVersion\": \"2020-06-01\",\n \"name\": \"[[parameters('identityResourceGroup')]\",\n \"location\": \"[[parameters('builtInIdentityResourceGroupLocation')]\"\n },\n {\n \"condition\": \"[[parameters('bringYourOwnUserAssignedManagedIdentity')]\",\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2020-06-01\",\n \"name\": \"[[variables('deployUALockName')]\",\n \"resourceGroup\": \"[[parameters('identityResourceGroup')]\",\n \"dependsOn\": [\n \"[[resourceId('Microsoft.Resources/resourceGroups', parameters('identityResourceGroup'))]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"expressionEvaluationOptions\": {\n \"scope\": \"inner\"\n },\n \"parameters\": {\n \"uaName\": {\n \"value\": \"[[parameters('uaName')]\"\n },\n \"location\": {\n \"value\": \"[[parameters('location')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"uaName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.ManagedIdentity/userAssignedIdentities\",\n \"name\": \"[[parameters('uaName')]\",\n \"apiVersion\": \"2018-11-30\",\n \"location\": \"[[parameters('location')]\"\n }\n ]\n }\n }\n },\n {\n \"condition\": \"[[not(parameters('bringYourOwnUserAssignedManagedIdentity'))]\",\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2020-06-01\",\n \"name\": \"[[variables('deployUAName')]\",\n \"resourceGroup\": \"[[parameters('identityResourceGroup')]\",\n \"dependsOn\": [\n \"[[resourceId('Microsoft.Resources/resourceGroups', parameters('identityResourceGroup'))]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"expressionEvaluationOptions\": {\n \"scope\": \"inner\"\n },\n \"parameters\": {\n \"uaName\": {\n \"value\": \"[[variables('uaNameWithLocation')]\"\n },\n \"location\": {\n \"value\": \"[[parameters('location')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"uaName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.ManagedIdentity/userAssignedIdentities\",\n \"name\": \"[[parameters('uaName')]\",\n \"apiVersion\": \"2018-11-30\",\n \"location\": \"[[parameters('location')]\"\n },\n {\n \"type\": \"Microsoft.ManagedIdentity/userAssignedIdentities/providers/locks\",\n \"apiVersion\": \"2016-09-01\",\n \"name\": \"[[concat(parameters('uaName'), '/Microsoft.Authorization/', 'CanNotDeleteLock-', parameters('uaName'))]\",\n \"dependsOn\": [\n \"[[parameters('uaName')]\"\n ],\n \"properties\": {\n \"level\": \"CanNotDelete\",\n \"notes\": \"Please do not delete this User-Assigned Identity since extensions enabled by Azure Policy are relying on their existence.\"\n }\n }\n ]\n }\n }\n },\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2020-06-01\",\n \"name\": \"[[variables('deployGetResourceProperties')]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [\n \"[[resourceId('Microsoft.Resources/resourceGroups', parameters('identityResourceGroup'))]\",\n \"[[variables('deployUAName')]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"resources\": [],\n \"outputs\": {\n \"resource\": {\n \"type\": \"object\",\n \"value\": \"[[reference(parameters('resourceId'), '2019-07-01', 'Full')]\"\n }\n }\n }\n }\n },\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2020-06-01\",\n \"name\": \"[[concat(variables('deployAssignUAName'))]\",\n \"resourceGroup\": \"[[parameters('vmResourceGroup')]\",\n \"dependsOn\": [\n \"[[resourceId('Microsoft.Resources/resourceGroups', parameters('identityResourceGroup'))]\",\n \"[[variables('deployUAName')]\",\n \"[[variables('deployGetResourceProperties')]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"expressionEvaluationOptions\": {\n \"scope\": \"inner\"\n },\n \"parameters\": {\n \"uaId\": {\n \"value\": \"[[if(parameters('bringYourOwnUserAssignedManagedIdentity'), variables('precreatedUaId'), variables('autocreatedUaId'))]\"\n },\n \"vmName\": {\n \"value\": \"[[parameters('vmName')]\"\n },\n \"location\": {\n \"value\": \"[[parameters('location')]\"\n },\n \"identityType\": {\n \"value\": \"[[if(contains(reference(variables('deployGetResourceProperties')).outputs.resource.value, 'identity'), reference(variables('deployGetResourceProperties')).outputs.resource.value.identity.type, '')]\"\n },\n \"userAssignedIdentities\": {\n \"value\": \"[[if(and(contains(reference(variables('deployGetResourceProperties')).outputs.resource.value, 'identity'), contains(reference(variables('deployGetResourceProperties')).outputs.resource.value.identity, 'userAssignedIdentities')), reference(variables('deployGetResourceProperties')).outputs.resource.value.identity.userAssignedIdentities, createObject())]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"uaId\": {\n \"type\": \"string\"\n },\n \"vmName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n },\n \"identityType\": {\n \"type\": \"string\"\n },\n \"userAssignedIdentities\": {\n \"type\": \"object\"\n }\n },\n \"variables\": {\n \"identityTypeValue\": \"[[if(contains(parameters('identityType'), 'SystemAssigned'), 'SystemAssigned,UserAssigned', 'UserAssigned')]\",\n \"userAssignedIdentitiesValue\": \"[[union(parameters('userAssignedIdentities'), createObject(parameters('uaId'), createObject()))]\",\n \"resourceWithSingleUAI\": \"[[and(equals(parameters('identityType'), 'UserAssigned'), equals(string(length(parameters('userAssignedIdentities'))), '1'))]\"\n },\n \"resources\": [\n {\n \"condition\": \"[[not(variables('resourceWithSingleUAI'))]\",\n \"apiVersion\": \"2019-07-01\",\n \"type\": \"Microsoft.Compute/virtualMachines\",\n \"name\": \"[[parameters('vmName')]\",\n \"location\": \"[[parameters('location')]\",\n \"identity\": {\n \"type\": \"[[variables('identityTypeValue')]\",\n \"userAssignedIdentities\": \"[[variables('userAssignedIdentitiesValue')]\"\n }\n }\n ]\n }\n }\n }\n ]\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#114": "{\n \"name\": \"Deploy-MDFC-Arc-SQL-DCR-Association\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Configure Arc-enabled SQL Servers with DCR Association to Microsoft Defender for SQL user-defined DCR\",\n \"description\": \"Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/2227e1f1-23dd-4c3a-85a9-7024a401d8b2.html\",\n \"metadata\": {\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"2227e1f1-23dd-4c3a-85a9-7024a401d8b2\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"workspaceRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace region\",\n \"description\": \"Region of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"location\"\n }\n },\n \"dcrName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Name\",\n \"description\": \"Name of the Data Collection Rule.\"\n }\n },\n \"dcrResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Resource Group\",\n \"description\": \"Resource Group of the Data Collection Rule.\"\n }\n },\n \"dcrId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Id\",\n \"description\": \"Id of the Data Collection Rule.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.HybridCompute/machines\"\n },\n {\n \"field\": \"Microsoft.HybridCompute/machines/osName\",\n \"equals\": \"Windows\"\n },\n {\n \"field\": \"Microsoft.HybridCompute/machines/mssqlDiscovered\",\n \"equals\": \"true\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/dataCollectionRuleAssociations\",\n \"name\": \"MicrosoftDefenderForSQL-RulesAssociation\",\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceGroup\": {\n \"type\": \"string\"\n },\n \"vmName\": {\n \"type\": \"string\"\n },\n \"workspaceRegion\": {\n \"type\": \"string\"\n },\n \"dcrName\": {\n \"type\": \"string\"\n },\n \"dcrResourceGroup\": {\n \"type\": \"string\"\n },\n \"dcrId\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {\n \"locationLongNameToShortMap\": {\n \"australiacentral\": \"CAU\",\n \"australiaeast\": \"EAU\",\n \"australiasoutheast\": \"SEAU\",\n \"brazilsouth\": \"CQ\",\n \"canadacentral\": \"CCA\",\n \"canadaeast\": \"CCA\",\n \"centralindia\": \"CIN\",\n \"centralus\": \"CUS\",\n \"eastasia\": \"EA\",\n \"eastus2euap\": \"eus2p\",\n \"eastus\": \"EUS\",\n \"eastus2\": \"EUS2\",\n \"francecentral\": \"PAR\",\n \"germanywestcentral\": \"DEWC\",\n \"japaneast\": \"EJP\",\n \"jioindiawest\": \"CIN\",\n \"koreacentral\": \"SE\",\n \"koreasouth\": \"SE\",\n \"northcentralus\": \"NCUS\",\n \"northeurope\": \"NEU\",\n \"norwayeast\": \"NOE\",\n \"southafricanorth\": \"JNB\",\n \"southcentralus\": \"SCUS\",\n \"southeastasia\": \"SEA\",\n \"southindia\": \"CIN\",\n \"swedencentral\": \"SEC\",\n \"switzerlandnorth\": \"CHN\",\n \"switzerlandwest\": \"CHW\",\n \"uaenorth\": \"DXB\",\n \"uksouth\": \"SUK\",\n \"ukwest\": \"WUK\",\n \"westcentralus\": \"WCUS\",\n \"westeurope\": \"WEU\",\n \"westindia\": \"CIN\",\n \"westus\": \"WUS\",\n \"westus2\": \"WUS2\"\n },\n \"locationCode\": \"[[if(contains(variables('locationLongNameToShortMap'), parameters('workspaceRegion')), variables('locationLongNameToShortMap')[parameters('workspaceRegion')], parameters('workspaceRegion'))]\",\n \"subscriptionId\": \"[[subscription().subscriptionId]\",\n \"defaultRGName\": \"[[parameters('resourceGroup')]\",\n \"dcrName\": \"[[parameters('dcrName')]\",\n \"dcrId\": \"[[parameters('dcrId')]\",\n \"dcraName\": \"[[concat(parameters('vmName'),'/Microsoft.Insights/MicrosoftDefenderForSQL-RulesAssociation')]\"\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.HybridCompute/machines/providers/dataCollectionRuleAssociations\",\n \"name\": \"[[variables('dcraName')]\",\n \"apiVersion\": \"2021-04-01\",\n \"properties\": {\n \"description\": \"Configure association between Arc-enabled SQL Server and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for this Arc-enabled SQL Server.\",\n \"dataCollectionRuleId\": \"[[variables('dcrId')]\"\n }\n }\n ]\n },\n \"parameters\": {\n \"resourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"vmName\": {\n \"value\": \"[[field('name')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#115": "{\n \"name\": \"Deploy-MDFC-Arc-Sql-DefenderSQL-DCR\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Configure Arc-enabled SQL Servers to auto install Microsoft Defender for SQL and DCR with a user-defined LAW\",\n \"description\": \"Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/63d03cbd-47fd-4ee1-8a1c-9ddf07303de0.html\",\n \"metadata\": {\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"63d03cbd-47fd-4ee1-8a1c-9ddf07303de0\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"userWorkspaceResourceId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace Resource Id\",\n \"description\": \"Workspace resource Id of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"workspaceRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace region\",\n \"description\": \"Region of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"location\"\n }\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"Enable collection of SQL queries for security research\",\n \"description\": \"Enable or disable the collection of SQL queries for security research.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n },\n \"dcrName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Name\",\n \"description\": \"Name of the Data Collection Rule.\"\n }\n },\n \"dcrResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Resource Group\",\n \"description\": \"Resource Group of the Data Collection Rule.\"\n }\n },\n \"dcrId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Id\",\n \"description\": \"Id of the Data Collection Rule.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.HybridCompute/machines\"\n },\n {\n \"field\": \"Microsoft.HybridCompute/machines/osName\",\n \"equals\": \"Windows\"\n },\n {\n \"field\": \"Microsoft.HybridCompute/machines/mssqlDiscovered\",\n \"equals\": \"true\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/dataCollectionRules\",\n \"deploymentScope\": \"subscription\",\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n ],\n \"existenceScope\": \"subscription\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"location\",\n \"equals\": \"[[parameters('workspaceRegion')]\"\n },\n {\n \"field\": \"name\",\n \"equals\": \"[[parameters('dcrName')]\"\n }\n ]\n },\n \"deployment\": {\n \"location\": \"eastus\",\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceGroup\": {\n \"type\": \"string\"\n },\n \"vmName\": {\n \"type\": \"string\"\n },\n \"userWorkspaceResourceId\": {\n \"type\": \"string\"\n },\n \"workspaceRegion\": {\n \"type\": \"string\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"type\": \"bool\"\n },\n \"dcrName\": {\n \"type\": \"string\"\n },\n \"dcrResourceGroup\": {\n \"type\": \"string\"\n },\n \"dcrId\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {\n \"locationLongNameToShortMap\": {\n \"australiacentral\": \"CAU\",\n \"australiaeast\": \"EAU\",\n \"australiasoutheast\": \"SEAU\",\n \"brazilsouth\": \"CQ\",\n \"canadacentral\": \"CCA\",\n \"canadaeast\": \"CCA\",\n \"centralindia\": \"CIN\",\n \"centralus\": \"CUS\",\n \"eastasia\": \"EA\",\n \"eastus2euap\": \"eus2p\",\n \"eastus\": \"EUS\",\n \"eastus2\": \"EUS2\",\n \"francecentral\": \"PAR\",\n \"germanywestcentral\": \"DEWC\",\n \"japaneast\": \"EJP\",\n \"jioindiawest\": \"CIN\",\n \"koreacentral\": \"SE\",\n \"koreasouth\": \"SE\",\n \"northcentralus\": \"NCUS\",\n \"northeurope\": \"NEU\",\n \"norwayeast\": \"NOE\",\n \"southafricanorth\": \"JNB\",\n \"southcentralus\": \"SCUS\",\n \"southeastasia\": \"SEA\",\n \"southindia\": \"CIN\",\n \"swedencentral\": \"SEC\",\n \"switzerlandnorth\": \"CHN\",\n \"switzerlandwest\": \"CHW\",\n \"uaenorth\": \"DXB\",\n \"uksouth\": \"SUK\",\n \"ukwest\": \"WUK\",\n \"westcentralus\": \"WCUS\",\n \"westeurope\": \"WEU\",\n \"westindia\": \"CIN\",\n \"westus\": \"WUS\",\n \"westus2\": \"WUS2\"\n },\n \"locationCode\": \"[[if(contains(variables('locationLongNameToShortMap'), parameters('workspaceRegion')), variables('locationLongNameToShortMap')[parameters('workspaceRegion')], parameters('workspaceRegion'))]\",\n \"subscriptionId\": \"[[subscription().subscriptionId]\",\n \"defaultRGName\": \"[[parameters('resourceGroup')]\",\n \"defaultRGLocation\": \"[[parameters('workspaceRegion')]\",\n \"dcrName\": \"[[parameters('dcrName')]\",\n \"dcrId\": \"[[parameters('dcrId')]\",\n \"dcraName\": \"[[concat(parameters('vmName'),'/Microsoft.Insights/MicrosoftDefenderForSQL-RulesAssociation')]\",\n \"deployDataCollectionRules\": \"[[concat('deployDataCollectionRules-', uniqueString(deployment().name))]\",\n \"deployDataCollectionRulesAssociation\": \"[[concat('deployDataCollectionRulesAssociation-', uniqueString(deployment().name))]\"\n },\n \"resources\": [\n {\n \"condition\": \"[[empty(parameters('dcrResourceGroup'))]\",\n \"type\": \"Microsoft.Resources/resourceGroups\",\n \"name\": \"[[variables('defaultRGName')]\",\n \"apiVersion\": \"2022-09-01\",\n \"location\": \"[[variables('defaultRGLocation')]\",\n \"tags\": {\n \"createdBy\": \"MicrosoftDefenderForSQL\"\n }\n },\n {\n \"condition\": \"[[empty(parameters('dcrId'))]\",\n \"type\": \"Microsoft.Resources/deployments\",\n \"name\": \"[[variables('deployDataCollectionRules')]\",\n \"apiVersion\": \"2022-09-01\",\n \"resourceGroup\": \"[[variables('defaultRGName')]\",\n \"dependsOn\": [\n \"[[variables('defaultRGName')]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"expressionEvaluationOptions\": {\n \"scope\": \"inner\"\n },\n \"parameters\": {\n \"defaultRGLocation\": {\n \"value\": \"[[variables('defaultRGLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n },\n \"dcrName\": {\n \"value\": \"[[variables('dcrName')]\"\n },\n \"dcrId\": {\n \"value\": \"[[variables('dcrId')]\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"defaultRGLocation\": {\n \"type\": \"string\"\n },\n \"workspaceResourceId\": {\n \"type\": \"string\"\n },\n \"dcrName\": {\n \"type\": \"string\"\n },\n \"dcrId\": {\n \"type\": \"string\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"type\": \"bool\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Insights/dataCollectionRules\",\n \"name\": \"[[parameters('dcrName')]\",\n \"apiVersion\": \"2021-04-01\",\n \"location\": \"[[parameters('defaultRGLocation')]\",\n \"tags\": {\n \"createdBy\": \"MicrosoftDefenderForSQL\"\n },\n \"properties\": {\n \"description\": \"Data collection rule for Microsoft Defender for SQL. Deleting this rule will break the detection of security vulnerabilities.\",\n \"dataSources\": {\n \"extensions\": [\n {\n \"extensionName\": \"MicrosoftDefenderForSQL\",\n \"name\": \"MicrosoftDefenderForSQL\",\n \"streams\": [\n \"Microsoft-DefenderForSqlAlerts\",\n \"Microsoft-DefenderForSqlLogins\",\n \"Microsoft-DefenderForSqlTelemetry\",\n \"Microsoft-DefenderForSqlScanEvents\",\n \"Microsoft-DefenderForSqlScanResults\"\n ],\n \"extensionSettings\": {\n \"enableCollectionOfSqlQueriesForSecurityResearch\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n }\n }\n ]\n },\n \"destinations\": {\n \"logAnalytics\": [\n {\n \"workspaceResourceId\": \"[[parameters('workspaceResourceId')]\",\n \"name\": \"LogAnalyticsDest\"\n }\n ]\n },\n \"dataFlows\": [\n {\n \"streams\": [\n \"Microsoft-DefenderForSqlAlerts\",\n \"Microsoft-DefenderForSqlLogins\",\n \"Microsoft-DefenderForSqlTelemetry\",\n \"Microsoft-DefenderForSqlScanEvents\",\n \"Microsoft-DefenderForSqlScanResults\"\n ],\n \"destinations\": [\n \"LogAnalyticsDest\"\n ]\n }\n ]\n }\n }\n ]\n }\n }\n },\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"name\": \"[[variables('deployDataCollectionRulesAssociation')]\",\n \"apiVersion\": \"2022-09-01\",\n \"resourceGroup\": \"[[parameters('resourceGroup')]\",\n \"dependsOn\": [\n \"[[variables('deployDataCollectionRules')]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"expressionEvaluationOptions\": {\n \"scope\": \"inner\"\n },\n \"parameters\": {\n \"dcrId\": {\n \"value\": \"[[variables('dcrId')]\"\n },\n \"dcraName\": {\n \"value\": \"[[variables('dcraName')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"dcrId\": {\n \"type\": \"string\"\n },\n \"dcraName\": {\n \"type\": \"string\"\n }\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.HybridCompute/machines/providers/dataCollectionRuleAssociations\",\n \"name\": \"[[parameters('dcraName')]\",\n \"apiVersion\": \"2021-04-01\",\n \"properties\": {\n \"description\": \"Configure association between Arc-enabled SQL Server and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for this Arc-enabled SQL Server.\",\n \"dataCollectionRuleId\": \"[[parameters('dcrId')]\"\n }\n }\n ]\n }\n }\n }\n ]\n },\n \"parameters\": {\n \"resourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"vmName\": {\n \"value\": \"[[field('name')]\"\n },\n \"userWorkspaceResourceId\": {\n \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#116": "{\n \"name\": \"Deploy-MDFC-SQL-AMA\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Configure SQL Virtual Machines to automatically install Azure Monitor Agent\",\n \"description\": \"Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/f91991d1-5383-4c95-8ee5-5ac423dd8bb1.html\",\n \"metadata\": {\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"f91991d1-5383-4c95-8ee5-5ac423dd8bb1\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"identityResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Identity Resource Group\",\n \"description\": \"The name of the resource group created by the policy.\"\n },\n \"defaultValue\": \"\"\n },\n \"userAssignedIdentityName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"User Assigned Managed Identity Name\",\n \"description\": \"The name of the user assigned managed identity.\"\n },\n \"defaultValue\": \"\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Compute/virtualMachines\"\n },\n {\n \"field\": \"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\n \"like\": \"Windows*\"\n },\n {\n \"field\": \"Microsoft.Compute/imagePublisher\",\n \"equals\": \"microsoftsqlserver\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Compute/virtualMachines/extensions\",\n \"evaluationDelay\": \"AfterProvisioning\",\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c\"\n ],\n \"name\": \"[[concat(field('fullName'), '/AzureMonitorWindowsAgent')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Compute/virtualMachines/extensions/type\",\n \"equals\": \"AzureMonitorWindowsAgent\"\n },\n {\n \"field\": \"Microsoft.Compute/virtualMachines/extensions/publisher\",\n \"equals\": \"Microsoft.Azure.Monitor\"\n },\n {\n \"field\": \"Microsoft.Compute/virtualMachines/extensions/provisioningState\",\n \"in\": [\n \"Succeeded\",\n \"Provisioning succeeded\"\n ]\n }\n ]\n },\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"vmName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n },\n \"userAssignedManagedIdentity\": {\n \"type\": \"string\"\n },\n \"userAssignedIdentityName\": {\n \"type\": \"string\"\n },\n \"identityResourceGroup\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {\n \"extensionName\": \"AzureMonitorWindowsAgent\",\n \"extensionPublisher\": \"Microsoft.Azure.Monitor\",\n \"extensionType\": \"AzureMonitorWindowsAgent\",\n \"extensionTypeHandlerVersion\": \"1.2\"\n },\n \"resources\": [\n {\n \"name\": \"[[concat(parameters('vmName'), '/', variables('extensionName'))]\",\n \"type\": \"Microsoft.Compute/virtualMachines/extensions\",\n \"location\": \"[[parameters('location')]\",\n \"tags\": {\n \"createdBy\": \"MicrosoftDefenderForSQL\"\n },\n \"apiVersion\": \"2023-03-01\",\n \"properties\": {\n \"publisher\": \"[[variables('extensionPublisher')]\",\n \"type\": \"[[variables('extensionType')]\",\n \"typeHandlerVersion\": \"[[variables('extensionTypeHandlerVersion')]\",\n \"autoUpgradeMinorVersion\": true,\n \"enableAutomaticUpgrade\": true,\n \"settings\": {\n \"authentication\": {\n \"managedIdentity\": {\n \"identifier-name\": \"mi_res_id\",\n \"identifier-value\": \"[[parameters('userAssignedManagedIdentity')]\"\n }\n }\n }\n }\n }\n ]\n },\n \"parameters\": {\n \"vmName\": {\n \"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"userAssignedManagedIdentity\": {\n \"value\": \"[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', trim(parameters('identityResourceGroup')), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', trim(parameters('userAssignedIdentityName')))]\"\n },\n \"userAssignedIdentityName\": {\n \"value\": \"[[parameters('userAssignedIdentityName')]\"\n },\n \"identityResourceGroup\": {\n \"value\": \"[[parameters('identityResourceGroup')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#117": "{\n \"name\": \"Deploy-MDFC-SQL-DefenderSQL-DCR\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Configure SQL Virtual Machines to auto install Microsoft Defender for SQL and DCR with a user-defined LAW\",\n \"description\": \"Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/04754ef9-9ae3-4477-bf17-86ef50026304.html\",\n \"metadata\": {\n \"version\": \"1.0.1-deprecated\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"04754ef9-9ae3-4477-bf17-86ef50026304\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"userWorkspaceResourceId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace Resource Id\",\n \"description\": \"Workspace resource Id of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"workspaceRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace region\",\n \"description\": \"Region of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"location\"\n }\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"Enable collection of SQL queries for security research\",\n \"description\": \"Enable or disable the collection of SQL queries for security research.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n },\n \"dcrName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Name\",\n \"description\": \"Name of the Data Collection Rule.\"\n }\n },\n \"dcrResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Resource Group\",\n \"description\": \"Resource Group of the Data Collection Rule.\"\n }\n },\n \"dcrId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Id\",\n \"description\": \"Id of the Data Collection Rule.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Compute/virtualMachines\"\n },\n {\n \"field\": \"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\n \"like\": \"Windows*\"\n },\n {\n \"field\": \"Microsoft.Compute/imagePublisher\",\n \"equals\": \"microsoftsqlserver\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/dataCollectionRules\",\n \"evaluationDelay\": \"AfterProvisioning\",\n \"deploymentScope\": \"subscription\",\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n ],\n \"existenceScope\": \"subscription\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"location\",\n \"equals\": \"[[parameters('workspaceRegion')]\"\n },\n {\n \"field\": \"name\",\n \"equals\": \"[[parameters('dcrName')]\"\n }\n ]\n },\n \"deployment\": {\n \"location\": \"eastus\",\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceGroup\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n },\n \"vmName\": {\n \"type\": \"string\"\n },\n \"userWorkspaceResourceId\": {\n \"type\": \"string\"\n },\n \"workspaceRegion\": {\n \"type\": \"string\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"type\": \"bool\"\n },\n \"dcrName\": {\n \"type\": \"string\"\n },\n \"dcrResourceGroup\": {\n \"type\": \"string\"\n },\n \"dcrId\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {\n \"locationLongNameToShortMap\": {\n \"australiacentral\": \"CAU\",\n \"australiaeast\": \"EAU\",\n \"australiasoutheast\": \"SEAU\",\n \"brazilsouth\": \"CQ\",\n \"canadacentral\": \"CCA\",\n \"canadaeast\": \"CCA\",\n \"centralindia\": \"CIN\",\n \"centralus\": \"CUS\",\n \"eastasia\": \"EA\",\n \"eastus2euap\": \"eus2p\",\n \"eastus\": \"EUS\",\n \"eastus2\": \"EUS2\",\n \"francecentral\": \"PAR\",\n \"germanywestcentral\": \"DEWC\",\n \"japaneast\": \"EJP\",\n \"jioindiawest\": \"CIN\",\n \"koreacentral\": \"SE\",\n \"koreasouth\": \"SE\",\n \"northcentralus\": \"NCUS\",\n \"northeurope\": \"NEU\",\n \"norwayeast\": \"NOE\",\n \"southafricanorth\": \"JNB\",\n \"southcentralus\": \"SCUS\",\n \"southeastasia\": \"SEA\",\n \"southindia\": \"CIN\",\n \"swedencentral\": \"SEC\",\n \"switzerlandnorth\": \"CHN\",\n \"switzerlandwest\": \"CHW\",\n \"uaenorth\": \"DXB\",\n \"uksouth\": \"SUK\",\n \"ukwest\": \"WUK\",\n \"westcentralus\": \"WCUS\",\n \"westeurope\": \"WEU\",\n \"westindia\": \"CIN\",\n \"westus\": \"WUS\",\n \"westus2\": \"WUS2\"\n },\n \"locationCode\": \"[[if(contains(variables('locationLongNameToShortMap'), parameters('workspaceRegion')), variables('locationLongNameToShortMap')[parameters('workspaceRegion')], parameters('workspaceRegion'))]\",\n \"subscriptionId\": \"[[subscription().subscriptionId]\",\n \"defaultRGName\": \"[[parameters('dcrResourceGroup')]\",\n \"defaultRGLocation\": \"[[parameters('workspaceRegion')]\",\n \"dcrName\": \"[[parameters('dcrName')]\",\n \"dcrId\": \"[[parameters('dcrId')]\",\n \"dcraName\": \"[[concat(parameters('vmName'),'/Microsoft.Insights/MicrosoftDefenderForSQL-RulesAssociation')]\",\n \"deployDataCollectionRules\": \"[[concat('deployDataCollectionRules-', uniqueString(deployment().name))]\",\n \"deployDataCollectionRulesAssociation\": \"[[concat('deployDataCollectionRulesAssociation-', uniqueString(deployment().name))]\",\n \"deployDefenderForSQL\": \"[[concat('deployDefenderForSQL-', uniqueString(deployment().name))]\"\n },\n \"resources\": [\n {\n \"condition\": \"[[empty(parameters('dcrResourceGroup'))]\",\n \"type\": \"Microsoft.Resources/resourceGroups\",\n \"name\": \"[[variables('defaultRGName')]\",\n \"apiVersion\": \"2022-09-01\",\n \"location\": \"[[variables('defaultRGLocation')]\",\n \"tags\": {\n \"createdBy\": \"MicrosoftDefenderForSQL\"\n }\n },\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"name\": \"[[variables('deployDefenderForSQL')]\",\n \"apiVersion\": \"2022-09-01\",\n \"resourceGroup\": \"[[parameters('resourceGroup')]\",\n \"properties\": {\n \"mode\": \"Incremental\",\n \"expressionEvaluationOptions\": {\n \"scope\": \"inner\"\n },\n \"parameters\": {\n \"location\": {\n \"value\": \"[[parameters('location')]\"\n },\n \"vmName\": {\n \"value\": \"[[parameters('vmName')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"location\": {\n \"type\": \"string\"\n },\n \"vmName\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Compute/virtualMachines/extensions\",\n \"name\": \"[[concat(parameters('vmName'), '/', 'MicrosoftDefenderForSQL')]\",\n \"apiVersion\": \"2023-03-01\",\n \"location\": \"[[parameters('location')]\",\n \"tags\": {\n \"createdBy\": \"MicrosoftDefenderForSQL\"\n },\n \"properties\": {\n \"publisher\": \"Microsoft.Azure.AzureDefenderForSQL\",\n \"type\": \"AdvancedThreatProtection.Windows\",\n \"typeHandlerVersion\": \"2.0\",\n \"autoUpgradeMinorVersion\": true,\n \"enableAutomaticUpgrade\": true\n }\n }\n ]\n }\n }\n },\n {\n \"condition\": \"[[empty(parameters('dcrId'))]\",\n \"type\": \"Microsoft.Resources/deployments\",\n \"name\": \"[[variables('deployDataCollectionRules')]\",\n \"apiVersion\": \"2022-09-01\",\n \"resourceGroup\": \"[[variables('defaultRGName')]\",\n \"dependsOn\": [\n \"[[variables('defaultRGName')]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"expressionEvaluationOptions\": {\n \"scope\": \"inner\"\n },\n \"parameters\": {\n \"defaultRGLocation\": {\n \"value\": \"[[variables('defaultRGLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n },\n \"dcrName\": {\n \"value\": \"[[variables('dcrName')]\"\n },\n \"dcrId\": {\n \"value\": \"[[variables('dcrId')]\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"defaultRGLocation\": {\n \"type\": \"string\"\n },\n \"workspaceResourceId\": {\n \"type\": \"string\"\n },\n \"dcrName\": {\n \"type\": \"string\"\n },\n \"dcrId\": {\n \"type\": \"string\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"type\": \"bool\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Insights/dataCollectionRules\",\n \"name\": \"[[parameters('dcrName')]\",\n \"apiVersion\": \"2021-04-01\",\n \"location\": \"[[parameters('defaultRGLocation')]\",\n \"tags\": {\n \"createdBy\": \"MicrosoftDefenderForSQL\"\n },\n \"properties\": {\n \"description\": \"Data collection rule for Microsoft Defender for SQL. Deleting this rule will break the detection of security vulnerabilities.\",\n \"dataSources\": {\n \"extensions\": [\n {\n \"extensionName\": \"MicrosoftDefenderForSQL\",\n \"name\": \"MicrosoftDefenderForSQL\",\n \"streams\": [\n \"Microsoft-DefenderForSqlAlerts\",\n \"Microsoft-DefenderForSqlLogins\",\n \"Microsoft-DefenderForSqlTelemetry\",\n \"Microsoft-DefenderForSqlScanEvents\",\n \"Microsoft-DefenderForSqlScanResults\"\n ],\n \"extensionSettings\": {\n \"enableCollectionOfSqlQueriesForSecurityResearch\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n }\n }\n ]\n },\n \"destinations\": {\n \"logAnalytics\": [\n {\n \"workspaceResourceId\": \"[[parameters('workspaceResourceId')]\",\n \"name\": \"LogAnalyticsDest\"\n }\n ]\n },\n \"dataFlows\": [\n {\n \"streams\": [\n \"Microsoft-DefenderForSqlAlerts\",\n \"Microsoft-DefenderForSqlLogins\",\n \"Microsoft-DefenderForSqlTelemetry\",\n \"Microsoft-DefenderForSqlScanEvents\",\n \"Microsoft-DefenderForSqlScanResults\"\n ],\n \"destinations\": [\n \"LogAnalyticsDest\"\n ]\n }\n ]\n }\n }\n ]\n }\n }\n },\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"name\": \"[[variables('deployDataCollectionRulesAssociation')]\",\n \"apiVersion\": \"2022-09-01\",\n \"resourceGroup\": \"[[parameters('resourceGroup')]\",\n \"dependsOn\": [\n \"[[variables('deployDataCollectionRules')]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"expressionEvaluationOptions\": {\n \"scope\": \"inner\"\n },\n \"parameters\": {\n \"dcrId\": {\n \"value\": \"[[variables('dcrId')]\"\n },\n \"dcraName\": {\n \"value\": \"[[variables('dcraName')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"dcrId\": {\n \"type\": \"string\"\n },\n \"dcraName\": {\n \"type\": \"string\"\n }\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Compute/virtualMachines/providers/dataCollectionRuleAssociations\",\n \"name\": \"[[parameters('dcraName')]\",\n \"apiVersion\": \"2021-04-01\",\n \"properties\": {\n \"description\": \"Configure association between SQL Virtual Machine and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for this SQL Virtual Machine.\",\n \"dataCollectionRuleId\": \"[[parameters('dcrId')]\"\n }\n }\n ]\n }\n }\n }\n ]\n },\n \"parameters\": {\n \"resourceGroup\": {\n \"value\": \"[[resourceGroup().name]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"vmName\": {\n \"value\": \"[[field('name')]\"\n },\n \"userWorkspaceResourceId\": {\n \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#118": "{\n \"name\": \"Deploy-MDFC-SQL-DefenderSQL\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"displayName\": \"[Deprecated]: Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL\",\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"description\": \"Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce.html\",\n \"metadata\": {\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"workspaceRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace region\",\n \"description\": \"Region of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"location\"\n }\n },\n \"dcrName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Name\",\n \"description\": \"Name of the Data Collection Rule.\"\n }\n },\n \"dcrResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Resource Group\",\n \"description\": \"Resource Group of the Data Collection Rule.\"\n }\n },\n \"dcrId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Id\",\n \"description\": \"Id of the Data Collection Rule.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Compute/virtualMachines\"\n },\n {\n \"field\": \"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\n \"like\": \"Windows*\"\n },\n {\n \"field\": \"Microsoft.Compute/imagePublisher\",\n \"equals\": \"microsoftsqlserver\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Compute/virtualMachines/extensions\",\n \"name\": \"[[concat(field('fullName'), '/MicrosoftDefenderForSQL')]\",\n \"evaluationDelay\": \"AfterProvisioning\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Compute/virtualMachines/extensions/type\",\n \"equals\": \"AdvancedThreatProtection.Windows\"\n },\n {\n \"field\": \"Microsoft.Compute/virtualMachines/extensions/publisher\",\n \"equals\": \"Microsoft.Azure.AzureDefenderForSQL\"\n },\n {\n \"field\": \"Microsoft.Compute/virtualMachines/extensions/provisioningState\",\n \"in\": [\n \"Succeeded\",\n \"Provisioning succeeded\"\n ]\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"location\": {\n \"type\": \"string\"\n },\n \"vmName\": {\n \"type\": \"string\"\n },\n \"workspaceRegion\": {\n \"type\": \"string\"\n },\n \"dcrResourceGroup\": {\n \"type\": \"string\"\n },\n \"dcrName\": {\n \"type\": \"string\"\n },\n \"dcrId\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {\n \"locationLongNameToShortMap\": {\n \"australiacentral\": \"CAU\",\n \"australiaeast\": \"EAU\",\n \"australiasoutheast\": \"SEAU\",\n \"brazilsouth\": \"CQ\",\n \"canadacentral\": \"CCA\",\n \"canadaeast\": \"CCA\",\n \"centralindia\": \"CIN\",\n \"centralus\": \"CUS\",\n \"eastasia\": \"EA\",\n \"eastus2euap\": \"eus2p\",\n \"eastus\": \"EUS\",\n \"eastus2\": \"EUS2\",\n \"francecentral\": \"PAR\",\n \"germanywestcentral\": \"DEWC\",\n \"japaneast\": \"EJP\",\n \"jioindiawest\": \"CIN\",\n \"koreacentral\": \"SE\",\n \"koreasouth\": \"SE\",\n \"northcentralus\": \"NCUS\",\n \"northeurope\": \"NEU\",\n \"norwayeast\": \"NOE\",\n \"southafricanorth\": \"JNB\",\n \"southcentralus\": \"SCUS\",\n \"southeastasia\": \"SEA\",\n \"southindia\": \"CIN\",\n \"swedencentral\": \"SEC\",\n \"switzerlandnorth\": \"CHN\",\n \"switzerlandwest\": \"CHW\",\n \"uaenorth\": \"DXB\",\n \"uksouth\": \"SUK\",\n \"ukwest\": \"WUK\",\n \"westcentralus\": \"WCUS\",\n \"westeurope\": \"WEU\",\n \"westindia\": \"CIN\",\n \"westus\": \"WUS\",\n \"westus2\": \"WUS2\"\n },\n \"actualLocation\": \"[[if(empty(parameters('workspaceRegion')), parameters('location'), parameters('workspaceRegion'))]\",\n \"locationCode\": \"[[if(contains(variables('locationLongNameToShortMap'), variables('actualLocation')), variables('locationLongNameToShortMap')[variables('actualLocation')], variables('actualLocation'))]\",\n \"subscriptionId\": \"[[subscription().subscriptionId]\",\n \"defaultRGName\": \"[[parameters('dcrResourceGroup')]\",\n \"dcrName\": \"[[parameters('dcrName')]\",\n \"dcrId\": \"[[parameters('dcrId')]\",\n \"dcraName\": \"[[concat(parameters('vmName'),'/Microsoft.Insights/MicrosoftDefenderForSQL-RulesAssociation')]\"\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Compute/virtualMachines/extensions\",\n \"name\": \"[[concat(parameters('vmName'), '/', 'MicrosoftDefenderForSQL')]\",\n \"apiVersion\": \"2023-03-01\",\n \"location\": \"[[parameters('location')]\",\n \"tags\": {\n \"createdBy\": \"MicrosoftDefenderForSQL\"\n },\n \"properties\": {\n \"publisher\": \"Microsoft.Azure.AzureDefenderForSQL\",\n \"type\": \"AdvancedThreatProtection.Windows\",\n \"typeHandlerVersion\": \"2.0\",\n \"autoUpgradeMinorVersion\": true,\n \"enableAutomaticUpgrade\": true\n },\n \"dependsOn\": [\n \"[[extensionResourceId(concat('/subscriptions/', variables('subscriptionId'), '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Compute/virtualMachines/', parameters('vmName')), 'Microsoft.Insights/dataCollectionRuleAssociations','MicrosoftDefenderForSQL-RulesAssociation')]\"\n ]\n },\n {\n \"type\": \"Microsoft.Compute/virtualMachines/providers/dataCollectionRuleAssociations\",\n \"name\": \"[[variables('dcraName')]\",\n \"apiVersion\": \"2021-04-01\",\n \"properties\": {\n \"description\": \"Configure association between SQL Virtual Machine and the Microsoft Defender for SQL DCR. Deleting this association will break the detection of security vulnerabilities for this SQL Virtual Machine.\",\n \"dataCollectionRuleId\": \"[[variables('dcrId')]\"\n }\n }\n ]\n },\n \"parameters\": {\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"vmName\": {\n \"value\": \"[[field('name')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#119": "{\n \"name\": \"Deny-APIM-TLS\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"API Management services should use TLS version 1.2\",\n \"description\": \"Azure API Management service should use TLS version 1.2\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"API Management\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.ApiManagement/service\"\n },\n {\n \"anyOf\": [\n {\n \"value\": \"[[indexof(toLower(string(field('Microsoft.ApiManagement/service/customProperties'))), '\\\"microsoft.windowsazure.apimanagement.gateway.security.protocols.tls10\\\":\\\"true\\\"')]\",\n \"greater\": 0\n },\n {\n \"value\": \"[[indexof(toLower(string(field('Microsoft.ApiManagement/service/customProperties'))), '\\\"microsoft.windowsazure.apimanagement.gateway.security.protocols.tls10\\\":true')]\",\n \"greater\": 0\n },\n {\n \"value\": \"[[indexof(toLower(string(field('Microsoft.ApiManagement/service/customProperties'))), '\\\"microsoft.windowsazure.apimanagement.gateway.security.protocols.tls11\\\":\\\"true\\\"')]\",\n \"greater\": 0\n },\n {\n \"value\": \"[[indexof(toLower(string(field('Microsoft.ApiManagement/service/customProperties'))), '\\\"microsoft.windowsazure.apimanagement.gateway.security.protocols.tls11\\\":true')]\",\n \"greater\": 0\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#12": "{\n \"name\": \"Deny-AppServiceApiApp-http\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"API App should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"App Service\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Web/sites\"\n },\n {\n \"field\": \"kind\",\n \"like\": \"*api\"\n },\n {\n \"field\": \"Microsoft.Web/sites/httpsOnly\",\n \"equals\": \"false\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#120": "{\n \"name\": \"Deny-AppGw-Without-Tls\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Application Gateway should be deployed with predefined Microsoft policy that is using TLS version 1.2\",\n \"description\": \"This policy enables you to restrict that Application Gateways is always deployed with predefined Microsoft policy that is using TLS version 1.2\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"predefinedPolicyName\": {\n \"type\": \"array\",\n \"metadata\": {\n \"displayName\": \"Predefined policy name\",\n \"description\": \"Predefined policy name\"\n },\n \"defaultValue\": [\n \"AppGwSslPolicy20220101\",\n \"AppGwSslPolicy20170401S\",\n \"AppGwSslPolicy20220101S\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/applicationGateways\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Network/applicationGateways/sslPolicy.policyType\",\n \"notEquals\": \"Predefined\"\n },\n {\n \"field\": \"Microsoft.Network/applicationGateways/sslPolicy.policyType\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Network/applicationGateways/sslPolicy.policyName\",\n \"notIn\": \"[[parameters('predefinedPolicyName')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#121": "{\n \"name\": \"Deny-AppService-without-BYOC\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"App Service certificates must be stored in Key Vault\",\n \"description\": \"App Service (including Logic apps and Function apps) must use certificates stored in Key Vault\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"App Service\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Web/certificates\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Web/certificates/keyVaultId\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Web/certificates/keyVaultSecretName\",\n \"exists\": \"false\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#122": "{\n \"name\": \"Deny-AzFw-Without-Policy\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Azure Firewall should have a default Firewall Policy\",\n \"description\": \"This policy denies the creation of Azure Firewall without a default Firewall Policy.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/azureFirewalls\"\n },\n {\n \"field\": \"Microsoft.Network/azureFirewalls/firewallPolicy.id\",\n \"exists\": \"false\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#123": "{\n \"name\": \"Deny-CognitiveServices-NetworkAcls\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Network ACLs should be restricted for Cognitive Services\",\n \"description\": \"Azure Cognitive Services should not allow adding individual IPs or virtual network rules to the service-level firewall. Enable this to restrict inbound network access and enforce the usage of private endpoints.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cognitive Services\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.CognitiveServices/accounts\"\n },\n {\n \"anyOf\": [\n {\n \"count\": {\n \"field\": \"Microsoft.CognitiveServices/accounts/networkAcls.ipRules[*]\"\n },\n \"greater\": 0\n },\n {\n \"count\": {\n \"field\": \"Microsoft.CognitiveServices/accounts/networkAcls.virtualNetworkRules[*]\"\n },\n \"greater\": 0\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#124": "{\n \"name\": \"Deny-CognitiveServices-Resource-Kinds\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Only explicit kinds for Cognitive Services should be allowed\",\n \"description\": \"Azure Cognitive Services should only create explicit allowed kinds.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cognitive Services\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"allowedKinds\": {\n \"type\": \"array\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Select the allowed resource kinds to be used with Cognitive Services\"\n },\n \"allowedValues\": [\n \"AnomalyDetector\",\n \"ComputerVision\",\n \"CognitiveServices\",\n \"ContentModerator\",\n \"CustomVision.Training\",\n \"CustomVision.Prediction\",\n \"Face\",\n \"FormRecognizer\",\n \"ImmersiveReader\",\n \"LUIS\",\n \"Personalizer\",\n \"SpeechServices\",\n \"TextAnalytics\",\n \"TextTranslation\",\n \"OpenAI\"\n ],\n \"defaultValue\": [\n \"AnomalyDetector\",\n \"ComputerVision\",\n \"CognitiveServices\",\n \"ContentModerator\",\n \"CustomVision.Training\",\n \"CustomVision.Prediction\",\n \"Face\",\n \"FormRecognizer\",\n \"ImmersiveReader\",\n \"LUIS\",\n \"Personalizer\",\n \"SpeechServices\",\n \"TextAnalytics\",\n \"TextTranslation\",\n \"OpenAI\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.CognitiveServices/accounts\"\n },\n {\n \"field\": \"kind\",\n \"notIn\": \"[[parameters('allowedKinds')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#125": "{\n \"name\": \"Deny-CognitiveServices-RestrictOutboundNetworkAccess\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Outbound network access should be restricted for Cognitive Services\",\n \"description\": \"Azure Cognitive Services allow restricting outbound network access. Enable this to limit outbound connectivity for the service.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cognitive Services\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.CognitiveServices/accounts\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.CognitiveServices/accounts/restrictOutboundNetworkAccess\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.CognitiveServices/accounts/restrictOutboundNetworkAccess\",\n \"notEquals\": true\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#126": "{\n \"name\": \"Deny-EH-minTLS\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Event Hub namespaces should use a valid TLS version\",\n \"description\": \"Event Hub namespaces should use a valid TLS version.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Event Hub\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"minTlsVersion\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Minimum TLS Version\",\n \"description\": \"Minimum TLS version to be used by Event Hub\"\n },\n \"defaultValue\": \"1.2\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.EventHub/namespaces\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.EventHub/namespaces/minimumTlsVersion\",\n \"less\": \"[[parameters('minTlsVersion')]\"\n },\n {\n \"field\": \"Microsoft.EventHub/namespaces/minimumTlsVersion\",\n \"exists\": \"false\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#127": "{\n \"name\": \"Deny-EH-Premium-CMK\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Event Hub namespaces (Premium) should use a customer-managed key for encryption\",\n \"description\": \"Event Hub namespaces (Premium) should use a customer-managed key for encryption.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Event Hub\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.EventHub/namespaces\"\n },\n {\n \"field\": \"Microsoft.EventHub/namespaces/sku.name\",\n \"equals\": \"Premium\"\n },\n {\n \"not\": {\n \"field\": \"Microsoft.EventHub/namespaces/encryption.keySource\",\n \"equals\": \"Microsoft.Keyvault\"\n }\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#128": "{\n \"name\": \"Deny-LogicApp-Public-Network\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Logic apps should disable public network access\",\n \"description\": \"Disabling public network access improves security by ensuring that the Logic App is not exposed on the public internet. Creating private endpoints can limit exposure of a Logic App. Learn more at: https://aka.ms/app-service-private-endpoint.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Logic Apps\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Web/sites\"\n },\n {\n \"field\": \"kind\",\n \"contains\": \"workflowapp\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Web/sites/publicNetworkAccess\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Web/sites/publicNetworkAccess\",\n \"notEquals\": \"Disabled\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#129": "{\n \"name\": \"Deny-LogicApps-Without-Https\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Logic app should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Logic Apps\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Web/sites\"\n },\n {\n \"field\": \"kind\",\n \"contains\": \"workflowapp\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Web/sites/httpsOnly\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Web/sites/httpsOnly\",\n \"equals\": \"false\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#13": "{\n \"name\": \"Deny-AppServiceFunctionApp-http\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Function App should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"App Service\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Web/sites\"\n },\n {\n \"field\": \"kind\",\n \"like\": \"functionapp*\"\n },\n {\n \"field\": \"Microsoft.Web/sites/httpsOnly\",\n \"equals\": \"false\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#130": "{\n \"name\": \"Deny-Service-Endpoints\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deny or Audit service endpoints on subnets\",\n \"description\": \"This Policy will deny/audit Service Endpoints on subnets. Service Endpoints allows the network traffic to bypass Network appliances, such as the Azure Firewall.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworks/subnets\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/virtualNetworks/subnets/serviceEndpoints[*]\",\n \"where\": {\n \"field\": \"Microsoft.Network/virtualNetworks/subnets/serviceEndpoints[*].service\",\n \"exists\": true\n }\n },\n \"greater\": 0\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#131": "{\n \"name\": \"Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Storage Accounts should use a container delete retention policy\",\n \"description\": \"Enforce container delete retention policies larger than seven days for storage account. Enable this for increased data loss protection.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"minContainerDeleteRetentionInDays\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"Minimum Container Delete Retention in Days\",\n \"description\": \"Specifies the minimum number of days for the container delete retention policy\"\n },\n \"defaultValue\": 7\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts/blobServices\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/blobServices/containerDeleteRetentionPolicy.enabled\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/blobServices/containerDeleteRetentionPolicy.enabled\",\n \"notEquals\": true\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/blobServices/containerDeleteRetentionPolicy.days\",\n \"less\": \"[[parameters('minContainerDeleteRetentionInDays')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#132": "{\n \"name\": \"Deny-Storage-CopyScope\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Allowed Copy scope should be restricted for Storage Accounts\",\n \"description\": \"Azure Storage accounts should restrict the allowed copy scope. Enforce this for increased data exfiltration protection.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"allowedCopyScope\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Allowed Copy Scope\",\n \"description\": \"Specify the allowed copy scope.\"\n },\n \"allowedValues\": [\n \"AAD\",\n \"PrivateLink\"\n ],\n \"defaultValue\": \"AAD\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/allowedCopyScope\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/allowedCopyScope\",\n \"notEquals\": \"[[parameters('allowedCopyScope')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#133": "{\n \"name\": \"Deny-Storage-CorsRules\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Storage Accounts should restrict CORS rules\",\n \"description\": \"Deny CORS rules for storage account for increased data exfiltration protection and endpoint protection.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"anyOf\": [\n {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts/blobServices\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Storage/storageAccounts/blobServices/cors.corsRules[*]\"\n },\n \"greater\": 0\n }\n ]\n },\n {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts/fileServices\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Storage/storageAccounts/fileServices/cors.corsRules[*]\"\n },\n \"greater\": 0\n }\n ]\n },\n {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts/tableServices\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Storage/storageAccounts/tableServices/cors.corsRules[*]\"\n },\n \"greater\": 0\n }\n ]\n },\n {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts/queueServices\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Storage/storageAccounts/queueServices/cors.corsRules[*]\"\n },\n \"greater\": 0\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#134": "{\n \"name\": \"Deny-Storage-LocalUser\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Local users should be restricted for Storage Accounts\",\n \"description\": \"Azure Storage accounts should disable local users for features like SFTP. Enforce this for increased data exfiltration protection.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/isLocalUserEnabled\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/isLocalUserEnabled\",\n \"notEquals\": false\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#135": "{\n \"name\": \"Deny-Storage-NetworkAclsBypass\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Network ACL bypass option should be restricted for Storage Accounts\",\n \"description\": \"Azure Storage accounts should restrict the bypass option for service-level network ACLs. Enforce this for increased data exfiltration protection.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"allowedBypassOptions\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Allowed Bypass Options\",\n \"description\": \"Specifies which options are allowed to bypass the vnet configuration\"\n },\n \"allowedValues\": [\n \"None\",\n \"Logging\",\n \"Metrics\",\n \"AzureServices\",\n \"Logging, Metrics\",\n \"Logging, AzureServices\",\n \"Metrics, AzureServices\",\n \"Logging, Metrics, AzureServices\",\n \"Logging, Metrics, AzureServices\"\n ],\n \"defaultValue\": [\n \"Logging\",\n \"Metrics\",\n \"AzureServices\",\n \"Logging, Metrics\",\n \"Logging, AzureServices\",\n \"Metrics, AzureServices\",\n \"Logging, Metrics, AzureServices\",\n \"Logging, Metrics, AzureServices\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/networkAcls.bypass\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/networkAcls.bypass\",\n \"notIn\": \"[[parameters('allowedBypassOptions')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#136": "{\n \"name\": \"Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Virtual network rules should be restricted for Storage Accounts\",\n \"description\": \"Azure Storage accounts should restrict the virtual network service-level network ACLs. Enforce this for increased data exfiltration protection.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Storage/storageAccounts/networkAcls.virtualNetworkRules[*]\"\n },\n \"greater\": 0\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#137": "{\n \"name\": \"Deny-Storage-ResourceAccessRulesResourceId\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Resource Access Rules resource IDs should be restricted for Storage Accounts\",\n \"description\": \"Azure Storage accounts should restrict the resource access rule for service-level network ACLs to services from a specific Azure subscription. Enforce this for increased data exfiltration protection.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Storage/storageAccounts/networkAcls.resourceAccessRules[*]\"\n },\n \"greater\": 0\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Storage/storageAccounts/networkAcls.resourceAccessRules[*]\",\n \"where\": {\n \"value\": \"[[split(current('Microsoft.Storage/storageAccounts/networkAcls.resourceAccessRules[*].resourceId'), '/')[2]]\",\n \"equals\": \"*\"\n }\n },\n \"greater\": 0\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#138": "{\n \"name\": \"Deny-Storage-ResourceAccessRulesTenantId\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Resource Access Rules Tenants should be restricted for Storage Accounts\",\n \"description\": \"Azure Storage accounts should restrict the resource access rule for service-level network ACLs to service from the same AAD tenant. Enforce this for increased data exfiltration protection.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Storage/storageAccounts/networkAcls.resourceAccessRules[*]\"\n },\n \"greater\": 0\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/networkAcls.resourceAccessRules[*].tenantId\",\n \"notEquals\": \"[[subscription().tenantId]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#139": "{\n \"name\": \"Deny-Storage-ServicesEncryption\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Encryption for storage services should be enforced for Storage Accounts\",\n \"description\": \"Azure Storage accounts should enforce encryption for all storage services. Enforce this for increased encryption scope.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts\"\n },\n {\n \"anyOf\": [\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/encryption.services.blob.enabled\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/encryption.services.blob.enabled\",\n \"notEquals\": true\n }\n ]\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/encryption.services.file.enabled\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/encryption.services.file.enabled\",\n \"notEquals\": true\n }\n ]\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/encryption.services.queue.keyType\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/encryption.services.queue.keyType\",\n \"notEquals\": \"Account\"\n }\n ]\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/encryption.services.table.keyType\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/encryption.services.table.keyType\",\n \"notEquals\": \"Account\"\n }\n ]\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#14": "{\n \"name\": \"Deny-AppServiceWebApp-http\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Web Application should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"App Service\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Web/sites\"\n },\n {\n \"field\": \"kind\",\n \"like\": \"app*\"\n },\n {\n \"field\": \"Microsoft.Web/sites/httpsOnly\",\n \"equals\": \"false\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#140": "{\n \"name\": \"Deploy-LogicApp-TLS\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Configure Logic apps to use the latest TLS version\",\n \"description\": \"Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Logic Apps\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Web/sites\"\n },\n {\n \"field\": \"kind\",\n \"contains\": \"workflowapp\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Web/sites/config\",\n \"name\": \"web\",\n \"existenceCondition\": {\n \"field\": \"Microsoft.Web/sites/config/minTlsVersion\",\n \"equals\": \"1.2\"\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"parameters\": {\n \"siteName\": {\n \"value\": \"[[field('name')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"siteName\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Web/sites/config\",\n \"apiVersion\": \"2021-02-01\",\n \"name\": \"[[concat(parameters('siteName'), '/web')]\",\n \"properties\": {\n \"minTlsVersion\": \"1.2\"\n }\n }\n ],\n \"outputs\": {}\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#141": "{\n \"name\": \"Modify-NSG\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Enforce specific configuration of Network Security Groups (NSG)\",\n \"description\": \"This policy enforces the configuration of Network Security Groups (NSG).\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Modify\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"nsgRuleName\": {\n \"type\": \"string\",\n \"defaultValue\": \"DenyAnyInternetOutbound\"\n },\n \"nsgRulePriority\": {\n \"type\": \"integer\",\n \"defaultValue\": 1000\n },\n \"nsgRuleDirection\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"Inbound\",\n \"Outbound\"\n ],\n \"defaultValue\": \"Outbound\"\n },\n \"nsgRuleAccess\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"Allow\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"nsgRuleProtocol\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"nsgRuleSourceAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"nsgRuleSourcePortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"nsgRuleDestinationAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"Internet\"\n },\n \"nsgRuleDestinationPortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"nsgRuleDescription\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny any outbound traffic to the Internet\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/networkSecurityGroups\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*]\"\n },\n \"equals\": 0\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"conflictEffect\": \"audit\",\n \"operations\": [\n {\n \"operation\": \"add\",\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*]\",\n \"value\": {\n \"name\": \"[[parameters('nsgRuleName')]\",\n \"properties\": {\n \"description\": \"[[parameters('nsgRuleDescription')]\",\n \"protocol\": \"[[parameters('nsgRuleProtocol')]\",\n \"sourcePortRange\": \"[[parameters('nsgRuleSourcePortRange')]\",\n \"destinationPortRange\": \"[[parameters('nsgRuleDestinationPortRange')]\",\n \"sourceAddressPrefix\": \"[[parameters('nsgRuleSourceAddressPrefix')]\",\n \"destinationAddressPrefix\": \"[[parameters('nsgRuleDestinationAddressPrefix')]\",\n \"access\": \"[[parameters('nsgRuleAccess')]\",\n \"priority\": \"[[parameters('nsgRulePriority')]\",\n \"direction\": \"[[parameters('nsgRuleDirection')]\"\n }\n }\n }\n ]\n }\n }\n }\n }\n}", + "$fxv#142": "{\n \"name\": \"Modify-UDR\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Enforce specific configuration of User-Defined Routes (UDR)\",\n \"description\": \"This policy enforces the configuration of User-Defined Routes (UDR) within a subnet.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Modify\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"addressPrefix\": {\n \"type\": \"string\",\n \"metadata\": {\n \"description\": \"The destination IP address range in CIDR notation that this Policy checks for within the UDR. Example: 0.0.0.0/0 to check for the presence of a default route.\",\n \"displayName\": \"Address Prefix\"\n }\n },\n \"nextHopType\": {\n \"type\": \"string\",\n \"metadata\": {\n \"description\": \"The next hope type that the policy checks for within the inspected route. The value can be Virtual Network, Virtual Network Gateway, Internet, Virtual Appliance, or None.\",\n \"displayName\": \"Next Hop Type\"\n },\n \"allowedValues\": [\n \"VnetLocal\",\n \"VirtualNetworkGateway\",\n \"Internet\",\n \"VirtualAppliance\",\n \"None\"\n ]\n },\n \"nextHopIpAddress\": {\n \"type\": \"string\",\n \"metadata\": {\n \"description\": \"The IP address packets should be forwarded to.\",\n \"displayName\": \"Next Hop IP Address\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/routeTables\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/routeTables/routes[*]\"\n },\n \"equals\": 0\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"conflictEffect\": \"audit\",\n \"operations\": [\n {\n \"operation\": \"add\",\n \"field\": \"Microsoft.Network/routeTables/routes[*]\",\n \"value\": {\n \"name\": \"default\",\n \"properties\": {\n \"addressPrefix\": \"[[parameters('addressPrefix')]\",\n \"nextHopType\": \"[[parameters('nextHopType')]\",\n \"nextHopIpAddress\": \"[[parameters('nextHopIpAddress')]\"\n }\n }\n }\n ]\n }\n }\n }\n }\n}", + "$fxv#143": "{\n \"name\": \"Deploy-Private-DNS-Generic\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy-Private-DNS-Generic\",\n \"description\": \"Configure private DNS zone group to override the DNS resolution for PaaS services private endpoint. See https://aka.ms/pepdnszones for information on values to provide to parameters in this policy.\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Networking\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \t\"AzureChinaCloud\",\n \t\t\"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"privateDnsZoneId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Private DNS Zone ID for PaaS services\",\n \"description\": \"The private DNS zone name required for specific PaaS Services to resolve a private DNS Zone.\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"assignPermissions\": true\n }\n },\n \"resourceType\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"PaaS private endpoint resource type\",\n \"description\": \"The PaaS endpoint resource type.\"\n }\n },\n \"groupId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"PaaS Private endpoint group ID (subresource)\",\n \"description\": \"The group ID of the PaaS private endpoint. Also referred to as subresource.\"\n }\n },\n \"evaluationDelay\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Evaluation Delay\",\n \"description\": \"The delay in evaluation of the policy. Review delay options at https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effect-deploy-if-not-exists\"\n },\n \"defaultValue\": \"PT10M\"\n },\n \"location\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Location (Specify the Private Endpoint location)\",\n \"description\": \"Specify the Private Endpoint location\",\n \"strongType\": \"location\"\n },\n \"defaultValue\": \"northeurope\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"location\",\n \"equals\": \"[[parameters('location')]\"\n },\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/privateEndpoints\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*]\",\n \"where\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId\",\n \"contains\": \"[[parameters('resourceType')]\"\n },\n {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"equals\": \"[[parameters('groupId')]\"\n }\n ]\n }\n },\n \"greaterOrEquals\": 1\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"evaluationDelay\": \"[[parameters('evaluationDelay')]\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"string\"\n },\n \"privateEndpointName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n }\n },\n \"resources\": [\n {\n \"name\": \"[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]\",\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"apiVersion\": \"2020-03-01\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"privateDnsZoneConfigs\": [\n {\n \"name\": \"PaaS-Service-Private-DNS-Zone-Config\",\n \"properties\": {\n \"privateDnsZoneId\": \"[[parameters('privateDnsZoneId')]\"\n }\n }\n ]\n }\n }\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('privateDnsZoneId')]\"\n },\n \"privateEndpointName\": {\n \"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#144": "{\n \"name\": \"DenyAction-DeleteResources\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Do not allow deletion of specified resource and resource type\",\n \"description\": \"This policy enables you to specify the resource and resource type that your organization can protect from accidentals deletion by blocking delete calls using the deny action effect.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"General\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Name\",\n \"description\": \"Provide the name of the resource that you want to protect from accidental deletion.\"\n }\n },\n \"resourceType\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Type\",\n \"description\": \"Provide the resource type that you want to protect from accidental deletion.\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DenyAction\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DenyAction\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"[[parameters('resourceType')]\"\n },\n {\n \"field\": \"name\",\n \"like\": \"[[parameters('resourceName')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"actionNames\": [\n \"delete\"\n ]\n }\n }\n }\n }\n}\n", + "$fxv#145": "{\n \"name\": \"Audit-MachineLearning-PrivateEndpointId\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Control private endpoint connections to Azure Machine Learning\",\n \"description\": \"Audit private endpoints that are created in other subscriptions and/or tenants for Azure Machine Learning.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateLinkServiceConnectionState.status\",\n \"equals\": \"Approved\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id\",\n \"exists\": false\n },\n {\n \"value\": \"[[split(concat(field('Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id'), '//'), '/')[2]]\",\n \"notEquals\": \"[[subscription().subscriptionId]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#146": "{\n \"name\": \"Deny-AA-child-resources\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"No child resources in Automation Account\",\n \"description\": \"This policy denies the creation of child resources on the Automation Account\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"in\": [\n \"Microsoft.Automation/automationAccounts/runbooks\",\n \"Microsoft.Automation/automationAccounts/variables\",\n \"Microsoft.Automation/automationAccounts/modules\",\n \"Microsoft.Automation/automationAccounts/credentials\",\n \"Microsoft.Automation/automationAccounts/connections\",\n \"Microsoft.Automation/automationAccounts/certificates\"\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#147": "{\n \"name\": \"Deny-Databricks-NoPublicIp\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny public IPs for Databricks cluster\",\n \"description\": \"Denies the deployment of workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Databricks\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Databricks/workspaces\"\n },\n {\n \"field\": \"Microsoft.DataBricks/workspaces/parameters.enableNoPublicIp.value\",\n \"notEquals\": true\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#148": "{\n \"name\": \"Deny-Databricks-Sku\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny non-premium Databricks sku\",\n \"description\": \"Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for Microsoft Entra ID.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Databricks\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Databricks/workspaces\"\n },\n {\n \"field\": \"Microsoft.DataBricks/workspaces/sku.name\",\n \"notEquals\": \"premium\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#149": "{\n \"name\": \"Deny-Databricks-VirtualNetwork\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny Databricks workspaces without Vnet injection\",\n \"description\": \"Enforces the use of vnet injection for Databricks workspaces.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Databricks\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Databricks/workspaces\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.DataBricks/workspaces/parameters.customVirtualNetworkId.value\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.DataBricks/workspaces/parameters.customPublicSubnetName.value\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.DataBricks/workspaces/parameters.customPrivateSubnetName.value\",\n \"exists\": false\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#15": "{\n \"name\": \"Deny-MySql-http\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"MySQL database servers enforce SSL connections.\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforMySQL/servers\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.DBforMySQL/servers/sslEnforcement\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.DBforMySQL/servers/sslEnforcement\",\n \"notEquals\": \"Enabled\"\n },\n {\n \"field\": \"Microsoft.DBforMySQL/servers/minimalTlsVersion\",\n \"less\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#150": "{\n \"name\": \"Deny-MachineLearning-Aks\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny AKS cluster creation in Azure Machine Learning\",\n \"description\": \"Deny AKS cluster creation in Azure Machine Learning and enforce connecting to existing clusters.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"equals\": \"AKS\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/resourceId\",\n \"exists\": false\n },\n {\n \"value\": \"[[empty(field('Microsoft.MachineLearningServices/workspaces/computes/resourceId'))]\",\n \"equals\": true\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#151": "{\n \"name\": \"Deny-MachineLearning-Compute-SubnetId\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances\",\n \"description\": \"Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"in\": [\n \"AmlCompute\",\n \"ComputeInstance\"\n ]\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/subnet.id\",\n \"exists\": false\n },\n {\n \"value\": \"[[empty(field('Microsoft.MachineLearningServices/workspaces/computes/subnet.id'))]\",\n \"equals\": true\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#152": "{\n \"name\": \"Deny-MachineLearning-Compute-VmSize\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances\",\n \"description\": \"Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Budget\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"allowedVmSizes\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Allowed VM Sizes for Aml Compute Clusters and Instances\",\n \"description\": \"Specifies the allowed VM Sizes for Aml Compute Clusters and Instances\"\n },\n \"defaultValue\": [\n \"Standard_D1_v2\",\n \"Standard_D2_v2\",\n \"Standard_D3_v2\",\n \"Standard_D4_v2\",\n \"Standard_D11_v2\",\n \"Standard_D12_v2\",\n \"Standard_D13_v2\",\n \"Standard_D14_v2\",\n \"Standard_DS1_v2\",\n \"Standard_DS2_v2\",\n \"Standard_DS3_v2\",\n \"Standard_DS4_v2\",\n \"Standard_DS5_v2\",\n \"Standard_DS11_v2\",\n \"Standard_DS12_v2\",\n \"Standard_DS13_v2\",\n \"Standard_DS14_v2\",\n \"Standard_M8-2ms\",\n \"Standard_M8-4ms\",\n \"Standard_M8ms\",\n \"Standard_M16-4ms\",\n \"Standard_M16-8ms\",\n \"Standard_M16ms\",\n \"Standard_M32-8ms\",\n \"Standard_M32-16ms\",\n \"Standard_M32ls\",\n \"Standard_M32ms\",\n \"Standard_M32ts\",\n \"Standard_M64-16ms\",\n \"Standard_M64-32ms\",\n \"Standard_M64ls\",\n \"Standard_M64ms\",\n \"Standard_M64s\",\n \"Standard_M128-32ms\",\n \"Standard_M128-64ms\",\n \"Standard_M128ms\",\n \"Standard_M128s\",\n \"Standard_M64\",\n \"Standard_M64m\",\n \"Standard_M128\",\n \"Standard_M128m\",\n \"Standard_D1\",\n \"Standard_D2\",\n \"Standard_D3\",\n \"Standard_D4\",\n \"Standard_D11\",\n \"Standard_D12\",\n \"Standard_D13\",\n \"Standard_D14\",\n \"Standard_DS15_v2\",\n \"Standard_NV6\",\n \"Standard_NV12\",\n \"Standard_NV24\",\n \"Standard_F2s_v2\",\n \"Standard_F4s_v2\",\n \"Standard_F8s_v2\",\n \"Standard_F16s_v2\",\n \"Standard_F32s_v2\",\n \"Standard_F64s_v2\",\n \"Standard_F72s_v2\",\n \"Standard_NC6s_v3\",\n \"Standard_NC12s_v3\",\n \"Standard_NC24rs_v3\",\n \"Standard_NC24s_v3\",\n \"Standard_NC6\",\n \"Standard_NC12\",\n \"Standard_NC24\",\n \"Standard_NC24r\",\n \"Standard_ND6s\",\n \"Standard_ND12s\",\n \"Standard_ND24rs\",\n \"Standard_ND24s\",\n \"Standard_NC6s_v2\",\n \"Standard_NC12s_v2\",\n \"Standard_NC24rs_v2\",\n \"Standard_NC24s_v2\",\n \"Standard_ND40rs_v2\",\n \"Standard_NV12s_v3\",\n \"Standard_NV24s_v3\",\n \"Standard_NV48s_v3\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"in\": [\n \"AmlCompute\",\n \"ComputeInstance\"\n ]\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/vmSize\",\n \"notIn\": \"[[parameters('allowedVmSizes')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#153": "{\n \"name\": \"Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deny public access of Azure Machine Learning clusters via SSH\",\n \"description\": \"Deny public access of Azure Machine Learning clusters via SSH.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"equals\": \"AmlCompute\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess\",\n \"notEquals\": \"Disabled\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#154": "{\n \"name\": \"Deny-MachineLearning-ComputeCluster-Scale\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Enforce scale settings for Azure Machine Learning compute clusters\",\n \"description\": \"Enforce scale settings for Azure Machine Learning compute clusters.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Budget\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"maxNodeCount\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"Maximum Node Count\",\n \"description\": \"Specifies the maximum node count of AML Clusters\"\n },\n \"defaultValue\": 10\n },\n \"minNodeCount\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"Minimum Node Count\",\n \"description\": \"Specifies the minimum node count of AML Clusters\"\n },\n \"defaultValue\": 0\n },\n \"maxNodeIdleTimeInSecondsBeforeScaleDown\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"Maximum Node Idle Time in Seconds Before Scaledown\",\n \"description\": \"Specifies the maximum node idle time in seconds before scaledown\"\n },\n \"defaultValue\": 900\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n \"equals\": \"AmlCompute\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.maxNodeCount\",\n \"greater\": \"[[parameters('maxNodeCount')]\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.minNodeCount\",\n \"greater\": \"[[parameters('minNodeCount')]\"\n },\n {\n \"value\": \"[[int(last(split(replace(replace(replace(replace(replace(replace(replace(field('Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.nodeIdleTimeBeforeScaleDown'), 'P', '/'), 'Y', '/'), 'M', '/'), 'D', '/'), 'T', '/'), 'H', '/'), 'S', ''), '/')))]\",\n \"greater\": \"[[parameters('maxNodeIdleTimeInSecondsBeforeScaleDown')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#155": "{\n \"name\": \"Deny-MachineLearning-HbiWorkspace\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Enforces high business impact Azure Machine Learning Workspaces\",\n \"description\": \"Enforces high business impact Azure Machine Learning workspaces.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/hbiWorkspace\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/hbiWorkspace\",\n \"notEquals\": true\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#156": "{\n \"name\": \"Deny-MachineLearning-PublicAccessWhenBehindVnet\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny public access behind vnet to Azure Machine Learning workspace\",\n \"description\": \"Deny public access behind vnet to Azure Machine Learning workspaces.\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet\",\n \"exists\": false\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet\",\n \"notEquals\": false\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#157": "{\n \"name\": \"Deny-MachineLearning-PublicNetworkAccess\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated] Azure Machine Learning should have disabled public network access\",\n \"description\": \"Denies public network access for Azure Machine Learning workspaces. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/438c38d2-3772-465a-a9cc-7a6666a275ce.html\",\n \"metadata\": {\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"438c38d2-3772-465a-a9cc-7a6666a275ce\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n },\n {\n \"field\": \"Microsoft.MachineLearningServices/workspaces/publicNetworkAccess\",\n \"notEquals\": \"Disabled\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#158": "{\n \"name\": \"Deploy-Budget\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n \"description\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Budget\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"budgetName\": {\n \"type\": \"String\",\n \"defaultValue\": \"budget-set-by-policy\",\n \"metadata\": {\n \"description\": \"The name for the budget to be created\"\n }\n },\n \"amount\": {\n \"type\": \"String\",\n \"defaultValue\": \"1000\",\n \"metadata\": {\n \"description\": \"The total amount of cost or usage to track with the budget\"\n }\n },\n \"timeGrain\": {\n \"type\": \"String\",\n \"defaultValue\": \"Monthly\",\n \"allowedValues\": [\n \"Monthly\",\n \"Quarterly\",\n \"Annually\",\n \"BillingMonth\",\n \"BillingQuarter\",\n \"BillingAnnual\"\n ],\n \"metadata\": {\n \"description\": \"The time covered by a budget. Tracking of the amount will be reset based on the time grain.\"\n }\n },\n \"firstThreshold\": {\n \"type\": \"String\",\n \"defaultValue\": \"90\",\n \"metadata\": {\n \"description\": \"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n }\n },\n \"secondThreshold\": {\n \"type\": \"String\",\n \"defaultValue\": \"100\",\n \"metadata\": {\n \"description\": \"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n }\n },\n \"contactRoles\": {\n \"type\": \"Array\",\n \"defaultValue\": [\n \"Owner\",\n \"Contributor\"\n ],\n \"metadata\": {\n \"description\": \"The list of contact RBAC roles, in an array, to send the budget notification to when the threshold is exceeded.\"\n }\n },\n \"contactEmails\": {\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"description\": \"The list of email addresses, in an array, to send the budget notification to when the threshold is exceeded.\"\n }\n },\n \"contactGroups\": {\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"description\": \"The list of action groups, in an array, to send the budget notification to when the threshold is exceeded. It accepts array of strings.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Resources/subscriptions\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Consumption/budgets\",\n \"deploymentScope\": \"subscription\",\n \"existenceScope\": \"subscription\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Consumption/budgets/amount\",\n \"equals\": \"[[parameters('amount')]\"\n },\n {\n \"field\": \"Microsoft.Consumption/budgets/timeGrain\",\n \"equals\": \"[[parameters('timeGrain')]\"\n },\n {\n \"field\": \"Microsoft.Consumption/budgets/category\",\n \"equals\": \"Cost\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n ],\n \"deployment\": {\n \"location\": \"northeurope\",\n \"properties\": {\n \"mode\": \"Incremental\",\n \"parameters\": {\n \"budgetName\": {\n \"value\": \"[[parameters('budgetName')]\"\n },\n \"amount\": {\n \"value\": \"[[parameters('amount')]\"\n },\n \"timeGrain\": {\n \"value\": \"[[parameters('timeGrain')]\"\n },\n \"firstThreshold\": {\n \"value\": \"[[parameters('firstThreshold')]\"\n },\n \"secondThreshold\": {\n \"value\": \"[[parameters('secondThreshold')]\"\n },\n \"contactEmails\": {\n \"value\": \"[[parameters('contactEmails')]\"\n },\n \"contactRoles\": {\n \"value\": \"[[parameters('contactRoles')]\"\n },\n \"contactGroups\": {\n \"value\": \"[[parameters('contactGroups')]\"\n }\n },\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"budgetName\": {\n \"type\": \"String\"\n },\n \"amount\": {\n \"type\": \"String\"\n },\n \"timeGrain\": {\n \"type\": \"String\"\n },\n \"firstThreshold\": {\n \"type\": \"String\"\n },\n \"secondThreshold\": {\n \"type\": \"String\"\n },\n \"contactEmails\": {\n \"type\": \"Array\"\n },\n \"contactRoles\": {\n \"type\": \"Array\"\n },\n \"contactGroups\": {\n \"type\": \"Array\"\n },\n \"startDate\": {\n \"type\": \"String\",\n \"defaultValue\": \"[[concat(utcNow('MM'), '/01/', utcNow('yyyy'))]\"\n }\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Consumption/budgets\",\n \"apiVersion\": \"2019-10-01\",\n \"name\": \"[[parameters('budgetName')]\",\n \"properties\": {\n \"timePeriod\": {\n \"startDate\": \"[[parameters('startDate')]\"\n },\n \"timeGrain\": \"[[parameters('timeGrain')]\",\n \"amount\": \"[[parameters('amount')]\",\n \"category\": \"Cost\",\n \"notifications\": {\n \"NotificationForExceededBudget1\": {\n \"enabled\": true,\n \"operator\": \"GreaterThan\",\n \"threshold\": \"[[parameters('firstThreshold')]\",\n \"contactEmails\": \"[[parameters('contactEmails')]\",\n \"contactRoles\": \"[[parameters('contactRoles')]\",\n \"contactGroups\": \"[[parameters('contactGroups')]\"\n },\n \"NotificationForExceededBudget2\": {\n \"enabled\": true,\n \"operator\": \"GreaterThan\",\n \"threshold\": \"[[parameters('secondThreshold')]\",\n \"contactEmails\": \"[[parameters('contactEmails')]\",\n \"contactRoles\": \"[[parameters('contactRoles')]\",\n \"contactGroups\": \"[[parameters('contactGroups')]\"\n }\n }\n }\n }\n ]\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#159": "{\n \"name\": \"Deploy-Diagnostics-AVDScalingPlans\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any Scaling Plan which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DesktopVirtualization/scalingplans\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.DesktopVirtualization/scalingplans/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"logs\": [\n {\n \"category\": \"Autoscale\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#16": "{\n \"name\": \"Deny-PostgreSql-http\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"PostgreSQL database servers enforce SSL connection.\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Select version minimum TLS for PostgreSQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for PostgreSQL server to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforPostgreSQL/servers\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/sslEnforcement\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/sslEnforcement\",\n \"notEquals\": \"Enabled\"\n },\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/minimalTlsVersion\",\n \"notequals\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#160": "{\n \"name\": \"Deny-AFSPaasPublicIP\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Public network access should be disabled for Azure File Sync\",\n \"description\": \"Disabling the public endpoint allows you to restrict access to your Storage Sync Service resource to requests destined to approved private endpoints on your organization's network. There is nothing inherently insecure about allowing requests to the public endpoint, however, you may wish to disable it to meet regulatory, legal, or organizational policy requirements. You can disable the public endpoint for a Storage Sync Service by setting the incomingTrafficPolicy of the resource to AllowVirtualNetworksOnly.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.StorageSync/storageSyncServices\"\n },\n {\n \"field\": \"Microsoft.StorageSync/storageSyncServices/incomingTrafficPolicy\",\n \"notEquals\": \"AllowVirtualNetworksOnly\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#161": "{\n \"name\": \"Deny-KeyVaultPaasPublicIP\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Preview: Azure Key Vault should disable public network access\",\n \"description\": \"Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/akvprivatelink.\",\n \"metadata\": {\n \"version\": \"2.0.0-preview\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"preview\": true,\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.KeyVault/vaults\"\n },\n {\n \"not\": {\n \"field\": \"Microsoft.KeyVault/vaults/createMode\",\n \"equals\": \"recover\"\n }\n },\n {\n \"field\": \"Microsoft.KeyVault/vaults/networkAcls.defaultAction\",\n \"notEquals\": \"Deny\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#162": "{\n \"name\": \"Deploy-ActivityLogs-to-LA-workspace\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Configure Azure Activity logs to stream to specified Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Activity to stream subscriptions audit logs to a Log Analytics workspace to monitor subscription-level events\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\",\n \"assignPermissions\": true\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n },\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"defaultValue\": \"True\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Resources/subscriptions\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"deploymentScope\": \"subscription\",\n \"existenceScope\": \"subscription\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"deployment\": {\n \"location\": \"chinaeast2\",\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"string\"\n },\n \"logsEnabled\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"name\": \"subscriptionToLa\",\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"location\": \"Global\",\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"logs\": [\n {\n \"category\": \"Administrative\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Security\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"ServiceHealth\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Alert\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Recommendation\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Policy\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Autoscale\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"ResourceHealth\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ]\n }\n }\n }\n }\n}\n", + "$fxv#163": "{\n \"name\": \"Deploy-Default-Udr\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy a user-defined route to a VNET with specific routes.\",\n \"description\": \"Deploy a user-defined route to a VNET with routes from spoke to hub firewall. This policy must be assigned for each region you plan to use.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"defaultRoute\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Default route to add into UDR\",\n \"description\": \"Policy will deploy a default route table to a vnet\"\n }\n },\n \"vnetRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"VNet Region\",\n \"description\": \"Regional VNet hub location\",\n \"strongType\": \"location\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworks\"\n },\n {\n \"field\": \"location\",\n \"equals\": \"[[parameters('vnetRegion')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/routeTables\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/routeTables/routes[*].nextHopIpAddress\",\n \"equals\": \"[[parameters('defaultRoute')]\"\n }\n ]\n },\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"parameters\": {\n \"udrName\": {\n \"value\": \"[[concat(field('name'),'-udr')]\"\n },\n \"udrLocation\": {\n \"value\": \"[[field('location')]\"\n },\n \"defaultRoute\": {\n \"value\": \"[[parameters('defaultRoute')]\"\n }\n },\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"udrName\": {\n \"type\": \"string\"\n },\n \"udrLocation\": {\n \"type\": \"string\"\n },\n \"defaultRoute\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/routeTables\",\n \"name\": \"[[parameters('udrName')]\",\n \"apiVersion\": \"2020-08-01\",\n \"location\": \"[[parameters('udrLocation')]\",\n \"properties\": {\n \"routes\": [\n {\n \"name\": \"AzureFirewallRoute\",\n \"properties\": {\n \"addressPrefix\": \"0.0.0.0/0\",\n \"nextHopType\": \"VirtualAppliance\",\n \"nextHopIpAddress\": \"[[parameters('defaultRoute')]\"\n }\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#164": "{\n \"name\": \"Deploy-MySQLCMKEffect\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"MySQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\",\n \"metadata\": {\n \"version\": \"1.0.4\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"AuditIfNotExists\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforMySQL/servers\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.DBforMySQL/servers/keys\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.DBforMySQL/servers/keys/serverKeyType\",\n \"equals\": \"AzureKeyVault\"\n },\n {\n \"field\": \"Microsoft.DBforMySQL/servers/keys/uri\",\n \"notEquals\": \"\"\n },\n {\n \"field\": \"Microsoft.DBforMySQL/servers/keys/uri\",\n \"exists\": \"true\"\n }\n ]\n }\n }\n }\n }\n }\n}\n", + "$fxv#165": "{\n \"name\": \"Deploy-PostgreSQLCMKEffect\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"PostgreSQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\",\n \"metadata\": {\n \"version\": \"1.0.4\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"AuditIfNotExists\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforPostgreSQL/servers\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.DBforPostgreSQL/servers/keys\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/keys/serverKeyType\",\n \"equals\": \"AzureKeyVault\"\n },\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/keys/uri\",\n \"notEquals\": \"\"\n },\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/keys/uri\",\n \"exists\": \"true\"\n }\n ]\n }\n }\n }\n }\n }\n}\n", + "$fxv#166": "{\n \"name\": \"Deploy-Private-DNS-Azure-File-Sync\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Configure Azure File Sync to use private DNS zones\",\n \"description\": \"To access the private endpoint(s) for Storage Sync Service resource interfaces from a registered server, you need to configure your DNS to resolve the correct names to your private endpoint's private IP addresses. This policy creates the requisite Azure Private DNS Zone and A records for the interfaces of your Storage Sync Service private endpoint(s).\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"privateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/privateEndpoints\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"where\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"equals\": \"afs\"\n }\n },\n \"greaterOrEquals\": 1\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f\",\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"string\"\n },\n \"privateEndpointName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n }\n },\n \"resources\": [\n {\n \"name\": \"[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]\",\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"apiVersion\": \"2020-03-01\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"privateDnsZoneConfigs\": [\n {\n \"name\": \"privatelink-afs\",\n \"properties\": {\n \"privateDnsZoneId\": \"[[parameters('privateDnsZoneId')]\"\n }\n }\n ]\n }\n }\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('privateDnsZoneId')]\"\n },\n \"privateEndpointName\": {\n \"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#167": "{\n \"name\": \"Deploy-Private-DNS-Azure-KeyVault\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Preview: Configure Azure Key Vaults to use private DNS zones\",\n \"description\": \"Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to key vault. Learn more at: https://aka.ms/akvprivatelink.\",\n \"metadata\": {\n \"version\": \"1.0.0-preview\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"preview\": true,\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Private DNS Zone ID\",\n \"description\": \"A private DNS zone ID to connect to the private endpoint.\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"assignPermissions\": true\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/privateEndpoints\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"where\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"equals\": \"vault\"\n }\n },\n \"greaterOrEquals\": 1\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"string\"\n },\n \"privateEndpointName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n }\n },\n \"resources\": [\n {\n \"name\": \"[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]\",\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"apiVersion\": \"2020-03-01\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"privateDnsZoneConfigs\": [\n {\n \"name\": \"keyvault-privateDnsZone\",\n \"properties\": {\n \"privateDnsZoneId\": \"[[parameters('privateDnsZoneId')]\"\n }\n }\n ]\n }\n }\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('privateDnsZoneId')]\"\n },\n \"privateEndpointName\": {\n \"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#168": "{\n \"name\": \"Deploy-Private-DNS-Azure-Web\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Configure Azure Web PubSub Service to use private DNS zones\",\n \"description\": \"Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Web PubSub service. Learn more at: https://aka.ms/awps/privatelink.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Web PubSub\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Private DNS Zone Id\",\n \"description\": \"Private DNS zone to integrate with private endpoint.\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/privateEndpoints\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"where\": {\n \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n \"equals\": \"webpubsub\"\n }\n },\n \"greaterOrEquals\": 1\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"type\": \"string\"\n },\n \"privateEndpointName\": {\n \"type\": \"string\"\n },\n \"location\": {\n \"type\": \"string\"\n }\n },\n \"resources\": [\n {\n \"name\": \"[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]\",\n \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n \"apiVersion\": \"2020-03-01\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"privateDnsZoneConfigs\": [\n {\n \"name\": \"privatelink-webpubsub-azure-com\",\n \"properties\": {\n \"privateDnsZoneId\": \"[[parameters('privateDnsZoneId')]\"\n }\n }\n ]\n }\n }\n ]\n },\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('privateDnsZoneId')]\"\n },\n \"privateEndpointName\": {\n \"value\": \"[[field('name')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#169": "{\n \"name\": \"Deny-AA-child-resources\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"No child resources in Automation Account\",\n \"description\": \"This policy denies the creation of child resources on the Automation Account\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"in\": [\n \"Microsoft.Automation/automationAccounts/runbooks\",\n \"Microsoft.Automation/automationAccounts/variables\",\n \"Microsoft.Automation/automationAccounts/modules\",\n \"Microsoft.Automation/automationAccounts/credentials\",\n \"Microsoft.Automation/automationAccounts/connections\",\n \"Microsoft.Automation/automationAccounts/certificates\"\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#17": "{\n \"name\": \"Deny-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deny the creation of private DNS\",\n \"description\": \"This policy denies the creation of a private DNS in the current scope, used in combination with policies that create centralized private DNS in connectivity subscription\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/privateDnsZones\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#170": "{\n \"name\": \"Deploy-Budget\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n \"description\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Budget\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"budgetName\": {\n \"type\": \"String\",\n \"defaultValue\": \"budget-set-by-policy\",\n \"metadata\": {\n \"description\": \"The name for the budget to be created\"\n }\n },\n \"amount\": {\n \"type\": \"String\",\n \"defaultValue\": \"1000\",\n \"metadata\": {\n \"description\": \"The total amount of cost or usage to track with the budget\"\n }\n },\n \"timeGrain\": {\n \"type\": \"String\",\n \"defaultValue\": \"Monthly\",\n \"allowedValues\": [\n \"Monthly\",\n \"Quarterly\",\n \"Annually\",\n \"BillingMonth\",\n \"BillingQuarter\",\n \"BillingAnnual\"\n ],\n \"metadata\": {\n \"description\": \"The time covered by a budget. Tracking of the amount will be reset based on the time grain.\"\n }\n },\n \"firstThreshold\": {\n \"type\": \"String\",\n \"defaultValue\": \"90\",\n \"metadata\": {\n \"description\": \"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n }\n },\n \"secondThreshold\": {\n \"type\": \"String\",\n \"defaultValue\": \"100\",\n \"metadata\": {\n \"description\": \"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n }\n },\n \"contactRoles\": {\n \"type\": \"Array\",\n \"defaultValue\": [\n \"Owner\",\n \"Contributor\"\n ],\n \"metadata\": {\n \"description\": \"The list of contact RBAC roles, in an array, to send the budget notification to when the threshold is exceeded.\"\n }\n },\n \"contactEmails\": {\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"description\": \"The list of email addresses, in an array, to send the budget notification to when the threshold is exceeded.\"\n }\n },\n \"contactGroups\": {\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"description\": \"The list of action groups, in an array, to send the budget notification to when the threshold is exceeded. It accepts array of strings.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Resources/subscriptions\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Consumption/budgets\",\n \"deploymentScope\": \"subscription\",\n \"existenceScope\": \"subscription\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Consumption/budgets/amount\",\n \"equals\": \"[[parameters('amount')]\"\n },\n {\n \"field\": \"Microsoft.Consumption/budgets/timeGrain\",\n \"equals\": \"[[parameters('timeGrain')]\"\n },\n {\n \"field\": \"Microsoft.Consumption/budgets/category\",\n \"equals\": \"Cost\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n ],\n \"deployment\": {\n \"location\": \"northeurope\",\n \"properties\": {\n \"mode\": \"Incremental\",\n \"parameters\": {\n \"budgetName\": {\n \"value\": \"[[parameters('budgetName')]\"\n },\n \"amount\": {\n \"value\": \"[[parameters('amount')]\"\n },\n \"timeGrain\": {\n \"value\": \"[[parameters('timeGrain')]\"\n },\n \"firstThreshold\": {\n \"value\": \"[[parameters('firstThreshold')]\"\n },\n \"secondThreshold\": {\n \"value\": \"[[parameters('secondThreshold')]\"\n },\n \"contactEmails\": {\n \"value\": \"[[parameters('contactEmails')]\"\n },\n \"contactRoles\": {\n \"value\": \"[[parameters('contactRoles')]\"\n },\n \"contactGroups\": {\n \"value\": \"[[parameters('contactGroups')]\"\n }\n },\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"budgetName\": {\n \"type\": \"String\"\n },\n \"amount\": {\n \"type\": \"String\"\n },\n \"timeGrain\": {\n \"type\": \"String\"\n },\n \"firstThreshold\": {\n \"type\": \"String\"\n },\n \"secondThreshold\": {\n \"type\": \"String\"\n },\n \"contactEmails\": {\n \"type\": \"Array\"\n },\n \"contactRoles\": {\n \"type\": \"Array\"\n },\n \"contactGroups\": {\n \"type\": \"Array\"\n },\n \"startDate\": {\n \"type\": \"String\",\n \"defaultValue\": \"[[concat(utcNow('MM'), '/01/', utcNow('yyyy'))]\"\n }\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Consumption/budgets\",\n \"apiVersion\": \"2019-10-01\",\n \"name\": \"[[parameters('budgetName')]\",\n \"properties\": {\n \"timePeriod\": {\n \"startDate\": \"[[parameters('startDate')]\"\n },\n \"timeGrain\": \"[[parameters('timeGrain')]\",\n \"amount\": \"[[parameters('amount')]\",\n \"category\": \"Cost\",\n \"notifications\": {\n \"NotificationForExceededBudget1\": {\n \"enabled\": true,\n \"operator\": \"GreaterThan\",\n \"threshold\": \"[[parameters('firstThreshold')]\",\n \"contactEmails\": \"[[parameters('contactEmails')]\",\n \"contactRoles\": \"[[parameters('contactRoles')]\",\n \"contactGroups\": \"[[parameters('contactGroups')]\"\n },\n \"NotificationForExceededBudget2\": {\n \"enabled\": true,\n \"operator\": \"GreaterThan\",\n \"threshold\": \"[[parameters('secondThreshold')]\",\n \"contactEmails\": \"[[parameters('contactEmails')]\",\n \"contactRoles\": \"[[parameters('contactRoles')]\",\n \"contactGroups\": \"[[parameters('contactGroups')]\"\n }\n }\n }\n }\n ]\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#171": "{\n \"name\": \"Deploy-Default-Udr\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy a user-defined route to a VNET with specific routes.\",\n \"description\": \"Deploy a user-defined route to a VNET with routes from spoke to hub firewall. This policy must be assigned for each region you plan to use.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"defaultRoute\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Default route to add into UDR\",\n \"description\": \"Policy will deploy a default route table to a vnet\"\n }\n },\n \"vnetRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"VNet Region\",\n \"description\": \"Regional VNet hub location\",\n \"strongType\": \"location\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworks\"\n },\n {\n \"field\": \"location\",\n \"equals\": \"[[parameters('vnetRegion')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/routeTables\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/routeTables/routes[*].nextHopIpAddress\",\n \"equals\": \"[[parameters('defaultRoute')]\"\n }\n ]\n },\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"parameters\": {\n \"udrName\": {\n \"value\": \"[[concat(field('name'),'-udr')]\"\n },\n \"udrLocation\": {\n \"value\": \"[[field('location')]\"\n },\n \"defaultRoute\": {\n \"value\": \"[[parameters('defaultRoute')]\"\n }\n },\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"udrName\": {\n \"type\": \"string\"\n },\n \"udrLocation\": {\n \"type\": \"string\"\n },\n \"defaultRoute\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/routeTables\",\n \"name\": \"[[parameters('udrName')]\",\n \"apiVersion\": \"2020-08-01\",\n \"location\": \"[[parameters('udrLocation')]\",\n \"properties\": {\n \"routes\": [\n {\n \"name\": \"AzureFirewallRoute\",\n \"properties\": {\n \"addressPrefix\": \"0.0.0.0/0\",\n \"nextHopType\": \"VirtualAppliance\",\n \"nextHopIpAddress\": \"[[parameters('defaultRoute')]\"\n }\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#18": "{\n \"name\": \"Deny-PublicEndpoint-MariaDB\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated] Public network access should be disabled for MariaDB\",\n \"description\": \"This policy denies the creation of Maria DB accounts with exposed public endpoints. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/fdccbe47-f3e3-4213-ad5d-ea459b2fa077.html\",\n \"metadata\": {\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforMariaDB/servers\"\n },\n {\n \"field\": \"Microsoft.DBforMariaDB/servers/publicNetworkAccess\",\n \"notequals\": \"Disabled\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#19": "{\n \"name\": \"Deny-PublicIP\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated] Deny the creation of public IP\",\n \"description\": \"[Deprecated] This policy denies creation of Public IPs under the assigned scope. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/6c112d4e-5bc7-47ae-a041-ea2d9dccd749.html using appropriate assignment parameters.\",\n \"metadata\": {\n \"deprecated\": true,\n \"supersededBy\": \"6c112d4e-5bc7-47ae-a041-ea2d9dccd749\",\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/publicIPAddresses\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", "$fxv#2": "{\n \"name\": \"Append-KV-SoftDelete\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"KeyVault SoftDelete should be enabled\",\n \"description\": \"This policy enables you to ensure when a Key Vault is created with out soft delete enabled it will be added.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {},\n \"policyRule\": {\n \"if\": {\n \"anyOf\": [\n {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.KeyVault/vaults\"\n },\n {\n \"field\": \"Microsoft.KeyVault/vaults/enableSoftDelete\",\n \"notEquals\": true\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"append\",\n \"details\": [\n {\n \"field\": \"Microsoft.KeyVault/vaults/enableSoftDelete\",\n \"value\": true\n }\n ]\n }\n }\n }\n}\n", - "$fxv#20": "{\n \"name\": \"Deny-Redis-http\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Azure Cache for Redis only secure connections should be enabled\",\n \"description\": \"Audit enabling of only connections via SSL to Azure Cache for Redis. Validate both minimum TLS version and enableNonSslPort is disabled. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Cache\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"The effect determines what happens when the policy rule is evaluated to match\"\n }\n },\n \"minimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.1\",\n \"1.0\"\n ],\n \"metadata\": {\n \"displayName\": \"Select minimum TLS version for Azure Cache for Redis.\",\n \"description\": \"Select minimum TLS version for Azure Cache for Redis.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Cache/redis\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Cache/Redis/enableNonSslPort\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Cache/Redis/minimumTlsVersion\",\n \"less\": \"[[parameters('minimumTlsVersion')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#21": "{\n \"name\": \"Deny-Sql-minTLS\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Azure SQL Database should have the minimal TLS version set to the highest version\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not reccomended since they have well documented security vunerabilities.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.1\",\n \"1.0\"\n ],\n \"metadata\": {\n \"displayName\": \"Select version for SQL server\",\n \"description\": \"Select version minimum TLS version SQL servers to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Sql/servers\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Sql/servers/minimalTlsVersion\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Sql/servers/minimalTlsVersion\",\n \"less\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#22": "{\n \"name\": \"Deny-SqlMi-minTLS\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version set to the highest version\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.1\",\n \"1.0\"\n ],\n \"metadata\": {\n \"displayName\": \"Select version for SQL server\",\n \"description\": \"Select version minimum TLS version SQL servers to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Sql/managedInstances\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Sql/managedInstances/minimalTlsVersion\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Sql/managedInstances/minimalTlsVersion\",\n \"less\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#23": "{\n \"name\": \"Deny-Storage-minTLS\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"[Deprecated] Storage Account set to minimum TLS and Secure transfer should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. This policy is superseded by https://www.azadvertizer.net/azpolicyadvertizer/fe83a0eb-a853-422d-aac2-1bffd182c5d0.html and https://www.azadvertizer.net/azpolicyadvertizer/404c3081-a854-4457-ae30-26a93ef643f9.html\",\n \"metadata\": {\n \"deprecated\": true,\n \"supersededBy\": \"fe83a0eb-a853-422d-aac2-1bffd182c5d0,404c3081-a854-4457-ae30-26a93ef643f9\",\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"The effect determines what happens when the policy rule is evaluated to match\"\n }\n },\n \"minimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts\"\n },\n {\n \"anyOf\": [\n {\n \"allOf\": [\n {\n \"value\": \"[[requestContext().apiVersion]\",\n \"less\": \"2019-04-01\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly\",\n \"exists\": \"false\"\n }\n ]\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly\",\n \"equals\": \"false\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/minimumTlsVersion\",\n \"notequals\": \"[[parameters('minimumTlsVersion')]\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/minimumTlsVersion\",\n \"exists\": \"false\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#24": "{\n \"name\": \"Deny-Storage-SFTP\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Storage Accounts with SFTP enabled should be denied\",\n \"description\": \"This policy denies the creation of Storage Accounts with SFTP enabled for Blob Storage.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"The effect determines what happens when the policy rule is evaluated to match\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/isSftpEnabled\",\n \"equals\": \"true\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#25": "{\n \"name\": \"Deny-Subnet-Without-Nsg\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Subnets should have a Network Security Group\",\n \"description\": \"This policy denies the creation of a subnet without a Network Security Group. NSG help to protect traffic across subnet-level.\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"excludedSubnets\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Excluded Subnets\",\n \"description\": \"Array of subnet names that are excluded from this policy\"\n },\n \"defaultValue\": [\n \"GatewaySubnet\",\n \"AzureFirewallSubnet\",\n \"AzureFirewallManagementSubnet\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"anyOf\": [\n {\n \"allOf\": [\n {\n \"equals\": \"Microsoft.Network/virtualNetworks\",\n \"field\": \"type\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/virtualNetworks/subnets[*]\",\n \"where\": {\n \"allOf\": [\n {\n \"exists\": \"false\",\n \"field\": \"Microsoft.Network/virtualNetworks/subnets[*].networkSecurityGroup.id\"\n },\n {\n \"field\": \"Microsoft.Network/virtualNetworks/subnets[*].name\",\n \"notIn\": \"[[parameters('excludedSubnets')]\"\n }\n ]\n }\n },\n \"notEquals\": 0\n }\n ]\n },\n {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworks/subnets\"\n },\n {\n \"field\": \"name\",\n \"notIn\": \"[[parameters('excludedSubnets')]\"\n },\n {\n \"field\": \"Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id\",\n \"exists\": \"false\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#26": "{\n \"name\": \"Deny-Subnet-Without-Penp\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Subnets without Private Endpoint Network Policies enabled should be denied\",\n \"description\": \"This policy denies the creation of a subnet without Private Endpoint Netwotk Policies enabled. This policy is intended for 'workload' subnets, not 'central infrastructure' (aka, 'hub') subnets.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"The effect determines what happens when the policy rule is evaluated to match\"\n }\n },\n \"excludedSubnets\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Excluded Subnets\",\n \"description\": \"Array of subnet names that are excluded from this policy\"\n },\n \"defaultValue\": [\n \"GatewaySubnet\",\n \"AzureFirewallSubnet\",\n \"AzureFirewallManagementSubnet\",\n \"AzureBastionSubnet\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"anyOf\": [\n {\n \"allOf\": [\n {\n \"equals\": \"Microsoft.Network/virtualNetworks\",\n \"field\": \"type\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/virtualNetworks/subnets[*]\",\n \"where\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/virtualNetworks/subnets[*].privateEndpointNetworkPolicies\",\n \"notEquals\": \"Enabled\"\n },\n {\n \"field\": \"Microsoft.Network/virtualNetworks/subnets[*].name\",\n \"notIn\": \"[[parameters('excludedSubnets')]\"\n }\n ]\n }\n },\n \"notEquals\": 0\n }\n ]\n },\n {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworks/subnets\"\n },\n {\n \"field\": \"name\",\n \"notIn\": \"[[parameters('excludedSubnets')]\"\n },\n {\n \"field\": \"Microsoft.Network/virtualNetworks/subnets/privateEndpointNetworkPolicies\",\n \"notEquals\": \"Enabled\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#27": "{\n \"name\": \"Deny-Subnet-Without-Udr\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Subnets should have a User Defined Route\",\n \"description\": \"This policy denies the creation of a subnet without a User Defined Route (UDR).\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"excludedSubnets\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Excluded Subnets\",\n \"description\": \"Array of subnet names that are excluded from this policy\"\n },\n \"defaultValue\": [\n \"AzureBastionSubnet\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"anyOf\": [\n {\n \"allOf\": [\n {\n \"equals\": \"Microsoft.Network/virtualNetworks\",\n \"field\": \"type\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/virtualNetworks/subnets[*]\",\n \"where\": {\n \"allOf\": [\n {\n \"exists\": \"false\",\n \"field\": \"Microsoft.Network/virtualNetworks/subnets[*].routeTable.id\"\n },\n {\n \"field\": \"Microsoft.Network/virtualNetworks/subnets[*].name\",\n \"notIn\": \"[[parameters('excludedSubnets')]\"\n }\n ]\n }\n },\n \"notEquals\": 0\n }\n ]\n },\n {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworks/subnets\"\n },\n {\n \"field\": \"name\",\n \"notIn\": \"[[parameters('excludedSubnets')]\"\n },\n {\n \"field\": \"Microsoft.Network/virtualNetworks/subnets/routeTable.id\",\n \"exists\": \"false\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#28": "{\n \"name\": \"Deny-UDR-With-Specific-NextHop\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"User Defined Routes with 'Next Hop Type' set to 'Internet' or 'VirtualNetworkGateway' should be denied\",\n \"description\": \"This policy denies the creation of a User Defined Route with 'Next Hop Type' set to 'Internet' or 'VirtualNetworkGateway'.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"The effect determines what happens when the policy rule is evaluated to match\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"excludedDestinations\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Excluded Destinations\",\n \"description\": \"Array of route destinations that are to be denied\"\n },\n \"defaultValue\": [\n \"Internet\", \n \"VirtualNetworkGateway\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"anyOf\": [\n {\n \"allOf\": [\n {\n \"equals\": \"Microsoft.Network/routeTables\",\n \"field\": \"type\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/routeTables/routes[*]\",\n \"where\": {\n \"field\": \"Microsoft.Network/routeTables/routes[*].nextHopType\",\n \"in\": \"[[parameters('excludedDestinations')]\"\n }\n },\n \"notEquals\": 0\n }\n ]\n },\n {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/routeTables/routes\"\n },\n {\n \"field\": \"Microsoft.Network/routeTables/routes/nextHopType\",\n \"in\": \"[[parameters('excludedDestinations')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#29": "{\n \"name\": \"Deny-VNET-Peer-Cross-Sub\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deny vNet peering cross subscription.\",\n \"description\": \"This policy denies the creation of vNet Peerings outside of the same subscriptions under the assigned scope.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"allowedVnets\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Allowed vNets to peer with\",\n \"description\": \"Array of allowed vNets that can be peered with. Must be entered using their resource ID. Example: /subscriptions/{subId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}\"\n },\n \"defaultValue\": []\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworks/virtualNetworkPeerings\"\n },\n {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id\",\n \"notIn\": \"[[parameters('allowedVnets')]\"\n },\n {\n \"field\": \"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id\",\n \"notLike\": \"[[concat(subscription().id, '/*')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#20": "{\n \"name\": \"Deny-RDP-From-Internet\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"[Deprecated] RDP access from the Internet should be blocked\",\n \"description\": \"This policy denies any network security rule that allows RDP access from Internet. This policy is superseded by https://www.azadvertizer.net/azpolicyadvertizer/Deny-MgmtPorts-From-Internet.html\",\n \"metadata\": {\n \"deprecated\": true,\n \"supersededBy\": \"Deny-MgmtPorts-From-Internet\",\n \"version\": \"1.0.1-deprecated\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/networkSecurityGroups/securityRules\"\n },\n {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/access\",\n \"equals\": \"Allow\"\n },\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/direction\",\n \"equals\": \"Inbound\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange\",\n \"equals\": \"*\"\n },\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange\",\n \"equals\": \"3389\"\n },\n {\n \"value\": \"[[if(and(not(empty(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'))), contains(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'),'-')), and(lessOrEquals(int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),3389),greaterOrEquals(int(last(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),3389)), 'false')]\",\n \"equals\": \"true\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\n \"where\": {\n \"value\": \"[[if(and(not(empty(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')))), contains(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')),'-')), and(lessOrEquals(int(first(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),3389),greaterOrEquals(int(last(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),3389)) , 'false')]\",\n \"equals\": \"true\"\n }\n },\n \"greater\": 0\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\n \"notEquals\": \"*\"\n }\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\n \"notEquals\": \"3389\"\n }\n }\n ]\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix\",\n \"equals\": \"*\"\n },\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix\",\n \"equals\": \"Internet\"\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]\",\n \"notEquals\": \"*\"\n }\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]\",\n \"notEquals\": \"Internet\"\n }\n }\n ]\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#21": "{\n \"name\": \"Deny-MgmtPorts-From-Internet\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Management port access from the Internet should be blocked\",\n \"description\": \"This policy denies any network security rule that allows management port access from the Internet, by default blocking SSH/RDP ports.\",\n \"metadata\": {\n \"version\": \"2.1.1\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Deny-RDP-From-Internet\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ports\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Ports\",\n \"description\": \"Ports to be blocked\"\n },\n \"defaultValue\": [\n \"22\",\n \"3389\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"anyOf\": [\n {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/networkSecurityGroups/securityRules\"\n },\n {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/access\",\n \"equals\": \"Allow\"\n },\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/direction\",\n \"equals\": \"Inbound\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange\",\n \"equals\": \"*\"\n },\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange\",\n \"in\": \"[[parameters('ports')]\"\n },\n {\n \"count\": {\n \"value\": \"[[parameters('ports')]\",\n \"where\": {\n \"value\": \"[[if(and(not(empty(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'))), contains(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'),'-')), and(lessOrEquals(int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),int(current())),greaterOrEquals(int(last(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),int(current()))), 'false')]\",\n \"equals\": \"true\"\n }\n },\n \"greater\": 0\n },\n {\n \"count\": {\n \"value\": \"[[parameters('ports')]\",\n \"name\": \"ports\",\n \"where\": {\n \"count\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\n \"where\": {\n \"value\": \"[[if(and(not(empty(current('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'))), contains(current('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'),'-')), and(lessOrEquals(int(first(split(current('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'), '-'))),int(current('ports'))),greaterOrEquals(int(last(split(current('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'), '-'))),int(current('ports')))) , 'false')]\",\n \"equals\": \"true\"\n }\n },\n \"greater\": 0\n }\n },\n \"greater\": 0\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\n \"notEquals\": \"*\"\n }\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\n \"notIn\": \"[[parameters('ports')]\"\n }\n }\n ]\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix\",\n \"equals\": \"*\"\n },\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix\",\n \"equals\": \"Internet\"\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]\",\n \"notEquals\": \"*\"\n }\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]\",\n \"notEquals\": \"Internet\"\n }\n }\n ]\n }\n ]\n }\n ]\n },\n {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/networkSecurityGroups\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*]\",\n \"where\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].access\",\n \"equals\": \"Allow\"\n },\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].direction\",\n \"equals\": \"Inbound\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange\",\n \"equals\": \"*\"\n },\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange\",\n \"in\": \"[[parameters('ports')]\"\n },\n {\n \"count\": {\n \"value\": \"[[parameters('ports')]\",\n \"name\": \"ports\",\n \"where\": {\n \"value\": \"[[if(and(not(empty(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange'))), contains(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange'),'-')), and(lessOrEquals(int(first(split(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange'), '-'))),int(current('ports'))),greaterOrEquals(int(last(split(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange'), '-'))),int(current('ports')))), 'false')]\",\n \"equals\": \"true\"\n }\n },\n \"greater\": 0\n },\n {\n \"count\": {\n \"value\": \"[[parameters('ports')]\",\n \"name\": \"ports\",\n \"where\": {\n \"count\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]\",\n \"where\": {\n \"value\": \"[[if(and(not(empty(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]'))), contains(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]'),'-')), and(lessOrEquals(int(first(split(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]'), '-'))),int(current('ports'))),greaterOrEquals(int(last(split(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]'), '-'))),int(current('ports')))) , 'false')]\",\n \"equals\": \"true\"\n }\n },\n \"greater\": 0\n }\n },\n \"greater\": 0\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]\",\n \"notEquals\": \"*\"\n }\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]\",\n \"notIn\": \"[[parameters('ports')]\"\n }\n }\n ]\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix\",\n \"equals\": \"*\"\n },\n {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix\",\n \"equals\": \"Internet\"\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefixes[*]\",\n \"notEquals\": \"*\"\n }\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefixes[*]\",\n \"notEquals\": \"Internet\"\n }\n }\n ]\n }\n ]\n }\n },\n \"greater\": 0\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#22": "{\n \"name\": \"Deny-Redis-http\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Azure Cache for Redis only secure connections should be enabled\",\n \"description\": \"Audit enabling of only connections via SSL to Azure Cache for Redis. Validate both minimum TLS version and enableNonSslPort is disabled. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Cache\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"The effect determines what happens when the policy rule is evaluated to match\"\n }\n },\n \"minimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.1\",\n \"1.0\"\n ],\n \"metadata\": {\n \"displayName\": \"Select minimum TLS version for Azure Cache for Redis.\",\n \"description\": \"Select minimum TLS version for Azure Cache for Redis.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Cache/redis\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Cache/Redis/enableNonSslPort\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Cache/Redis/minimumTlsVersion\",\n \"less\": \"[[parameters('minimumTlsVersion')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#23": "{\n \"name\": \"Deny-Sql-minTLS\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Azure SQL Database should have the minimal TLS version set to the highest version\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not reccomended since they have well documented security vunerabilities.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.1\",\n \"1.0\"\n ],\n \"metadata\": {\n \"displayName\": \"Select version for SQL server\",\n \"description\": \"Select version minimum TLS version SQL servers to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Sql/servers\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Sql/servers/minimalTlsVersion\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Sql/servers/minimalTlsVersion\",\n \"less\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#24": "{\n \"name\": \"Deny-SqlMi-minTLS\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version set to the highest version\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.1\",\n \"1.0\"\n ],\n \"metadata\": {\n \"displayName\": \"Select version for SQL server\",\n \"description\": \"Select version minimum TLS version SQL servers to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Sql/managedInstances\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Sql/managedInstances/minimalTlsVersion\",\n \"exists\": \"false\"\n },\n {\n \"field\": \"Microsoft.Sql/managedInstances/minimalTlsVersion\",\n \"less\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#25": "{\n \"name\": \"Deny-Storage-minTLS\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"[Deprecated] Storage Account set to minimum TLS and Secure transfer should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. This policy is superseded by https://www.azadvertizer.net/azpolicyadvertizer/fe83a0eb-a853-422d-aac2-1bffd182c5d0.html and https://www.azadvertizer.net/azpolicyadvertizer/404c3081-a854-4457-ae30-26a93ef643f9.html\",\n \"metadata\": {\n \"deprecated\": true,\n \"supersededBy\": \"fe83a0eb-a853-422d-aac2-1bffd182c5d0,404c3081-a854-4457-ae30-26a93ef643f9\",\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"The effect determines what happens when the policy rule is evaluated to match\"\n }\n },\n \"minimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts\"\n },\n {\n \"anyOf\": [\n {\n \"allOf\": [\n {\n \"value\": \"[[requestContext().apiVersion]\",\n \"less\": \"2019-04-01\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly\",\n \"exists\": \"false\"\n }\n ]\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly\",\n \"equals\": \"false\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/minimumTlsVersion\",\n \"notequals\": \"[[parameters('minimumTlsVersion')]\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/minimumTlsVersion\",\n \"exists\": \"false\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#26": "{\n \"name\": \"Deny-Storage-SFTP\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Storage Accounts with SFTP enabled should be denied\",\n \"description\": \"This policy denies the creation of Storage Accounts with SFTP enabled for Blob Storage.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"The effect determines what happens when the policy rule is evaluated to match\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/isSftpEnabled\",\n \"equals\": \"true\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#27": "{\n \"name\": \"Deny-Subnet-Without-Nsg\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Subnets should have a Network Security Group\",\n \"description\": \"This policy denies the creation of a subnet without a Network Security Group. NSG help to protect traffic across subnet-level.\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"excludedSubnets\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Excluded Subnets\",\n \"description\": \"Array of subnet names that are excluded from this policy\"\n },\n \"defaultValue\": [\n \"GatewaySubnet\",\n \"AzureFirewallSubnet\",\n \"AzureFirewallManagementSubnet\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"anyOf\": [\n {\n \"allOf\": [\n {\n \"equals\": \"Microsoft.Network/virtualNetworks\",\n \"field\": \"type\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/virtualNetworks/subnets[*]\",\n \"where\": {\n \"allOf\": [\n {\n \"exists\": \"false\",\n \"field\": \"Microsoft.Network/virtualNetworks/subnets[*].networkSecurityGroup.id\"\n },\n {\n \"field\": \"Microsoft.Network/virtualNetworks/subnets[*].name\",\n \"notIn\": \"[[parameters('excludedSubnets')]\"\n }\n ]\n }\n },\n \"notEquals\": 0\n }\n ]\n },\n {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworks/subnets\"\n },\n {\n \"field\": \"name\",\n \"notIn\": \"[[parameters('excludedSubnets')]\"\n },\n {\n \"field\": \"Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id\",\n \"exists\": \"false\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#28": "{\n \"name\": \"Deny-Subnet-Without-Penp\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Subnets without Private Endpoint Network Policies enabled should be denied\",\n \"description\": \"This policy denies the creation of a subnet without Private Endpoint Netwotk Policies enabled. This policy is intended for 'workload' subnets, not 'central infrastructure' (aka, 'hub') subnets.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"The effect determines what happens when the policy rule is evaluated to match\"\n }\n },\n \"excludedSubnets\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Excluded Subnets\",\n \"description\": \"Array of subnet names that are excluded from this policy\"\n },\n \"defaultValue\": [\n \"GatewaySubnet\",\n \"AzureFirewallSubnet\",\n \"AzureFirewallManagementSubnet\",\n \"AzureBastionSubnet\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"anyOf\": [\n {\n \"allOf\": [\n {\n \"equals\": \"Microsoft.Network/virtualNetworks\",\n \"field\": \"type\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/virtualNetworks/subnets[*]\",\n \"where\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/virtualNetworks/subnets[*].privateEndpointNetworkPolicies\",\n \"notEquals\": \"Enabled\"\n },\n {\n \"field\": \"Microsoft.Network/virtualNetworks/subnets[*].name\",\n \"notIn\": \"[[parameters('excludedSubnets')]\"\n }\n ]\n }\n },\n \"notEquals\": 0\n }\n ]\n },\n {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworks/subnets\"\n },\n {\n \"field\": \"name\",\n \"notIn\": \"[[parameters('excludedSubnets')]\"\n },\n {\n \"field\": \"Microsoft.Network/virtualNetworks/subnets/privateEndpointNetworkPolicies\",\n \"notEquals\": \"Enabled\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#29": "{\n \"name\": \"Deny-Subnet-Without-Udr\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Subnets should have a User Defined Route\",\n \"description\": \"This policy denies the creation of a subnet without a User Defined Route (UDR).\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"excludedSubnets\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Excluded Subnets\",\n \"description\": \"Array of subnet names that are excluded from this policy\"\n },\n \"defaultValue\": [\n \"AzureBastionSubnet\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"anyOf\": [\n {\n \"allOf\": [\n {\n \"equals\": \"Microsoft.Network/virtualNetworks\",\n \"field\": \"type\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/virtualNetworks/subnets[*]\",\n \"where\": {\n \"allOf\": [\n {\n \"exists\": \"false\",\n \"field\": \"Microsoft.Network/virtualNetworks/subnets[*].routeTable.id\"\n },\n {\n \"field\": \"Microsoft.Network/virtualNetworks/subnets[*].name\",\n \"notIn\": \"[[parameters('excludedSubnets')]\"\n }\n ]\n }\n },\n \"notEquals\": 0\n }\n ]\n },\n {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworks/subnets\"\n },\n {\n \"field\": \"name\",\n \"notIn\": \"[[parameters('excludedSubnets')]\"\n },\n {\n \"field\": \"Microsoft.Network/virtualNetworks/subnets/routeTable.id\",\n \"exists\": \"false\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", "$fxv#3": "{\n \"name\": \"Append-Redis-disableNonSslPort\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Azure Cache for Redis Append and the enforcement that enableNonSslPort is disabled.\",\n \"description\": \"Azure Cache for Redis Append and the enforcement that enableNonSslPort is disabled. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Cache\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect Azure Cache for Redis\",\n \"description\": \"Enable or disable the execution of the policy minimum TLS version Azure Cache for Redis\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Cache/redis\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Cache/Redis/enableNonSslPort\",\n \"equals\": \"true\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": [\n {\n \"field\": \"Microsoft.Cache/Redis/enableNonSslPort\",\n \"value\": false\n }\n ]\n }\n }\n }\n}\n", - "$fxv#30": "{\n \"name\": \"Deny-VNET-Peering-To-Non-Approved-VNETs\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deny vNet peering to non-approved vNets\",\n \"description\": \"This policy denies the creation of vNet Peerings to non-approved vNets under the assigned scope.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"allowedVnets\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Allowed vNets to peer with\",\n \"description\": \"Array of allowed vNets that can be peered with. Must be entered using their resource ID. Example: /subscriptions/{subId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}\"\n },\n \"defaultValue\": []\n }\n },\n \"policyRule\": {\n \"if\": {\n \"anyOf\": [\n {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworks/virtualNetworkPeerings\"\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id\",\n \"in\": \"[[parameters('allowedVnets')]\"\n }\n }\n ]\n },\n {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworks\"\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/virtualNetworks/virtualNetworkPeerings[*].remoteVirtualNetwork.id\",\n \"in\": \"[[parameters('allowedVnets')]\"\n }\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/virtualNetworks/virtualNetworkPeerings[*].remoteVirtualNetwork.id\",\n \"exists\": false\n }\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#31": "{\n \"name\": \"Deny-VNet-Peering\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deny vNet peering \",\n \"description\": \"This policy denies the creation of vNet Peerings under the assigned scope.\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworks/virtualNetworkPeerings\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#32": "{\n \"name\": \"Deny-StorageAccount-CustomDomain\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Storage Accounts with custom domains assigned should be denied\",\n \"description\": \"This policy denies the creation of Storage Accounts with custom domains assigned as communication cannot be encrypted, and always uses HTTP.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"The effect determines what happens when the policy rule is evaluated to match\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/customDomain\",\n \"exists\": \"true\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/customDomain.useSubDomainName\",\n \"equals\": \"true\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n }", - "$fxv#33": "{\n \"name\": \"Deny-FileServices-InsecureKerberos\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"File Services with insecure Kerberos ticket encryption should be denied\",\n \"description\": \"This policy denies the use of insecure Kerberos ticket encryption (RC4-HMAC) when using File Services on a storage account.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"The effect determines what happens when the policy rule is evaluated to match\"\n }\n },\n \"notAllowedKerberosTicketEncryption\": {\n \"type\": \"String\",\n \"defaultValue\": \"RC4-HMAC\",\n \"allowedValues\": [\n \"RC4-HMAC\",\n \"AES-256\"\n ],\n \"metadata\": {\n \"displayName\": \"Kerberos ticket encryption supported by server. Valid values are RC4-HMAC, AES-256.\",\n \"description\": \"The list of kerberosTicketEncryption not allowed.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts/fileServices\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/fileServices/protocolSettings.smb.kerberosTicketEncryption\",\n \"contains\": \"[[parameters('notAllowedKerberosTicketEncryption')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n }", - "$fxv#34": "{\n \"name\": \"Deny-FileServices-InsecureSmbChannel\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"File Services with insecure SMB channel encryption should be denied\",\n \"description\": \"This policy denies the use of insecure channel encryption (AES-128-CCM) when using File Services on a storage account.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"The effect determines what happens when the policy rule is evaluated to match\"\n }\n },\n \"notAllowedChannelEncryption\": {\n \"type\": \"String\",\n \"defaultValue\": \"AES-128-CCM\",\n \"allowedValues\": [\n \"AES-128-CCM\",\n \"AES-128-GCM\",\n \"AES-256-GCM\"\n ],\n \"metadata\": {\n \"displayName\": \"SMB channel encryption supported by server. Valid values are AES-128-CCM, AES-128-GCM, AES-256-GCM.\",\n \"description\": \"The list of channelEncryption not allowed.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts/fileServices\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/fileServices/protocolSettings.smb.channelEncryption\",\n \"contains\": \"[[parameters('notAllowedChannelEncryption')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n }", - "$fxv#35": "{\n \"name\": \"Deny-FileServices-InsecureSmbVersions\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"File Services with insecure SMB versions should be denied\",\n \"description\": \"This policy denies the use of insecure versions of SMB (2.1 & 3.0) when using File Services on a storage account.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"The effect determines what happens when the policy rule is evaluated to match\"\n }\n },\n \"allowedSmbVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"SMB3.1.1\",\n \"allowedValues\": [\n \"SMB2.1\",\n \"SMB3.0\",\n \"SMB3.1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Allowed SMB Version\",\n \"description\": \"The allowed SMB version for maximum security\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts/fileServices\"\n },\n {\n \"not\":\n {\n \"field\": \"Microsoft.Storage/storageAccounts/fileServices/protocolSettings.smb.versions\",\n \"contains\": \"[[parameters('allowedSmbVersion')]\"\n }\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n }", - "$fxv#36": "{\n \"name\": \"Deny-FileServices-InsecureAuth\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"File Services with insecure authentication methods should be denied\",\n \"description\": \"This policy denies the use of insecure authentication methods (NTLMv2) when using File Services on a storage account.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"The effect determines what happens when the policy rule is evaluated to match\"\n }\n },\n \"notAllowedAuthMethods\": {\n \"type\": \"String\",\n \"defaultValue\": \"NTLMv2\",\n \"allowedValues\": [\n \"NTLMv2\",\n \"Kerberos\"\n ],\n \"metadata\": {\n \"displayName\": \"Authentication methods supported by server. Valid values are NTLMv2, Kerberos.\",\n \"description\": \"The list of channelEncryption not allowed.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/fileServices/protocolSettings.smb.authenticationMethods\",\n \"contains\": \"[[parameters('notAllowedAuthMethods')]\"\n },\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts/fileServices\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n }", - "$fxv#37": "{\n \"name\": \"Deploy-ASC-SecurityContacts\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud Security Contacts\",\n \"description\": \"Deploy Microsoft Defender for Cloud Security Contacts\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email addresses (semi-colon separated) for Defender for Cloud contact details\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"String\",\n \"defaultValue\": \"High\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Resources/subscriptions\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Security/securityContacts\",\n \"deploymentScope\": \"subscription\",\n \"existenceScope\": \"subscription\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd\"\n ],\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Security/securityContacts/email\",\n \"contains\": \"[[parameters('emailSecurityContact')]\"\n },\n {\n \"field\": \"Microsoft.Security/securityContacts/isEnabled\",\n \"equals\": true\n },\n {\n \"field\": \"Microsoft.Security/securityContacts/notificationsSources[*].Alert.minimalSeverity\",\n \"contains\": \"[[parameters('minimalSeverity')]\"\n }\n ]\n },\n \"deployment\": {\n \"location\": \"northeurope\",\n \"properties\": {\n \"mode\": \"incremental\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\": {\n \"value\": \"[[parameters('minimalSeverity')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"description\": \"Security contacts email address\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"metadata\": {\n \"description\": \"Minimal severity level reported\"\n }\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Security/securityContacts\",\n \"name\": \"default\",\n \"apiVersion\": \"2023-12-01-preview\",\n \"properties\": {\n \"emails\": \"[[parameters('emailSecurityContact')]\",\n \"isEnabled\": true,\n \"notificationsByRole\": {\n \"state\": \"On\",\n \"roles\": [\n \"Owner\"\n ]\n },\n \"notificationsSources\": [\n {\n \"sourceType\": \"Alert\",\n \"minimalSeverity\": \"[[parameters('minimalSeverity')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#38": "{\n \"name\": \"Deploy-Custom-Route-Table\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy a route table with specific user defined routes\",\n \"description\": \"Deploys a route table with specific user defined routes when one does not exist. The route table deployed by the policy must be manually associated to subnet(s)\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"requiredRoutes\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"requiredRoutes\",\n \"description\": \"Routes that must exist in compliant route tables deployed by this policy\"\n }\n },\n \"vnetRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"vnetRegion\",\n \"description\": \"Only VNets in this region will be evaluated against this policy\"\n }\n },\n \"routeTableName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"routeTableName\",\n \"description\": \"Name of the route table automatically deployed by this policy\"\n }\n },\n \"disableBgpPropagation\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"DisableBgpPropagation\",\n \"description\": \"Disable BGP Propagation\"\n },\n \"defaultValue\": false\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworks\"\n },\n {\n \"field\": \"location\",\n \"equals\": \"[[parameters('vnetRegion')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/routeTables\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"name\",\n \"equals\": \"[[parameters('routeTableName')]\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/routeTables/routes[*]\",\n \"where\": {\n \"value\": \"[[concat(current('Microsoft.Network/routeTables/routes[*].addressPrefix'), ';', current('Microsoft.Network/routeTables/routes[*].nextHopType'), if(equals(toLower(current('Microsoft.Network/routeTables/routes[*].nextHopType')),'virtualappliance'), concat(';', current('Microsoft.Network/routeTables/routes[*].nextHopIpAddress')), ''))]\",\n \"in\": \"[[parameters('requiredRoutes')]\"\n }\n },\n \"equals\": \"[[length(parameters('requiredRoutes'))]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/subscriptions/e867a45d-e513-44ac-931e-4741cef80b24/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"routeTableName\": {\n \"type\": \"string\"\n },\n \"vnetRegion\": {\n \"type\": \"string\"\n },\n \"requiredRoutes\": {\n \"type\": \"array\"\n },\n \"disableBgpPropagation\": {\n \"type\": \"bool\"\n }\n },\n \"variables\": {\n \"copyLoop\": [\n {\n \"name\": \"routes\",\n \"count\": \"[[[length(parameters('requiredRoutes'))]\",\n \"input\": {\n \"name\": \"[[[concat('route-',copyIndex('routes'))]\",\n \"properties\": {\n \"addressPrefix\": \"[[[split(parameters('requiredRoutes')[copyIndex('routes')], ';')[0]]\",\n \"nextHopType\": \"[[[split(parameters('requiredRoutes')[copyIndex('routes')], ';')[1]]\",\n \"nextHopIpAddress\": \"[[[if(equals(toLower(split(parameters('requiredRoutes')[copyIndex('routes')], ';')[1]),'virtualappliance'),split(parameters('requiredRoutes')[copyIndex('routes')], ';')[2], null())]\"\n }\n }\n }\n ]\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2021-04-01\",\n \"name\": \"routeTableDepl\",\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"routeTableName\": {\n \"type\": \"string\"\n },\n \"vnetRegion\": {\n \"type\": \"string\"\n },\n \"requiredRoutes\": {\n \"type\": \"array\"\n },\n \"disableBgpPropagation\": {\n \"type\": \"bool\"\n }\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/routeTables\",\n \"apiVersion\": \"2021-02-01\",\n \"name\": \"[[[parameters('routeTableName')]\",\n \"location\": \"[[[parameters('vnetRegion')]\",\n \"properties\": {\n \"disableBgpRoutePropagation\": \"[[[parameters('disableBgpPropagation')]\",\n \"copy\": \"[[variables('copyLoop')]\"\n }\n }\n ]\n },\n \"parameters\": {\n \"routeTableName\": {\n \"value\": \"[[parameters('routeTableName')]\"\n },\n \"vnetRegion\": {\n \"value\": \"[[parameters('vnetRegion')]\"\n },\n \"requiredRoutes\": {\n \"value\": \"[[parameters('requiredRoutes')]\"\n },\n \"disableBgpPropagation\": {\n \"value\": \"[[parameters('disableBgpPropagation')]\"\n }\n }\n }\n }\n ]\n },\n \"parameters\": {\n \"routeTableName\": {\n \"value\": \"[[parameters('routeTableName')]\"\n },\n \"vnetRegion\": {\n \"value\": \"[[parameters('vnetRegion')]\"\n },\n \"requiredRoutes\": {\n \"value\": \"[[parameters('requiredRoutes')]\"\n },\n \"disableBgpPropagation\": {\n \"value\": \"[[parameters('disableBgpPropagation')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#39": "{\n \"name\": \"Deploy-DDoSProtection\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy an Azure DDoS Network Protection\",\n \"description\": \"Deploys an Azure DDoS Network Protection\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"ddosName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"ddosName\",\n \"description\": \"DDoSVnet\"\n }\n },\n \"ddosRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"ddosRegion\",\n \"description\": \"DDoSVnet location\",\n \"strongType\": \"location\"\n }\n },\n \"rgName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"rgName\",\n \"description\": \"Provide name for resource group.\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Resources/subscriptions\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/ddosProtectionPlans\",\n \"deploymentScope\": \"subscription\",\n \"existenceScope\": \"resourceGroup\",\n \"resourceGroupName\": \"[[parameters('rgName')]\",\n \"name\": \"[[parameters('ddosName')]\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"deployment\": {\n \"location\": \"northeurope\",\n \"properties\": {\n \"mode\": \"Incremental\",\n \"parameters\": {\n \"rgName\": {\n \"value\": \"[[parameters('rgName')]\"\n },\n \"ddosname\": {\n \"value\": \"[[parameters('ddosname')]\"\n },\n \"ddosregion\": {\n \"value\": \"[[parameters('ddosRegion')]\"\n }\n },\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"rgName\": {\n \"type\": \"String\"\n },\n \"ddosname\": {\n \"type\": \"String\"\n },\n \"ddosRegion\": {\n \"type\": \"String\"\n }\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Resources/resourceGroups\",\n \"apiVersion\": \"2018-05-01\",\n \"name\": \"[[parameters('rgName')]\",\n \"location\": \"[[deployment().location]\",\n \"properties\": {}\n },\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2018-05-01\",\n \"name\": \"ddosprotection\",\n \"resourceGroup\": \"[[parameters('rgName')]\",\n \"dependsOn\": [\n \"[[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/ddosProtectionPlans\",\n \"apiVersion\": \"2019-12-01\",\n \"name\": \"[[parameters('ddosName')]\",\n \"location\": \"[[parameters('ddosRegion')]\",\n \"properties\": {}\n }\n ],\n \"outputs\": {}\n }\n }\n }\n ],\n \"outputs\": {}\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#30": "{\n \"name\": \"Deny-UDR-With-Specific-NextHop\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"User Defined Routes with 'Next Hop Type' set to 'Internet' or 'VirtualNetworkGateway' should be denied\",\n \"description\": \"This policy denies the creation of a User Defined Route with 'Next Hop Type' set to 'Internet' or 'VirtualNetworkGateway'.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"The effect determines what happens when the policy rule is evaluated to match\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"excludedDestinations\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Excluded Destinations\",\n \"description\": \"Array of route destinations that are to be denied\"\n },\n \"defaultValue\": [\n \"Internet\", \n \"VirtualNetworkGateway\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"anyOf\": [\n {\n \"allOf\": [\n {\n \"equals\": \"Microsoft.Network/routeTables\",\n \"field\": \"type\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/routeTables/routes[*]\",\n \"where\": {\n \"field\": \"Microsoft.Network/routeTables/routes[*].nextHopType\",\n \"in\": \"[[parameters('excludedDestinations')]\"\n }\n },\n \"notEquals\": 0\n }\n ]\n },\n {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/routeTables/routes\"\n },\n {\n \"field\": \"Microsoft.Network/routeTables/routes/nextHopType\",\n \"in\": \"[[parameters('excludedDestinations')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#31": "{\n \"name\": \"Deny-VNET-Peer-Cross-Sub\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deny vNet peering cross subscription.\",\n \"description\": \"This policy denies the creation of vNet Peerings outside of the same subscriptions under the assigned scope.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"allowedVnets\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Allowed vNets to peer with\",\n \"description\": \"Array of allowed vNets that can be peered with. Must be entered using their resource ID. Example: /subscriptions/{subId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}\"\n },\n \"defaultValue\": []\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworks/virtualNetworkPeerings\"\n },\n {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id\",\n \"notIn\": \"[[parameters('allowedVnets')]\"\n },\n {\n \"field\": \"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id\",\n \"notLike\": \"[[concat(subscription().id, '/*')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#32": "{\n \"name\": \"Deny-VNET-Peering-To-Non-Approved-VNETs\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deny vNet peering to non-approved vNets\",\n \"description\": \"This policy denies the creation of vNet Peerings to non-approved vNets under the assigned scope.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"allowedVnets\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Allowed vNets to peer with\",\n \"description\": \"Array of allowed vNets that can be peered with. Must be entered using their resource ID. Example: /subscriptions/{subId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}\"\n },\n \"defaultValue\": []\n }\n },\n \"policyRule\": {\n \"if\": {\n \"anyOf\": [\n {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworks/virtualNetworkPeerings\"\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id\",\n \"in\": \"[[parameters('allowedVnets')]\"\n }\n }\n ]\n },\n {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworks\"\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/virtualNetworks/virtualNetworkPeerings[*].remoteVirtualNetwork.id\",\n \"in\": \"[[parameters('allowedVnets')]\"\n }\n },\n {\n \"not\": {\n \"field\": \"Microsoft.Network/virtualNetworks/virtualNetworkPeerings[*].remoteVirtualNetwork.id\",\n \"exists\": false\n }\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#33": "{\n \"name\": \"Deny-VNet-Peering\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deny vNet peering \",\n \"description\": \"This policy denies the creation of vNet Peerings under the assigned scope.\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworks/virtualNetworkPeerings\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", + "$fxv#34": "{\n \"name\": \"Deny-StorageAccount-CustomDomain\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Storage Accounts with custom domains assigned should be denied\",\n \"description\": \"This policy denies the creation of Storage Accounts with custom domains assigned as communication cannot be encrypted, and always uses HTTP.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"The effect determines what happens when the policy rule is evaluated to match\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/customDomain\",\n \"exists\": \"true\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/customDomain.useSubDomainName\",\n \"equals\": \"true\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n }", + "$fxv#35": "{\n \"name\": \"Deny-FileServices-InsecureKerberos\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"File Services with insecure Kerberos ticket encryption should be denied\",\n \"description\": \"This policy denies the use of insecure Kerberos ticket encryption (RC4-HMAC) when using File Services on a storage account.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"The effect determines what happens when the policy rule is evaluated to match\"\n }\n },\n \"notAllowedKerberosTicketEncryption\": {\n \"type\": \"String\",\n \"defaultValue\": \"RC4-HMAC\",\n \"allowedValues\": [\n \"RC4-HMAC\",\n \"AES-256\"\n ],\n \"metadata\": {\n \"displayName\": \"Kerberos ticket encryption supported by server. Valid values are RC4-HMAC, AES-256.\",\n \"description\": \"The list of kerberosTicketEncryption not allowed.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts/fileServices\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/fileServices/protocolSettings.smb.kerberosTicketEncryption\",\n \"contains\": \"[[parameters('notAllowedKerberosTicketEncryption')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n }", + "$fxv#36": "{\n \"name\": \"Deny-FileServices-InsecureSmbChannel\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"File Services with insecure SMB channel encryption should be denied\",\n \"description\": \"This policy denies the use of insecure channel encryption (AES-128-CCM) when using File Services on a storage account.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"The effect determines what happens when the policy rule is evaluated to match\"\n }\n },\n \"notAllowedChannelEncryption\": {\n \"type\": \"String\",\n \"defaultValue\": \"AES-128-CCM\",\n \"allowedValues\": [\n \"AES-128-CCM\",\n \"AES-128-GCM\",\n \"AES-256-GCM\"\n ],\n \"metadata\": {\n \"displayName\": \"SMB channel encryption supported by server. Valid values are AES-128-CCM, AES-128-GCM, AES-256-GCM.\",\n \"description\": \"The list of channelEncryption not allowed.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts/fileServices\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/fileServices/protocolSettings.smb.channelEncryption\",\n \"contains\": \"[[parameters('notAllowedChannelEncryption')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n }", + "$fxv#37": "{\n \"name\": \"Deny-FileServices-InsecureSmbVersions\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"File Services with insecure SMB versions should be denied\",\n \"description\": \"This policy denies the use of insecure versions of SMB (2.1 & 3.0) when using File Services on a storage account.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"The effect determines what happens when the policy rule is evaluated to match\"\n }\n },\n \"allowedSmbVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"SMB3.1.1\",\n \"allowedValues\": [\n \"SMB2.1\",\n \"SMB3.0\",\n \"SMB3.1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Allowed SMB Version\",\n \"description\": \"The allowed SMB version for maximum security\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts/fileServices\"\n },\n {\n \"not\":\n {\n \"field\": \"Microsoft.Storage/storageAccounts/fileServices/protocolSettings.smb.versions\",\n \"contains\": \"[[parameters('allowedSmbVersion')]\"\n }\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n }", + "$fxv#38": "{\n \"name\": \"Deny-FileServices-InsecureAuth\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"File Services with insecure authentication methods should be denied\",\n \"description\": \"This policy denies the use of insecure authentication methods (NTLMv2) when using File Services on a storage account.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"The effect determines what happens when the policy rule is evaluated to match\"\n }\n },\n \"notAllowedAuthMethods\": {\n \"type\": \"String\",\n \"defaultValue\": \"NTLMv2\",\n \"allowedValues\": [\n \"NTLMv2\",\n \"Kerberos\"\n ],\n \"metadata\": {\n \"displayName\": \"Authentication methods supported by server. Valid values are NTLMv2, Kerberos.\",\n \"description\": \"The list of channelEncryption not allowed.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/fileServices/protocolSettings.smb.authenticationMethods\",\n \"contains\": \"[[parameters('notAllowedAuthMethods')]\"\n },\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts/fileServices\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n }", + "$fxv#39": "{\n \"name\": \"Deploy-ASC-SecurityContacts\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud Security Contacts\",\n \"description\": \"Deploy Microsoft Defender for Cloud Security Contacts\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email addresses (semi-colon separated) for Defender for Cloud contact details\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"String\",\n \"defaultValue\": \"High\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Resources/subscriptions\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Security/securityContacts\",\n \"deploymentScope\": \"subscription\",\n \"existenceScope\": \"subscription\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd\"\n ],\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Security/securityContacts/email\",\n \"contains\": \"[[parameters('emailSecurityContact')]\"\n },\n {\n \"field\": \"Microsoft.Security/securityContacts/isEnabled\",\n \"equals\": true\n },\n {\n \"field\": \"Microsoft.Security/securityContacts/notificationsSources[*].Alert.minimalSeverity\",\n \"contains\": \"[[parameters('minimalSeverity')]\"\n }\n ]\n },\n \"deployment\": {\n \"location\": \"northeurope\",\n \"properties\": {\n \"mode\": \"incremental\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\": {\n \"value\": \"[[parameters('minimalSeverity')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"description\": \"Security contacts email address\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"metadata\": {\n \"description\": \"Minimal severity level reported\"\n }\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Security/securityContacts\",\n \"name\": \"default\",\n \"apiVersion\": \"2023-12-01-preview\",\n \"properties\": {\n \"emails\": \"[[parameters('emailSecurityContact')]\",\n \"isEnabled\": true,\n \"notificationsByRole\": {\n \"state\": \"On\",\n \"roles\": [\n \"Owner\"\n ]\n },\n \"notificationsSources\": [\n {\n \"sourceType\": \"Alert\",\n \"minimalSeverity\": \"[[parameters('minimalSeverity')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n }\n }\n }\n }\n }\n }\n }\n}\n", "$fxv#4": "{\n \"name\": \"Append-Redis-sslEnforcement\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Azure Cache for Redis Append a specific min TLS version requirement and enforce TLS.\",\n \"description\": \"Append a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Cache\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect Azure Cache for Redis\",\n \"description\": \"Enable or disable the execution of the policy minimum TLS version Azure Cache for Redis\"\n }\n },\n \"minimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.1\",\n \"1.0\"\n ],\n \"metadata\": {\n \"displayName\": \"Select version for Redis server\",\n \"description\": \"Select version minimum TLS version Azure Cache for Redis to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Cache/redis\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Cache/Redis/minimumTlsVersion\",\n \"less\": \"[[parameters('minimumTlsVersion')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": [\n {\n \"field\": \"Microsoft.Cache/Redis/minimumTlsVersion\",\n \"value\": \"[[parameters('minimumTlsVersion')]\"\n }\n ]\n }\n }\n }\n}\n", - "$fxv#40": "{\n \"name\": \"Deploy-Diagnostics-AA\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Automation/automationAccounts\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Automation/automationAccounts/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"timeGrain\": null,\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"enabled\": false,\n \"days\": 0\n }\n }\n ],\n \"logs\": [\n {\n \"category\": \"JobLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"JobStreams\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DscNodeStatus\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AuditEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#41": "{\n \"name\": \"Deploy-Diagnostics-ACI\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.ContainerInstance/containerGroups\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.ContainerInstance/containerGroups/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": []\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#42": "{\n \"name\": \"Deploy-Diagnostics-ACR\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.ContainerRegistry/registries\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.ContainerRegistry/registries/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"ContainerRegistryLoginEvents\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"ContainerRegistryRepositoryEvents\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#43": "{\n \"name\": \"Deploy-Diagnostics-AnalysisService\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.AnalysisServices/servers\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.AnalysisServices/servers/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"Engine\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Service\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#44": "{\n \"name\": \"Deploy-Diagnostics-ApiForFHIR\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.HealthcareApis/services\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.HealthcareApis/services/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"AuditLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#45": "{\n \"name\": \"Deploy-Diagnostics-APIMgmt\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.2.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"logAnalyticsDestinationType\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics destination type\",\n \"description\": \"Select destination type for Log Analytics. Allowed values are 'Dedicated' (resource specific) and 'AzureDiagnostics'. Default is 'AzureDiagnostics'\"\n },\n \"defaultValue\": \"AzureDiagnostics\",\n \"allowedValues\": [\n \"AzureDiagnostics\",\n \"Dedicated\"\n ]\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.ApiManagement/service\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"logAnalyticsDestinationType\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.ApiManagement/service/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"GatewayLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"WebSocketConnectionLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ],\n \"logAnalyticsDestinationType\": \"[[parameters('logAnalyticsDestinationType')]\"\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"logAnalyticsDestinationType\": {\n \"value\": \"[[parameters('logAnalyticsDestinationType')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#46": "{\n \"name\": \"Deploy-Diagnostics-ApplicationGateway\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/applicationGateways\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/applicationGateways/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"ApplicationGatewayAccessLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"ApplicationGatewayPerformanceLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"ApplicationGatewayFirewallLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#47": "{\n \"name\": \"Deploy-Diagnostics-Bastion\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Azure Bastion which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/bastionHosts\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/bastionHosts/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"BastionAuditLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#48": "{\n \"name\": \"Deploy-Diagnostics-CDNEndpoints\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Cdn/profiles/endpoints\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Cdn/profiles/endpoints/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [],\n \"logs\": [\n {\n \"category\": \"CoreAnalytics\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('fullName')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#49": "{\n \"name\": \"Deploy-Diagnostics-CognitiveServices\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.CognitiveServices/accounts\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.CognitiveServices/accounts/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"Audit\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"RequestResponse\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Trace\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#40": "{\n \"name\": \"Deploy-Custom-Route-Table\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy a route table with specific user defined routes\",\n \"description\": \"Deploys a route table with specific user defined routes when one does not exist. The route table deployed by the policy must be manually associated to subnet(s)\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"requiredRoutes\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"requiredRoutes\",\n \"description\": \"Routes that must exist in compliant route tables deployed by this policy\"\n }\n },\n \"vnetRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"vnetRegion\",\n \"description\": \"Only VNets in this region will be evaluated against this policy\"\n }\n },\n \"routeTableName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"routeTableName\",\n \"description\": \"Name of the route table automatically deployed by this policy\"\n }\n },\n \"disableBgpPropagation\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"DisableBgpPropagation\",\n \"description\": \"Disable BGP Propagation\"\n },\n \"defaultValue\": false\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworks\"\n },\n {\n \"field\": \"location\",\n \"equals\": \"[[parameters('vnetRegion')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/routeTables\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"name\",\n \"equals\": \"[[parameters('routeTableName')]\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/routeTables/routes[*]\",\n \"where\": {\n \"value\": \"[[concat(current('Microsoft.Network/routeTables/routes[*].addressPrefix'), ';', current('Microsoft.Network/routeTables/routes[*].nextHopType'), if(equals(toLower(current('Microsoft.Network/routeTables/routes[*].nextHopType')),'virtualappliance'), concat(';', current('Microsoft.Network/routeTables/routes[*].nextHopIpAddress')), ''))]\",\n \"in\": \"[[parameters('requiredRoutes')]\"\n }\n },\n \"equals\": \"[[length(parameters('requiredRoutes'))]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/subscriptions/e867a45d-e513-44ac-931e-4741cef80b24/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"routeTableName\": {\n \"type\": \"string\"\n },\n \"vnetRegion\": {\n \"type\": \"string\"\n },\n \"requiredRoutes\": {\n \"type\": \"array\"\n },\n \"disableBgpPropagation\": {\n \"type\": \"bool\"\n }\n },\n \"variables\": {\n \"copyLoop\": [\n {\n \"name\": \"routes\",\n \"count\": \"[[[length(parameters('requiredRoutes'))]\",\n \"input\": {\n \"name\": \"[[[concat('route-',copyIndex('routes'))]\",\n \"properties\": {\n \"addressPrefix\": \"[[[split(parameters('requiredRoutes')[copyIndex('routes')], ';')[0]]\",\n \"nextHopType\": \"[[[split(parameters('requiredRoutes')[copyIndex('routes')], ';')[1]]\",\n \"nextHopIpAddress\": \"[[[if(equals(toLower(split(parameters('requiredRoutes')[copyIndex('routes')], ';')[1]),'virtualappliance'),split(parameters('requiredRoutes')[copyIndex('routes')], ';')[2], null())]\"\n }\n }\n }\n ]\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2021-04-01\",\n \"name\": \"routeTableDepl\",\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"routeTableName\": {\n \"type\": \"string\"\n },\n \"vnetRegion\": {\n \"type\": \"string\"\n },\n \"requiredRoutes\": {\n \"type\": \"array\"\n },\n \"disableBgpPropagation\": {\n \"type\": \"bool\"\n }\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/routeTables\",\n \"apiVersion\": \"2021-02-01\",\n \"name\": \"[[[parameters('routeTableName')]\",\n \"location\": \"[[[parameters('vnetRegion')]\",\n \"properties\": {\n \"disableBgpRoutePropagation\": \"[[[parameters('disableBgpPropagation')]\",\n \"copy\": \"[[variables('copyLoop')]\"\n }\n }\n ]\n },\n \"parameters\": {\n \"routeTableName\": {\n \"value\": \"[[parameters('routeTableName')]\"\n },\n \"vnetRegion\": {\n \"value\": \"[[parameters('vnetRegion')]\"\n },\n \"requiredRoutes\": {\n \"value\": \"[[parameters('requiredRoutes')]\"\n },\n \"disableBgpPropagation\": {\n \"value\": \"[[parameters('disableBgpPropagation')]\"\n }\n }\n }\n }\n ]\n },\n \"parameters\": {\n \"routeTableName\": {\n \"value\": \"[[parameters('routeTableName')]\"\n },\n \"vnetRegion\": {\n \"value\": \"[[parameters('vnetRegion')]\"\n },\n \"requiredRoutes\": {\n \"value\": \"[[parameters('requiredRoutes')]\"\n },\n \"disableBgpPropagation\": {\n \"value\": \"[[parameters('disableBgpPropagation')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#41": "{\n \"name\": \"Deploy-DDoSProtection\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy an Azure DDoS Network Protection\",\n \"description\": \"Deploys an Azure DDoS Network Protection\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"ddosName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"ddosName\",\n \"description\": \"DDoSVnet\"\n }\n },\n \"ddosRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"ddosRegion\",\n \"description\": \"DDoSVnet location\",\n \"strongType\": \"location\"\n }\n },\n \"rgName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"rgName\",\n \"description\": \"Provide name for resource group.\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Resources/subscriptions\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/ddosProtectionPlans\",\n \"deploymentScope\": \"subscription\",\n \"existenceScope\": \"resourceGroup\",\n \"resourceGroupName\": \"[[parameters('rgName')]\",\n \"name\": \"[[parameters('ddosName')]\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"deployment\": {\n \"location\": \"northeurope\",\n \"properties\": {\n \"mode\": \"Incremental\",\n \"parameters\": {\n \"rgName\": {\n \"value\": \"[[parameters('rgName')]\"\n },\n \"ddosname\": {\n \"value\": \"[[parameters('ddosname')]\"\n },\n \"ddosregion\": {\n \"value\": \"[[parameters('ddosRegion')]\"\n }\n },\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"rgName\": {\n \"type\": \"String\"\n },\n \"ddosname\": {\n \"type\": \"String\"\n },\n \"ddosRegion\": {\n \"type\": \"String\"\n }\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Resources/resourceGroups\",\n \"apiVersion\": \"2018-05-01\",\n \"name\": \"[[parameters('rgName')]\",\n \"location\": \"[[deployment().location]\",\n \"properties\": {}\n },\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2018-05-01\",\n \"name\": \"ddosprotection\",\n \"resourceGroup\": \"[[parameters('rgName')]\",\n \"dependsOn\": [\n \"[[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/ddosProtectionPlans\",\n \"apiVersion\": \"2019-12-01\",\n \"name\": \"[[parameters('ddosName')]\",\n \"location\": \"[[parameters('ddosRegion')]\",\n \"properties\": {}\n }\n ],\n \"outputs\": {}\n }\n }\n }\n ],\n \"outputs\": {}\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#42": "{\n \"name\": \"Deploy-Diagnostics-AA\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Automation/automationAccounts\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Automation/automationAccounts/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"timeGrain\": null,\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"enabled\": false,\n \"days\": 0\n }\n }\n ],\n \"logs\": [\n {\n \"category\": \"JobLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"JobStreams\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DscNodeStatus\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AuditEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#43": "{\n \"name\": \"Deploy-Diagnostics-ACI\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.ContainerInstance/containerGroups\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.ContainerInstance/containerGroups/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": []\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#44": "{\n \"name\": \"Deploy-Diagnostics-ACR\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.ContainerRegistry/registries\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.ContainerRegistry/registries/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"ContainerRegistryLoginEvents\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"ContainerRegistryRepositoryEvents\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#45": "{\n \"name\": \"Deploy-Diagnostics-AnalysisService\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.AnalysisServices/servers\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.AnalysisServices/servers/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"Engine\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Service\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#46": "{\n \"name\": \"Deploy-Diagnostics-ApiForFHIR\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.HealthcareApis/services\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.HealthcareApis/services/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"AuditLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#47": "{\n \"name\": \"Deploy-Diagnostics-APIMgmt\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.2.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"logAnalyticsDestinationType\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics destination type\",\n \"description\": \"Select destination type for Log Analytics. Allowed values are 'Dedicated' (resource specific) and 'AzureDiagnostics'. Default is 'AzureDiagnostics'\"\n },\n \"defaultValue\": \"AzureDiagnostics\",\n \"allowedValues\": [\n \"AzureDiagnostics\",\n \"Dedicated\"\n ]\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.ApiManagement/service\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"logAnalyticsDestinationType\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.ApiManagement/service/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"GatewayLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"WebSocketConnectionLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ],\n \"logAnalyticsDestinationType\": \"[[parameters('logAnalyticsDestinationType')]\"\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"logAnalyticsDestinationType\": {\n \"value\": \"[[parameters('logAnalyticsDestinationType')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#48": "{\n \"name\": \"Deploy-Diagnostics-ApplicationGateway\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/applicationGateways\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/applicationGateways/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"ApplicationGatewayAccessLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"ApplicationGatewayPerformanceLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"ApplicationGatewayFirewallLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#49": "{\n \"name\": \"Deploy-Diagnostics-Bastion\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Azure Bastion which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/bastionHosts\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/bastionHosts/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"BastionAuditLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", "$fxv#5": "{\n \"name\": \"Audit-Disks-UnusedResourcesCostOptimization\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Unused Disks driving cost should be avoided\",\n \"mode\": \"All\",\n \"description\": \"Optimize cost by detecting unused but chargeable resources. Leverage this Policy definition as a cost control to reveal orphaned Disks that are driving cost.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cost Optimization\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Compute/disks\"\n },\n {\n \"field\": \"Microsoft.Compute/disks/diskState\",\n \"equals\": \"Unattached\"\n },\n {\n \"allof\": [\n {\n \"field\": \"name\",\n \"notlike\": \"*-ASRReplica\"\n },\n {\n \"field\": \"name\",\n \"notlike\": \"ms-asr-*\"\n },\n {\n \"field\": \"name\",\n \"notlike\": \"asrseeddisk-*\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", - "$fxv#50": "{\n \"name\": \"Deploy-Diagnostics-CosmosDB\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.2.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DocumentDB/databaseAccounts\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.DocumentDB/databaseAccounts/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"Requests\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"DataPlaneRequests\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"MongoRequests\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"QueryRuntimeStatistics\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"PartitionKeyStatistics\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"PartitionKeyRUConsumption\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"ControlPlaneRequests\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"CassandraRequests\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"GremlinRequests\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"TableApiRequests\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#51": "{\n \"name\": \"Deploy-Diagnostics-Databricks\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.3.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Databricks/workspaces\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Databricks/workspaces/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"logs\": [\n {\n \"category\": \"dbfs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"clusters\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"accounts\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"jobs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"notebook\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"ssh\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"workspace\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"secrets\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"sqlPermissions\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"instancePools\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"sqlanalytics\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"genie\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"globalInitScripts\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"iamRole\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"mlflowExperiment\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"featureStore\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"RemoteHistoryService\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"mlflowAcledArtifact\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"databrickssql\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"deltaPipelines\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"modelRegistry\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"repos\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"unityCatalog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"gitCredentials\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"webTerminal\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"serverlessRealTimeInference\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"clusterLibraries\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"partnerHub\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"clamAVScan\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"capsule8Dataplane\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#52": "{\n \"name\": \"Deploy-Diagnostics-DataExplorerCluster\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Kusto/Clusters\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Kusto/Clusters/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"SucceededIngestion\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"FailedIngestion\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"IngestionBatching\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Command\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Query\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"TableUsageStatistics\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"TableDetails\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#53": "{\n \"name\": \"Deploy-Diagnostics-DataFactory\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.2.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DataFactory/factories\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.DataFactory/factories/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"ActivityRuns\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"PipelineRuns\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"TriggerRuns\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"SSISPackageEventMessages\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"SSISPackageExecutableStatistics\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"SSISPackageEventMessageContext\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"SSISPackageExecutionComponentPhases\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"SSISPackageExecutionDataStatistics\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"SSISIntegrationRuntimeLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"SandboxPipelineRuns\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"SandboxActivityRuns\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#54": "{\n \"name\": \"Deploy-Diagnostics-DLAnalytics\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DataLakeAnalytics/accounts\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.DataLakeAnalytics/accounts/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"Audit\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Requests\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#55": "{\n \"name\": \"Deploy-Diagnostics-EventGridSub\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.EventGrid/eventSubscriptions\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.EventGrid/eventSubscriptions/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": []\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#56": "{\n \"name\": \"Deploy-Diagnostics-EventGridSystemTopic\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.EventGrid/systemTopics\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.EventGrid/systemTopics/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"DeliveryFailures\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#57": "{\n \"name\": \"Deploy-Diagnostics-EventGridTopic\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.2.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.EventGrid/topics\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.EventGrid/topics/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"DeliveryFailures\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"PublishFailures\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DataPlaneRequests\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#58": "{\n \"name\": \"Deploy-Diagnostics-ExpressRoute\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/expressRouteCircuits\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/expressRouteCircuits/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"PeeringRouteLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#59": "{\n \"name\": \"Deploy-Diagnostics-Firewall\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.2.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"logAnalyticsDestinationType\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics destination type\",\n \"description\": \"Select destination type for Log Analytics. Allowed values are 'Dedicated' (resource specific) and 'AzureDiagnostics'. Default is 'AzureDiagnostics'\"\n },\n \"defaultValue\": \"AzureDiagnostics\",\n \"allowedValues\": [\n \"AzureDiagnostics\",\n \"Dedicated\"\n ]\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/azureFirewalls\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"logAnalyticsDestinationType\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/azureFirewalls/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"logAnalyticsDestinationType\": \"[[parameters('logAnalyticsDestinationType')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"AzureFirewallApplicationRule\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AzureFirewallNetworkRule\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AzureFirewallDnsProxy\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AZFWNetworkRule\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AZFWApplicationRule\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AZFWNatRule\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AZFWThreatIntel\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AZFWIdpsSignature\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AZFWDnsQuery\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AZFWFqdnResolveFailure\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AZFWApplicationRuleAggregation\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AZFWNetworkRuleAggregation\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AZFWNatRuleAggregation\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AZFWFatFlow\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AZFWFlowTrace\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"logAnalyticsDestinationType\": {\n \"value\": \"[[parameters('logAnalyticsDestinationType')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#50": "{\n \"name\": \"Deploy-Diagnostics-CDNEndpoints\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Cdn/profiles/endpoints\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Cdn/profiles/endpoints/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [],\n \"logs\": [\n {\n \"category\": \"CoreAnalytics\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('fullName')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#51": "{\n \"name\": \"Deploy-Diagnostics-CognitiveServices\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.CognitiveServices/accounts\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.CognitiveServices/accounts/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"Audit\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"RequestResponse\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Trace\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#52": "{\n \"name\": \"Deploy-Diagnostics-CosmosDB\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.2.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DocumentDB/databaseAccounts\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.DocumentDB/databaseAccounts/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"Requests\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"DataPlaneRequests\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"MongoRequests\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"QueryRuntimeStatistics\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"PartitionKeyStatistics\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"PartitionKeyRUConsumption\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"ControlPlaneRequests\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"CassandraRequests\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"GremlinRequests\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"TableApiRequests\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#53": "{\n \"name\": \"Deploy-Diagnostics-Databricks\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.3.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Databricks/workspaces\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Databricks/workspaces/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"logs\": [\n {\n \"category\": \"dbfs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"clusters\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"accounts\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"jobs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"notebook\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"ssh\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"workspace\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"secrets\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"sqlPermissions\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"instancePools\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"sqlanalytics\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"genie\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"globalInitScripts\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"iamRole\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"mlflowExperiment\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"featureStore\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"RemoteHistoryService\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"mlflowAcledArtifact\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"databrickssql\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"deltaPipelines\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"modelRegistry\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"repos\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"unityCatalog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"gitCredentials\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"webTerminal\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"serverlessRealTimeInference\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"clusterLibraries\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"partnerHub\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"clamAVScan\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"capsule8Dataplane\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#54": "{\n \"name\": \"Deploy-Diagnostics-DataExplorerCluster\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Kusto/Clusters\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Kusto/Clusters/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"SucceededIngestion\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"FailedIngestion\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"IngestionBatching\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Command\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Query\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"TableUsageStatistics\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"TableDetails\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#55": "{\n \"name\": \"Deploy-Diagnostics-DataFactory\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.2.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DataFactory/factories\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.DataFactory/factories/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"ActivityRuns\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"PipelineRuns\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"TriggerRuns\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"SSISPackageEventMessages\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"SSISPackageExecutableStatistics\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"SSISPackageEventMessageContext\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"SSISPackageExecutionComponentPhases\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"SSISPackageExecutionDataStatistics\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"SSISIntegrationRuntimeLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"SandboxPipelineRuns\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"SandboxActivityRuns\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#56": "{\n \"name\": \"Deploy-Diagnostics-DLAnalytics\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DataLakeAnalytics/accounts\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.DataLakeAnalytics/accounts/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"Audit\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Requests\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#57": "{\n \"name\": \"Deploy-Diagnostics-EventGridSub\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.EventGrid/eventSubscriptions\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.EventGrid/eventSubscriptions/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": []\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#58": "{\n \"name\": \"Deploy-Diagnostics-EventGridSystemTopic\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.EventGrid/systemTopics\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.EventGrid/systemTopics/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"DeliveryFailures\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#59": "{\n \"name\": \"Deploy-Diagnostics-EventGridTopic\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.2.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.EventGrid/topics\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.EventGrid/topics/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"DeliveryFailures\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"PublishFailures\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DataPlaneRequests\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", "$fxv#6": "{\n \"name\": \"Audit-PublicIpAddresses-UnusedResourcesCostOptimization\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Unused Public IP addresses driving cost should be avoided\",\n \"mode\": \"All\",\n \"description\": \"Optimize cost by detecting unused but chargeable resources. Leverage this Policy definition as a cost control to reveal orphaned Public IP addresses that are driving cost.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Cost Optimization\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"microsoft.network/publicIpAddresses\"\n },\n {\n \"field\": \"Microsoft.Network/publicIPAddresses/publicIPAllocationMethod\",\n \"equals\": \"Static\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Network/publicIPAddresses/natGateway\",\n \"exists\": false\n },\n {\n \"value\": \"[[equals(length(field('Microsoft.Network/publicIPAddresses/natGateway')), 0)]\",\n \"equals\": true\n }\n ]\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Network/publicIPAddresses/ipConfiguration\",\n \"exists\": false\n },\n {\n \"value\": \"[[equals(length(field('Microsoft.Network/publicIPAddresses/ipConfiguration')), 0)]\",\n \"equals\": true\n }\n ]\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Network/publicIPAddresses/publicIPPrefix\",\n \"exists\": false\n },\n {\n \"value\": \"[[equals(length(field('Microsoft.Network/publicIPAddresses/publicIPPrefix')), 0)]\",\n \"equals\": true\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", - "$fxv#60": "{\n \"name\": \"Deploy-Diagnostics-FrontDoor\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/frontDoors\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/frontDoors/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"FrontdoorAccessLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"FrontdoorWebApplicationFirewallLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#61": "{\n \"name\": \"Deploy-Diagnostics-Function\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Web/sites\"\n },\n {\n \"value\": \"[[field('kind')]\",\n \"contains\": \"functionapp\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Web/sites/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"FunctionAppLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#62": "{\n \"name\": \"Deploy-Diagnostics-HDInsight\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.HDInsight/clusters\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.HDInsight/clusters/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": []\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#63": "{\n \"name\": \"Deploy-Diagnostics-iotHub\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Devices/IotHubs\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Devices/IotHubs/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"Connections\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DeviceTelemetry\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"C2DCommands\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DeviceIdentityOperations\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"FileUploadOperations\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Routes\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"D2CTwinOperations\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"C2DTwinOperations\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"TwinQueries\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"JobsOperations\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DirectMethods\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DistributedTracing\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Configurations\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DeviceStreams\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#64": "{\n \"name\": \"Deploy-Diagnostics-LoadBalancer\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/loadBalancers\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/loadBalancers/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"timeGrain\": null,\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"enabled\": false,\n \"days\": 0\n }\n }\n ],\n \"logs\": [\n {\n \"category\": \"LoadBalancerAlertEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"LoadBalancerProbeHealthStatus\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#65": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Log Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Log Analytics workspaces to stream to a Log Analytics workspace when any Log Analytics workspace which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"microsoft.operationalinsights/workspaces\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"microsoft.operationalinsights/workspaces/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"Audit\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#66": "{\n \"name\": \"Deploy-Diagnostics-LogicAppsISE\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Logic/integrationAccounts\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Logic/integrationAccounts/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [],\n \"logs\": [\n {\n \"category\": \"IntegrationAccountTrackingEvents\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#67": "{\n \"name\": \"Deploy-Diagnostics-MariaDB\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated] Diagnostic Settings for MariaDB to Log Analytics Workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled. Deprecating due to service retirement, https://learn.microsoft.com/en-us/azure/mariadb/whats-happening-to-mariadb\",\n \"metadata\": {\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforMariaDB/servers\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.DBforMariaDB/servers/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"MySqlSlowLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"MySqlAuditLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#68": "{\n \"name\": \"Deploy-Diagnostics-MediaService\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Media/mediaServices\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Media/mediaServices/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"KeyDeliveryRequests\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#69": "{\n \"name\": \"Deploy-Diagnostics-MlWorkspace\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.2.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.MachineLearningServices/workspaces/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"enabled\": false,\n \"days\": 0\n }\n }\n ],\n \"logs\": [\n {\n \"category\": \"AmlComputeClusterEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AmlComputeClusterNodeEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AmlComputeJobEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AmlComputeCpuGpuUtilization\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AmlRunStatusChangedEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"ModelsChangeEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"ModelsReadEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"ModelsActionEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DeploymentReadEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DeploymentEventACI\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DeploymentEventAKS\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"InferencingOperationAKS\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"InferencingOperationACI\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DataLabelChangeEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DataLabelReadEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"ComputeInstanceEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DataStoreChangeEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DataStoreReadEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DataSetChangeEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DataSetReadEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"PipelineChangeEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"PipelineReadEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"RunEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"RunReadEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"EnvironmentChangeEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"EnvironmentReadEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#60": "{\n \"name\": \"Deploy-Diagnostics-ExpressRoute\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/expressRouteCircuits\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/expressRouteCircuits/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"PeeringRouteLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#61": "{\n \"name\": \"Deploy-Diagnostics-Firewall\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.2.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"logAnalyticsDestinationType\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics destination type\",\n \"description\": \"Select destination type for Log Analytics. Allowed values are 'Dedicated' (resource specific) and 'AzureDiagnostics'. Default is 'AzureDiagnostics'\"\n },\n \"defaultValue\": \"AzureDiagnostics\",\n \"allowedValues\": [\n \"AzureDiagnostics\",\n \"Dedicated\"\n ]\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/azureFirewalls\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"logAnalyticsDestinationType\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/azureFirewalls/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"logAnalyticsDestinationType\": \"[[parameters('logAnalyticsDestinationType')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"AzureFirewallApplicationRule\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AzureFirewallNetworkRule\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AzureFirewallDnsProxy\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AZFWNetworkRule\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AZFWApplicationRule\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AZFWNatRule\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AZFWThreatIntel\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AZFWIdpsSignature\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AZFWDnsQuery\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AZFWFqdnResolveFailure\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AZFWApplicationRuleAggregation\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AZFWNetworkRuleAggregation\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AZFWNatRuleAggregation\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AZFWFatFlow\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AZFWFlowTrace\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"logAnalyticsDestinationType\": {\n \"value\": \"[[parameters('logAnalyticsDestinationType')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#62": "{\n \"name\": \"Deploy-Diagnostics-FrontDoor\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/frontDoors\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/frontDoors/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"FrontdoorAccessLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"FrontdoorWebApplicationFirewallLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#63": "{\n \"name\": \"Deploy-Diagnostics-Function\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Web/sites\"\n },\n {\n \"value\": \"[[field('kind')]\",\n \"contains\": \"functionapp\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Web/sites/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"FunctionAppLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#64": "{\n \"name\": \"Deploy-Diagnostics-HDInsight\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.HDInsight/clusters\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.HDInsight/clusters/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": []\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#65": "{\n \"name\": \"Deploy-Diagnostics-iotHub\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Devices/IotHubs\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Devices/IotHubs/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"Connections\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DeviceTelemetry\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"C2DCommands\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DeviceIdentityOperations\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"FileUploadOperations\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Routes\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"D2CTwinOperations\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"C2DTwinOperations\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"TwinQueries\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"JobsOperations\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DirectMethods\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DistributedTracing\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Configurations\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DeviceStreams\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#66": "{\n \"name\": \"Deploy-Diagnostics-LoadBalancer\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/loadBalancers\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/loadBalancers/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"timeGrain\": null,\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"enabled\": false,\n \"days\": 0\n }\n }\n ],\n \"logs\": [\n {\n \"category\": \"LoadBalancerAlertEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"LoadBalancerProbeHealthStatus\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#67": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Log Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Log Analytics workspaces to stream to a Log Analytics workspace when any Log Analytics workspace which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"microsoft.operationalinsights/workspaces\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"microsoft.operationalinsights/workspaces/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"Audit\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#68": "{\n \"name\": \"Deploy-Diagnostics-LogicAppsISE\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Logic/integrationAccounts\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Logic/integrationAccounts/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [],\n \"logs\": [\n {\n \"category\": \"IntegrationAccountTrackingEvents\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#69": "{\n \"name\": \"Deploy-Diagnostics-MariaDB\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated] Diagnostic Settings for MariaDB to Log Analytics Workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled. Deprecating due to service retirement, https://learn.microsoft.com/en-us/azure/mariadb/whats-happening-to-mariadb\",\n \"metadata\": {\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforMariaDB/servers\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.DBforMariaDB/servers/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"MySqlSlowLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"MySqlAuditLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", "$fxv#7": "{\n \"name\": \"Audit-ServerFarms-UnusedResourcesCostOptimization\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Unused App Service plans driving cost should be avoided\",\n \"mode\": \"All\",\n \"description\": \"Optimize cost by detecting unused but chargeable resources. Leverage this Policy definition as a cost control to reveal orphaned App Service plans that are driving cost.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cost Optimization\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Web/serverfarms\"\n },\n {\n \"field\": \"Microsoft.Web/serverFarms/sku.tier\",\n \"notEquals\": \"Free\"\n },\n {\n \"field\": \"Microsoft.Web/serverFarms/numberOfSites\",\n \"equals\": 0\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", - "$fxv#70": "{\n \"name\": \"Deploy-Diagnostics-MySQL\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforMySQL/servers\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.DBforMySQL/servers/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"MySqlSlowLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"MySqlAuditLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#71": "{\n \"name\": \"Deploy-Diagnostics-NetworkSecurityGroups\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/networkSecurityGroups\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/networkSecurityGroups/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [],\n \"logs\": [\n {\n \"category\": \"NetworkSecurityGroupEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"NetworkSecurityGroupRuleCounter\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#72": "{\n \"name\": \"Deploy-Diagnostics-NIC\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/networkInterfaces\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/networkInterfaces/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"timeGrain\": null,\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"enabled\": false,\n \"days\": 0\n }\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#73": "{\n \"name\": \"Deploy-Diagnostics-PostgreSQL\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"2.0.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"anyOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforPostgreSQL/flexibleServers\"\n },\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforPostgreSQL/servers\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"resourceType\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"condition\": \"[[startsWith(parameters('resourceType'),'Microsoft.DBforPostgreSQL/flexibleServers')]\",\n \"type\": \"Microsoft.DBforPostgreSQL/flexibleServers/providers/diagnosticSettings\",\n \"apiVersion\": \"2021-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"PostgreSQLLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n },\n {\n \"condition\": \"[[startsWith(parameters('resourceType'),'Microsoft.DBforPostgreSQL/servers')]\",\n \"type\": \"Microsoft.DBforPostgreSQL/servers/providers/diagnosticSettings\",\n \"apiVersion\": \"2021-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"PostgreSQLLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"QueryStoreRuntimeStatistics\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"QueryStoreWaitStatistics\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"resourceType\": {\n \"value\": \"[[field('type')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#74": "{\n \"name\": \"Deploy-Diagnostics-PowerBIEmbedded\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.PowerBIDedicated/capacities\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.PowerBIDedicated/capacities/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"Engine\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#75": "{\n \"name\": \"Deploy-Diagnostics-RedisCache\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Cache/redis\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Cache/redis/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": []\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#76": "{\n \"name\": \"Deploy-Diagnostics-Relay\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Relay/namespaces\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Relay/namespaces/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"HybridConnectionsEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#77": "{\n \"name\": \"Deploy-Diagnostics-SignalR\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.SignalRService/SignalR\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.SignalRService/SignalR/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"AllLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#78": "{\n \"name\": \"Deploy-Diagnostics-SQLElasticPools\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Sql/servers/elasticPools\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Sql/servers/elasticPools/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": []\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('fullName')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#79": "{\n \"name\": \"Deploy-Diagnostics-SQLMI\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Sql/managedInstances\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Sql/managedInstances/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"logs\": [\n {\n \"category\": \"ResourceUsageStats\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"SQLSecurityAuditEvents\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DevOpsOperationsAudit\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#70": "{\n \"name\": \"Deploy-Diagnostics-MediaService\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Media/mediaServices\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Media/mediaServices/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"KeyDeliveryRequests\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#71": "{\n \"name\": \"Deploy-Diagnostics-MlWorkspace\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.2.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.MachineLearningServices/workspaces/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"enabled\": false,\n \"days\": 0\n }\n }\n ],\n \"logs\": [\n {\n \"category\": \"AmlComputeClusterEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AmlComputeClusterNodeEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AmlComputeJobEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AmlComputeCpuGpuUtilization\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AmlRunStatusChangedEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"ModelsChangeEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"ModelsReadEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"ModelsActionEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DeploymentReadEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DeploymentEventACI\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DeploymentEventAKS\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"InferencingOperationAKS\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"InferencingOperationACI\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DataLabelChangeEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DataLabelReadEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"ComputeInstanceEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DataStoreChangeEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DataStoreReadEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DataSetChangeEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DataSetReadEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"PipelineChangeEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"PipelineReadEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"RunEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"RunReadEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"EnvironmentChangeEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"EnvironmentReadEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#72": "{\n \"name\": \"Deploy-Diagnostics-MySQL\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforMySQL/servers\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.DBforMySQL/servers/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"MySqlSlowLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"MySqlAuditLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#73": "{\n \"name\": \"Deploy-Diagnostics-NetworkSecurityGroups\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/networkSecurityGroups\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/networkSecurityGroups/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [],\n \"logs\": [\n {\n \"category\": \"NetworkSecurityGroupEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"NetworkSecurityGroupRuleCounter\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#74": "{\n \"name\": \"Deploy-Diagnostics-NIC\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/networkInterfaces\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/networkInterfaces/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"timeGrain\": null,\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"enabled\": false,\n \"days\": 0\n }\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#75": "{\n \"name\": \"Deploy-Diagnostics-PostgreSQL\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"2.0.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"anyOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforPostgreSQL/flexibleServers\"\n },\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforPostgreSQL/servers\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"resourceType\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"condition\": \"[[startsWith(parameters('resourceType'),'Microsoft.DBforPostgreSQL/flexibleServers')]\",\n \"type\": \"Microsoft.DBforPostgreSQL/flexibleServers/providers/diagnosticSettings\",\n \"apiVersion\": \"2021-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"PostgreSQLLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n },\n {\n \"condition\": \"[[startsWith(parameters('resourceType'),'Microsoft.DBforPostgreSQL/servers')]\",\n \"type\": \"Microsoft.DBforPostgreSQL/servers/providers/diagnosticSettings\",\n \"apiVersion\": \"2021-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"PostgreSQLLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"QueryStoreRuntimeStatistics\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"QueryStoreWaitStatistics\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"resourceType\": {\n \"value\": \"[[field('type')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#76": "{\n \"name\": \"Deploy-Diagnostics-PowerBIEmbedded\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.PowerBIDedicated/capacities\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.PowerBIDedicated/capacities/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"Engine\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#77": "{\n \"name\": \"Deploy-Diagnostics-RedisCache\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Cache/redis\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Cache/redis/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": []\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#78": "{\n \"name\": \"Deploy-Diagnostics-Relay\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Relay/namespaces\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Relay/namespaces/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"HybridConnectionsEvent\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#79": "{\n \"name\": \"Deploy-Diagnostics-SignalR\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.SignalRService/SignalR\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.SignalRService/SignalR/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"AllLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", "$fxv#8": "{\n \"name\": \"Audit-AzureHybridBenefit\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Audit AHUB for eligible VMs\",\n \"mode\": \"All\",\n \"description\": \"Optimize cost by enabling Azure Hybrid Benefit. Leverage this Policy definition as a cost control to reveal Virtual Machines not using AHUB.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cost Optimization\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"in\": [\n \"Microsoft.Compute/virtualMachines\",\n \"Microsoft.Compute/virtualMachineScaleSets\"\n ]\n },\n {\n \"equals\": \"MicrosoftWindowsServer\",\n \"field\": \"Microsoft.Compute/imagePublisher\"\n },\n {\n \"equals\": \"WindowsServer\",\n \"field\": \"Microsoft.Compute/imageOffer\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Compute/imageSKU\",\n \"like\": \"2008-R2-SP1*\"\n },\n {\n \"field\": \"Microsoft.Compute/imageSKU\",\n \"like\": \"2012-*\"\n },\n {\n \"field\": \"Microsoft.Compute/imageSKU\",\n \"like\": \"2016-*\"\n },\n {\n \"field\": \"Microsoft.Compute/imageSKU\",\n \"like\": \"2019-*\"\n },\n {\n \"field\": \"Microsoft.Compute/imageSKU\",\n \"like\": \"2022-*\"\n }\n ]\n },\n {\n \"field\": \"Microsoft.Compute/licenseType\",\n \"notEquals\": \"Windows_Server\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", - "$fxv#80": "{\n \"name\": \"Deploy-Diagnostics-TimeSeriesInsights\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.TimeSeriesInsights/environments\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.TimeSeriesInsights/environments/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"Ingress\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Management\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#81": "{\n \"name\": \"Deploy-Diagnostics-TrafficManager\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/trafficManagerProfiles\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/trafficManagerProfiles/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"ProbeHealthStatusEvents\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#82": "{\n \"name\": \"Deploy-Diagnostics-VirtualNetwork\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworks\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/virtualNetworks/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"enabled\": false,\n \"days\": 0\n }\n }\n ],\n \"logs\": [\n {\n \"category\": \"VMProtectionAlerts\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#83": "{\n \"name\": \"Deploy-Diagnostics-VM\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Compute/virtualMachines\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Compute/virtualMachines/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"enabled\": false,\n \"days\": 0\n }\n }\n ],\n \"logs\": []\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#84": "{\n \"name\": \"Deploy-Diagnostics-VMSS\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Compute/virtualMachineScaleSets\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Compute/virtualMachineScaleSets/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"enabled\": false,\n \"days\": 0\n }\n }\n ],\n \"logs\": []\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#85": "{\n \"name\": \"Deploy-Diagnostics-VNetGW\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.1-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworkGateways\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/virtualNetworkGateways/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"GatewayDiagnosticLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"IKEDiagnosticLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"P2SDiagnosticLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"RouteDiagnosticLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"TunnelDiagnosticLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#86": "{\n \"name\": \"Deploy-Diagnostics-WebServerFarm\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Web/serverfarms\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Web/serverfarms/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": []\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#87": "{\n \"name\": \"Deploy-Diagnostics-Website\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.2.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Web/sites\"\n },\n {\n \"value\": \"[[field('kind')]\",\n \"notContains\": \"functionapp\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"[[parameters('metricsEnabled')]\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n },\n \"serverFarmId\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {\n \"logs\": {\n \"premiumTierLogs\": [\n {\n \"category\": \"AppServiceAntivirusScanAuditLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AppServiceHTTPLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AppServiceConsoleLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AppServiceAppLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AppServiceFileAuditLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AppServiceAuditLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AppServiceIPSecAuditLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AppServicePlatformLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ],\n \"otherTierLogs\": [ \n {\n \"category\": \"AppServiceHTTPLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AppServiceConsoleLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AppServiceAppLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AppServiceAuditLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AppServiceIPSecAuditLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AppServicePlatformLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Web/sites/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": \"[[if(startsWith(reference(parameters('serverFarmId'), '2021-03-01', 'Full').sku.tier, 'Premium'), variables('logs').premiumTierLogs, variables('logs').otherTierLogs)]\"\n }\n }\n ],\n \"outputs\": {\n \"policy\": {\n \"type\": \"string\",\n \"value\": \"[[concat(parameters('logAnalytics'), 'configured for diagnostic logs for ', ': ', parameters('resourceName'))]\"\n }\n }\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n },\n \"serverFarmId\": {\n \"value\": \"[[field('Microsoft.Web/sites/serverFarmId')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#88": "{\n \"name\": \"Deploy-Diagnostics-WVDAppGroup\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for AVD Application group to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application group to stream to a Log Analytics workspace when any application group which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.1-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DesktopVirtualization/applicationGroups\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.DesktopVirtualization/applicationGroups/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"logs\": [\n {\n \"category\": \"Checkpoint\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Error\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Management\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#89": "{\n \"name\": \"Deploy-Diagnostics-WVDHostPools\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for AVD Host Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host Pools to stream to a Log Analytics workspace when any Host Pools which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.3.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DesktopVirtualization/hostpools\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.DesktopVirtualization/hostpools/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"logs\": [\n {\n \"category\": \"Checkpoint\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Error\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Management\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Connection\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"HostRegistration\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AgentHealthStatus\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"NetworkData\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"SessionHostManagement\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"ConnectionGraphicsData\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#9": "{\n \"name\": \"Deny-AppGW-Without-WAF\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Application Gateway should be deployed with WAF enabled\",\n \"description\": \"This policy enables you to restrict that Application Gateways is always deployed with WAF enabled\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/applicationGateways\"\n },\n {\n \"field\": \"Microsoft.Network/applicationGateways/sku.name\",\n \"notequals\": \"WAF_v2\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}\n", - "$fxv#90": "{\n \"name\": \"Deploy-Diagnostics-WVDWorkspace\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.1-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DesktopVirtualization/workspaces\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.DesktopVirtualization/workspaces/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"logs\": [\n {\n \"category\": \"Checkpoint\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Error\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Management\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Feed\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#91": "{\n \"name\": \"Deploy-FirewallPolicy\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy Azure Firewall Manager policy in the subscription\",\n \"description\": \"Deploys Azure Firewall Manager policy in subscription where the policy is assigned.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"fwpolicy\": {\n \"type\": \"Object\",\n \"metadata\": {\n \"displayName\": \"fwpolicy\",\n \"description\": \"Object describing Azure Firewall Policy\"\n },\n \"defaultValue\": {}\n },\n \"fwPolicyRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"fwPolicyRegion\",\n \"description\": \"Select Azure region for Azure Firewall Policy\",\n \"strongType\": \"location\"\n }\n },\n \"rgName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"rgName\",\n \"description\": \"Provide name for resource group.\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Resources/subscriptions\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/firewallPolicies\",\n \"deploymentScope\": \"subscription\",\n \"existenceScope\": \"resourceGroup\",\n \"resourceGroupName\": \"[[parameters('rgName')]\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n ],\n \"deployment\": {\n \"location\": \"northeurope\",\n \"properties\": {\n \"mode\": \"Incremental\",\n \"parameters\": {\n \"rgName\": {\n \"value\": \"[[parameters('rgName')]\"\n },\n \"fwPolicy\": {\n \"value\": \"[[parameters('fwPolicy')]\"\n },\n \"fwPolicyRegion\": {\n \"value\": \"[[parameters('fwPolicyRegion')]\"\n }\n },\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"rgName\": {\n \"type\": \"String\"\n },\n \"fwPolicy\": {\n \"type\": \"object\"\n },\n \"fwPolicyRegion\": {\n \"type\": \"String\"\n }\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Resources/resourceGroups\",\n \"apiVersion\": \"2018-05-01\",\n \"name\": \"[[parameters('rgName')]\",\n \"location\": \"[[deployment().location]\",\n \"properties\": {}\n },\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2018-05-01\",\n \"name\": \"fwpolicies\",\n \"resourceGroup\": \"[[parameters('rgName')]\",\n \"dependsOn\": [\n \"[[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {},\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/firewallPolicies\",\n \"apiVersion\": \"2019-09-01\",\n \"name\": \"[[parameters('fwpolicy').firewallPolicyName]\",\n \"location\": \"[[parameters('fwpolicy').location]\",\n \"dependsOn\": [],\n \"tags\": {},\n \"properties\": {},\n \"resources\": [\n {\n \"type\": \"ruleGroups\",\n \"apiVersion\": \"2019-09-01\",\n \"name\": \"[[parameters('fwpolicy').ruleGroups.name]\",\n \"dependsOn\": [\n \"[[resourceId('Microsoft.Network/firewallPolicies',parameters('fwpolicy').firewallPolicyName)]\"\n ],\n \"properties\": {\n \"priority\": \"[[parameters('fwpolicy').ruleGroups.properties.priority]\",\n \"rules\": \"[[parameters('fwpolicy').ruleGroups.properties.rules]\"\n }\n }\n ]\n }\n ],\n \"outputs\": {}\n }\n }\n }\n ],\n \"outputs\": {}\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#92": "{\n \"name\": \"Deploy-MySQL-sslEnforcement\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Azure Database for MySQL server deploy a specific min TLS version and enforce SSL.\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Enable or disable the execution of the policy minimum TLS version Azure Database for MySQL server\"\n }\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforMySQL/servers\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.DBforMySQL/servers/sslEnforcement\",\n \"notEquals\": \"Enabled\"\n },\n {\n \"field\": \"Microsoft.DBforMySQL/servers/minimalTlsVersion\",\n \"less\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.DBforMySQL/servers\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.DBforMySQL/servers/sslEnforcement\",\n \"equals\": \"Enabled\"\n },\n {\n \"field\": \"Microsoft.DBforMySQL/servers/minimalTlsVersion\",\n \"equals\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.DBforMySQL/servers\",\n \"apiVersion\": \"2017-12-01\",\n \"name\": \"[[concat(parameters('resourceName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"sslEnforcement\": \"[[if(equals(parameters('minimalTlsVersion'), 'TLSEnforcementDisabled'),'Disabled', 'Enabled')]\",\n \"minimalTlsVersion\": \"[[parameters('minimalTlsVersion')]\"\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('minimalTlsVersion')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#93": "{\n \"name\": \"Deploy-Nsg-FlowLogs-to-LA\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated] Deploys NSG flow logs and traffic analytics to Log Analytics\",\n \"description\": \"[Deprecated] Deprecated by built-in policy. Deploys NSG flow logs and traffic analytics to Log Analytics with a specified retention period. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/e920df7f-9a64-4066-9b58-52684c02a091.html\",\n \"metadata\": {\n \"deprecated\": true,\n \"supersededBy\": \"e920df7f-9a64-4066-9b58-52684c02a091\",\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"retention\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"Retention\"\n },\n \"defaultValue\": 5\n },\n \"interval\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"Traffic Analytics processing interval mins (10/60)\"\n },\n \"defaultValue\": 60\n },\n \"workspace\": {\n \"type\": \"String\",\n \"metadata\": {\n \"strongType\": \"omsWorkspace\",\n \"displayName\": \"Resource ID of Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\"\n },\n \"defaultValue\": \"\"\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/networkSecurityGroups\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/networkWatchers/flowlogs\",\n \"name\": \"[[if(empty(coalesce(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id'))), 'null/null', concat(split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[8], '/', split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[10]))]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/networkWatchers/flowLogs/enabled\",\n \"equals\": \"true\"\n }\n ]\n },\n \"existenceScope\": \"resourceGroup\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\",\n \"/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12\",\n \"/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\",\n \"/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab\",\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n ],\n \"resourceGroupName\": \"[[if(empty(coalesce(field('Microsoft.Network/networkSecurityGroups/flowLogs'))), 'NetworkWatcherRG', split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[4])]\",\n \"deploymentScope\": \"subscription\",\n \"deployment\": {\n \"location\": \"northeurope\",\n \"properties\": {\n \"mode\": \"Incremental\",\n \"parameters\": {\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"networkSecurityGroup\": {\n \"value\": \"[[field('id')]\"\n },\n \"workspace\": {\n \"value\": \"[[parameters('workspace')]\"\n },\n \"retention\": {\n \"value\": \"[[parameters('retention')]\"\n },\n \"interval\": {\n \"value\": \"[[parameters('interval')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"location\": {\n \"type\": \"String\"\n },\n \"networkSecurityGroup\": {\n \"type\": \"String\"\n },\n \"workspace\": {\n \"type\": \"String\"\n },\n \"retention\": {\n \"type\": \"int\"\n },\n \"interval\": {\n \"type\": \"int\"\n },\n \"time\": {\n \"type\": \"String\",\n \"defaultValue\": \"[[utcNow()]\"\n }\n },\n \"variables\": {\n \"resourceGroupName\": \"[[split(parameters('networkSecurityGroup'), '/')[4]]\",\n \"securityGroupName\": \"[[split(parameters('networkSecurityGroup'), '/')[8]]\",\n \"storageAccountName\": \"[[concat('es', uniqueString(variables('securityGroupName'), parameters('time')))]\"\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2019-10-01\",\n \"name\": \"[[concat(variables('resourceGroupName'), '.', variables('securityGroupName'))]\",\n \"resourceGroup\": \"[[variables('resourceGroupName')]\",\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"resources\": [\n {\n \"type\": \"Microsoft.Storage/storageAccounts\",\n \"apiVersion\": \"2019-06-01\",\n \"name\": \"[[variables('storageAccountName')]\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {},\n \"kind\": \"StorageV2\",\n \"sku\": {\n \"name\": \"Standard_LRS\",\n \"tier\": \"Standard\"\n }\n }\n ]\n }\n }\n },\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2019-10-01\",\n \"name\": \"[[concat('NetworkWatcherRG', '.', variables('securityGroupName'))]\",\n \"resourceGroup\": \"NetworkWatcherRG\",\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/networkWatchers\",\n \"apiVersion\": \"2020-05-01\",\n \"name\": \"[[concat('NetworkWatcher_', toLower(parameters('location')))]\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {},\n \"resources\": [\n {\n \"type\": \"flowLogs\",\n \"apiVersion\": \"2019-11-01\",\n \"name\": \"[[concat(variables('securityGroupName'), '-Network-flowlog')]\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"enabled\": true,\n \"format\": {\n \"type\": \"JSON\",\n \"version\": 2\n },\n \"retentionPolicy\": {\n \"days\": \"[[parameters('retention')]\",\n \"enabled\": true\n },\n \"flowAnalyticsConfiguration\": {\n \"networkWatcherFlowAnalyticsConfiguration\": {\n \"enabled\": true,\n \"trafficAnalyticsInterval\": \"[[parameters('interval')]\",\n \"workspaceResourceId\": \"[[parameters('workspace')]\"\n }\n },\n \"storageId\": \"[[concat(subscription().id, '/resourceGroups/', variables('resourceGroupName'), '/providers/Microsoft.Storage/storageAccounts/', variables('storageAccountName'))]\",\n \"targetResourceId\": \"[[parameters('networkSecurityGroup')]\"\n },\n \"dependsOn\": [\n \"[[concat('NetworkWatcher_', toLower(parameters('location')))]\"\n ]\n }\n ]\n }\n ]\n }\n },\n \"dependsOn\": [\n \"[[concat(variables('resourceGroupName'), '.', variables('securityGroupName'))]\"\n ]\n }\n ],\n \"outputs\": {}\n }\n }\n }\n }\n }\n }\n }\n}", - "$fxv#94": "{\n \"name\": \"Deploy-Nsg-FlowLogs\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated] Deploys NSG flow logs and traffic analytics\",\n \"description\": \"[Deprecated] Deprecated by built-in policy. Deploys NSG flow logs and traffic analytics to a storageaccountid with a specified retention period. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/e920df7f-9a64-4066-9b58-52684c02a091.html\",\n \"metadata\": {\n \"deprecated\": true,\n \"supersededBy\": \"e920df7f-9a64-4066-9b58-52684c02a091\",\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"retention\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"Retention\"\n },\n \"defaultValue\": 5\n },\n \"storageAccountResourceId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Storage Account Resource Id\",\n \"strongType\": \"Microsoft.Storage/storageAccounts\"\n }\n },\n \"trafficAnalyticsInterval\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"Traffic Analytics processing interval mins (10/60)\"\n },\n \"defaultValue\": 60\n },\n \"flowAnalyticsEnabled\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"Enable Traffic Analytics\"\n },\n \"defaultValue\": false\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"strongType\": \"omsWorkspace\",\n \"displayName\": \"Resource ID of Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\"\n },\n \"defaultValue\": \"\"\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/networkSecurityGroups\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/networkWatchers/flowLogs\",\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"resourceGroupName\": \"NetworkWatcherRG\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/networkWatchers/flowLogs/enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Network/networkWatchers/flowLogs/flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled\",\n \"equals\": \"[[parameters('flowAnalyticsEnabled')]\"\n }\n ]\n },\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"parameters\": {\n \"networkSecurityGroupName\": {\n \"value\": \"[[field('name')]\"\n },\n \"resourceGroupName\": {\n \"value\": \"[[resourceGroup().name]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"storageAccountResourceId\": {\n \"value\": \"[[parameters('storageAccountResourceId')]\"\n },\n \"retention\": {\n \"value\": \"[[parameters('retention')]\"\n },\n \"flowAnalyticsEnabled\": {\n \"value\": \"[[parameters('flowAnalyticsEnabled')]\"\n },\n \"trafficAnalyticsInterval\": {\n \"value\": \"[[parameters('trafficAnalyticsInterval')]\"\n },\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"networkSecurityGroupName\": {\n \"type\": \"String\"\n },\n \"resourceGroupName\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"storageAccountResourceId\": {\n \"type\": \"String\"\n },\n \"retention\": {\n \"type\": \"int\"\n },\n \"flowAnalyticsEnabled\": {\n \"type\": \"bool\"\n },\n \"trafficAnalyticsInterval\": {\n \"type\": \"int\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/networkWatchers/flowLogs\",\n \"apiVersion\": \"2020-05-01\",\n \"name\": \"[[take(concat('NetworkWatcher_', toLower(parameters('location')), '/', parameters('networkSecurityGroupName'), '-', parameters('resourceGroupName'), '-flowlog' ), 80)]\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"targetResourceId\": \"[[resourceId(parameters('resourceGroupName'), 'Microsoft.Network/networkSecurityGroups', parameters('networkSecurityGroupName'))]\",\n \"storageId\": \"[[parameters('storageAccountResourceId')]\",\n \"enabled\": true,\n \"retentionPolicy\": {\n \"enabled\": true,\n \"days\": \"[[parameters('retention')]\"\n },\n \"format\": {\n \"type\": \"JSON\",\n \"version\": 2\n },\n \"flowAnalyticsConfiguration\": {\n \"networkWatcherFlowAnalyticsConfiguration\": {\n \"enabled\": \"[[bool(parameters('flowAnalyticsEnabled'))]\",\n \"trafficAnalyticsInterval\": \"[[parameters('trafficAnalyticsInterval')]\",\n \"workspaceId\": \"[[if(not(empty(parameters('logAnalytics'))), reference(parameters('logAnalytics'), '2020-03-01-preview', 'Full').properties.customerId, json('null')) ]\",\n \"workspaceRegion\": \"[[if(not(empty(parameters('logAnalytics'))), reference(parameters('logAnalytics'), '2020-03-01-preview', 'Full').location, json('null')) ]\",\n \"workspaceResourceId\": \"[[if(not(empty(parameters('logAnalytics'))), parameters('logAnalytics'), json('null'))]\"\n }\n }\n }\n }\n ],\n \"outputs\": {}\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#95": "{\n \"name\": \"Deploy-PostgreSQL-sslEnforcement\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Azure Database for PostgreSQL server deploy a specific min TLS version requirement and enforce SSL \",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect Azure Database for PostgreSQL server\",\n \"description\": \"Enable or disable the execution of the policy minimum TLS version Azure Database for PostgreSQL server\"\n }\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Select version for PostgreSQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for PostgreSQL server to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforPostgreSQL/servers\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/sslEnforcement\",\n \"notEquals\": \"Enabled\"\n },\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/minimalTlsVersion\",\n \"less\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.DBforPostgreSQL/servers\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/sslEnforcement\",\n \"equals\": \"Enabled\"\n },\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/minimalTlsVersion\",\n \"equals\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n },\n \"name\": \"current\",\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.DBforPostgreSQL/servers\",\n \"apiVersion\": \"2017-12-01\",\n \"name\": \"[[concat(parameters('resourceName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"sslEnforcement\": \"[[if(equals(parameters('minimalTlsVersion'), 'TLSEnforcementDisabled'),'Disabled', 'Enabled')]\",\n \"minimalTlsVersion\": \"[[parameters('minimalTlsVersion')]\"\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('minimalTlsVersion')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#96": "{\n \"name\": \"Deploy-Sql-AuditingSettings\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy SQL database auditing settings\",\n \"description\": \"Deploy auditing settings to SQL Database when it not exist in the deployment\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Sql/servers/databases\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Sql/servers/databases/auditingSettings\",\n \"name\": \"default\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Sql/servers/databases/auditingSettings/state\",\n \"equals\": \"enabled\"\n },\n {\n \"field\": \"Microsoft.Sql/servers/databases/auditingSettings/isAzureMonitorTargetEnabled\",\n \"equals\": \"true\"\n }\n ]\n },\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"location\": {\n \"type\": \"String\"\n },\n \"sqlServerName\": {\n \"type\": \"String\"\n },\n \"sqlServerDataBaseName\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"name\": \"[[concat( parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/default')]\",\n \"type\": \"Microsoft.Sql/servers/databases/auditingSettings\",\n \"apiVersion\": \"2017-03-01-preview\",\n \"properties\": {\n \"state\": \"enabled\",\n \"auditActionsAndGroups\": [\n \"BATCH_COMPLETED_GROUP\",\n \"DATABASE_OBJECT_CHANGE_GROUP\",\n \"SCHEMA_OBJECT_CHANGE_GROUP\",\n \"BACKUP_RESTORE_GROUP\",\n \"APPLICATION_ROLE_CHANGE_PASSWORD_GROUP\",\n \"DATABASE_PRINCIPAL_CHANGE_GROUP\",\n \"DATABASE_PRINCIPAL_IMPERSONATION_GROUP\",\n \"DATABASE_ROLE_MEMBER_CHANGE_GROUP\",\n \"USER_CHANGE_PASSWORD_GROUP\",\n \"DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP\",\n \"DATABASE_OBJECT_PERMISSION_CHANGE_GROUP\",\n \"DATABASE_PERMISSION_CHANGE_GROUP\",\n \"SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP\",\n \"SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP\",\n \"FAILED_DATABASE_AUTHENTICATION_GROUP\"\n ],\n \"isAzureMonitorTargetEnabled\": true\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"sqlServerName\": {\n \"value\": \"[[first(split(field('fullname'),'/'))]\"\n },\n \"sqlServerDataBaseName\": {\n \"value\": \"[[field('name')]\"\n }\n }\n }\n },\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3\"\n ]\n }\n }\n }\n }\n}\n", - "$fxv#97": "{\n \"name\": \"Deploy-SQL-minTLS\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"SQL servers deploys a specific min TLS version requirement.\",\n \"description\": \"Deploys a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect SQL servers\",\n \"description\": \"Enable or disable the execution of the policy minimum TLS version SQL servers\"\n }\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.1\",\n \"1.0\"\n ],\n \"metadata\": {\n \"displayName\": \"Select version for SQL server\",\n \"description\": \"Select version minimum TLS version SQL servers to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Sql/servers\"\n },\n {\n \"field\": \"Microsoft.Sql/servers/minimalTlsVersion\",\n \"less\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Sql/servers\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Sql/servers/minimalTlsVersion\",\n \"equals\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n },\n \"name\": \"current\",\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Sql/servers\",\n \"apiVersion\": \"2019-06-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"minimalTlsVersion\": \"[[parameters('minimalTlsVersion')]\"\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('minimalTlsVersion')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#98": "{\n \"name\": \"Deploy-Sql-SecurityAlertPolicies\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy SQL Database security Alert Policies configuration with email admin accounts\",\n \"description\": \"Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration\",\n \"metadata\": {\n \"version\": \"1.1.1\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"emailAddresses\":{\n \"type\":\"Array\",\n \"defaultValue\":[\n \"admin@contoso.com\",\n \"admin@fabrikam.com\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Sql/servers/databases\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Sql/servers/databases/securityAlertPolicies\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Sql/servers/databases/securityAlertPolicies/state\",\n \"equals\": \"Enabled\"\n }\n ]\n },\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"location\": {\n \"type\": \"String\"\n },\n \"sqlServerName\": {\n \"type\": \"String\"\n },\n \"sqlServerDataBaseName\": {\n \"type\": \"String\"\n },\n \"emailAddresses\": {\n \"type\": \"Array\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"name\": \"[[concat(parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/default')]\",\n \"type\": \"Microsoft.Sql/servers/databases/securityAlertPolicies\",\n \"apiVersion\": \"2018-06-01-preview\",\n \"properties\": {\n \"state\": \"Enabled\",\n \"disabledAlerts\": [\n \"\"\n ],\n \"emailAddresses\": \"[[parameters('emailAddresses')]\",\n \"emailAccountAdmins\": true,\n \"storageEndpoint\": null,\n \"storageAccountAccessKey\": \"\",\n \"retentionDays\": 0\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"sqlServerName\": {\n \"value\": \"[[first(split(field('fullname'),'/'))]\"\n },\n \"sqlServerDataBaseName\": {\n \"value\": \"[[field('name')]\"\n },\n \"emailAddresses\":{\n \"value\": \"[[parameters('emailAddresses')]\"\n }\n }\n }\n },\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3\"\n ]\n }\n }\n }\n }\n}\n", - "$fxv#99": "{\n \"name\": \"Deploy-Sql-Tde\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated] Deploy SQL Database Transparent Data Encryption\",\n \"description\": \"Deploy the Transparent Data Encryption when it is not enabled in the deployment. Please use this policy instead https://www.azadvertizer.net/azpolicyadvertizer/86a912f6-9a06-4e26-b447-11b16ba8659f.html\",\n \"metadata\": {\n \"deprecated\": true,\n \"supersededBy\": \"86a912f6-9a06-4e26-b447-11b16ba8659f\",\n \"version\": \"1.1.1-deprecated\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"excludedDatabases\": {\n \"type\": \"Array\",\n \"metadata\":{\n \"displayName\": \"Excluded Databases\",\n \"description\": \"Array of databases that are excluded from this policy\"\n },\n \"defaultValue\": [\n \"master\",\n \"model\",\n \"tempdb\",\n \"msdb\",\n \"resource\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Sql/servers/databases\"\n },\n {\n \"field\": \"name\",\n \"notIn\": \"[[parameters('excludedDatabases')]\"\n\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Sql/servers/databases/transparentDataEncryption\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Sql/transparentDataEncryption.status\",\n \"equals\": \"Enabled\"\n }\n ]\n },\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"location\": {\n \"type\": \"String\"\n },\n \"sqlServerName\": {\n \"type\": \"String\"\n },\n \"sqlServerDataBaseName\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"name\": \"[[concat( parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/current')]\",\n \"type\": \"Microsoft.Sql/servers/databases/transparentDataEncryption\",\n \"apiVersion\": \"2014-04-01\",\n \"properties\": {\n \"status\": \"Enabled\"\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"sqlServerName\": {\n \"value\": \"[[first(split(field('fullname'),'/'))]\"\n },\n \"sqlServerDataBaseName\": {\n \"value\": \"[[field('name')]\"\n }\n }\n }\n },\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3\"\n ]\n }\n }\n }\n }\n}", + "$fxv#80": "{\n \"name\": \"Deploy-Diagnostics-SQLElasticPools\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Sql/servers/elasticPools\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Sql/servers/elasticPools/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": []\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('fullName')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#81": "{\n \"name\": \"Deploy-Diagnostics-SQLMI\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Sql/managedInstances\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Sql/managedInstances/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"logs\": [\n {\n \"category\": \"ResourceUsageStats\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"SQLSecurityAuditEvents\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"DevOpsOperationsAudit\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#82": "{\n \"name\": \"Deploy-Diagnostics-TimeSeriesInsights\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.TimeSeriesInsights/environments\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.TimeSeriesInsights/environments/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"Ingress\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Management\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#83": "{\n \"name\": \"Deploy-Diagnostics-TrafficManager\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/trafficManagerProfiles\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/trafficManagerProfiles/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"ProbeHealthStatusEvents\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#84": "{\n \"name\": \"Deploy-Diagnostics-VirtualNetwork\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworks\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/virtualNetworks/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"enabled\": false,\n \"days\": 0\n }\n }\n ],\n \"logs\": [\n {\n \"category\": \"VMProtectionAlerts\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#85": "{\n \"name\": \"Deploy-Diagnostics-VM\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Compute/virtualMachines\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Compute/virtualMachines/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"enabled\": false,\n \"days\": 0\n }\n }\n ],\n \"logs\": []\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#86": "{\n \"name\": \"Deploy-Diagnostics-VMSS\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Compute/virtualMachineScaleSets\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Compute/virtualMachineScaleSets/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"enabled\": false,\n \"days\": 0\n }\n }\n ],\n \"logs\": []\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#87": "{\n \"name\": \"Deploy-Diagnostics-VNetGW\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.1-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworkGateways\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/virtualNetworkGateways/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": [\n {\n \"category\": \"GatewayDiagnosticLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"IKEDiagnosticLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"P2SDiagnosticLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"RouteDiagnosticLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"TunnelDiagnosticLog\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#88": "{\n \"name\": \"Deploy-Diagnostics-WebServerFarm\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Web/serverfarms\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Web/serverfarms/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": []\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#89": "{\n \"name\": \"Deploy-Diagnostics-Website\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.2.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"metricsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable metrics\",\n \"description\": \"Whether to enable metrics stream to the Log Analytics workspace - True or False\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Web/sites\"\n },\n {\n \"value\": \"[[field('kind')]\",\n \"notContains\": \"functionapp\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\n \"equals\": \"[[parameters('metricsEnabled')]\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"metricsEnabled\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n },\n \"serverFarmId\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {\n \"logs\": {\n \"premiumTierLogs\": [\n {\n \"category\": \"AppServiceAntivirusScanAuditLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AppServiceHTTPLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AppServiceConsoleLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AppServiceAppLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AppServiceFileAuditLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AppServiceAuditLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AppServiceIPSecAuditLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AppServicePlatformLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ],\n \"otherTierLogs\": [ \n {\n \"category\": \"AppServiceHTTPLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AppServiceConsoleLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AppServiceAppLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AppServiceAuditLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AppServiceIPSecAuditLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AppServicePlatformLogs\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Web/sites/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"metrics\": [\n {\n \"category\": \"AllMetrics\",\n \"enabled\": \"[[parameters('metricsEnabled')]\",\n \"retentionPolicy\": {\n \"days\": 0,\n \"enabled\": false\n },\n \"timeGrain\": null\n }\n ],\n \"logs\": \"[[if(startsWith(reference(parameters('serverFarmId'), '2021-03-01', 'Full').sku.tier, 'Premium'), variables('logs').premiumTierLogs, variables('logs').otherTierLogs)]\"\n }\n }\n ],\n \"outputs\": {\n \"policy\": {\n \"type\": \"string\",\n \"value\": \"[[concat(parameters('logAnalytics'), 'configured for diagnostic logs for ', ': ', parameters('resourceName'))]\"\n }\n }\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"[[parameters('metricsEnabled')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n },\n \"serverFarmId\": {\n \"value\": \"[[field('Microsoft.Web/sites/serverFarmId')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#9": "{\n \"name\": \"Audit-Tags-Mandatory\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Audit for mandatory tags on resources\",\n \"mode\": \"All\",\n \"description\": \"Audits resources to ensure they have required tags based on tag array. Does not apply to resource groups.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Tags\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"mandatoryTags\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Array of mandatory tags\",\n \"description\": \"Array of mandatory tags that must be present on the resource group. The array should contain semicolon separated list of the tag names.\"\n },\n \"defaultValue\": [\n \"owner\",\n \"costcenter\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"not\": {\n \"count\": {\n \"value\": \"[[parameters('mandatoryTags')]\",\n \"name\": \"tagcount\",\n \"where\": {\n \"field\": \"tags\",\n \"containsKey\": \"[[current('tagcount')]\"\n }\n },\n \"equals\": \"[[length(parameters('mandatoryTags'))]\"\n }\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", + "$fxv#90": "{\n \"name\": \"Deploy-Diagnostics-WVDAppGroup\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for AVD Application group to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application group to stream to a Log Analytics workspace when any application group which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.1-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DesktopVirtualization/applicationGroups\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.DesktopVirtualization/applicationGroups/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"logs\": [\n {\n \"category\": \"Checkpoint\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Error\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Management\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#91": "{\n \"name\": \"Deploy-Diagnostics-WVDHostPools\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for AVD Host Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host Pools to stream to a Log Analytics workspace when any Host Pools which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.3.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DesktopVirtualization/hostpools\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.DesktopVirtualization/hostpools/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"logs\": [\n {\n \"category\": \"Checkpoint\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Error\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Management\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Connection\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"HostRegistration\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"AgentHealthStatus\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"NetworkData\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"SessionHostManagement\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"ConnectionGraphicsData\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#92": "{\n \"name\": \"Deploy-Diagnostics-WVDWorkspace\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"1.1.1-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"logsEnabled\": {\n \"type\": \"String\",\n \"defaultValue\": \"True\",\n \"allowedValues\": [\n \"True\",\n \"False\"\n ],\n \"metadata\": {\n \"displayName\": \"Enable logs\",\n \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DesktopVirtualization/workspaces\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Insights/diagnosticSettings\",\n \"name\": \"[[parameters('profileName')]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n \"equals\": \"[[parameters('logAnalytics')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\"\n },\n \"logsEnabled\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.DesktopVirtualization/workspaces/providers/diagnosticSettings\",\n \"apiVersion\": \"2017-05-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"workspaceId\": \"[[parameters('logAnalytics')]\",\n \"logs\": [\n {\n \"category\": \"Checkpoint\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Error\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Management\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n },\n {\n \"category\": \"Feed\",\n \"enabled\": \"[[parameters('logsEnabled')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"logsEnabled\": {\n \"value\": \"[[parameters('logsEnabled')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#93": "{\n \"name\": \"Deploy-FirewallPolicy\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy Azure Firewall Manager policy in the subscription\",\n \"description\": \"Deploys Azure Firewall Manager policy in subscription where the policy is assigned.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"fwpolicy\": {\n \"type\": \"Object\",\n \"metadata\": {\n \"displayName\": \"fwpolicy\",\n \"description\": \"Object describing Azure Firewall Policy\"\n },\n \"defaultValue\": {}\n },\n \"fwPolicyRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"fwPolicyRegion\",\n \"description\": \"Select Azure region for Azure Firewall Policy\",\n \"strongType\": \"location\"\n }\n },\n \"rgName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"rgName\",\n \"description\": \"Provide name for resource group.\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Resources/subscriptions\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/firewallPolicies\",\n \"deploymentScope\": \"subscription\",\n \"existenceScope\": \"resourceGroup\",\n \"resourceGroupName\": \"[[parameters('rgName')]\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n ],\n \"deployment\": {\n \"location\": \"northeurope\",\n \"properties\": {\n \"mode\": \"Incremental\",\n \"parameters\": {\n \"rgName\": {\n \"value\": \"[[parameters('rgName')]\"\n },\n \"fwPolicy\": {\n \"value\": \"[[parameters('fwPolicy')]\"\n },\n \"fwPolicyRegion\": {\n \"value\": \"[[parameters('fwPolicyRegion')]\"\n }\n },\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"rgName\": {\n \"type\": \"String\"\n },\n \"fwPolicy\": {\n \"type\": \"object\"\n },\n \"fwPolicyRegion\": {\n \"type\": \"String\"\n }\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Resources/resourceGroups\",\n \"apiVersion\": \"2018-05-01\",\n \"name\": \"[[parameters('rgName')]\",\n \"location\": \"[[deployment().location]\",\n \"properties\": {}\n },\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2018-05-01\",\n \"name\": \"fwpolicies\",\n \"resourceGroup\": \"[[parameters('rgName')]\",\n \"dependsOn\": [\n \"[[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {},\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/firewallPolicies\",\n \"apiVersion\": \"2019-09-01\",\n \"name\": \"[[parameters('fwpolicy').firewallPolicyName]\",\n \"location\": \"[[parameters('fwpolicy').location]\",\n \"dependsOn\": [],\n \"tags\": {},\n \"properties\": {},\n \"resources\": [\n {\n \"type\": \"ruleGroups\",\n \"apiVersion\": \"2019-09-01\",\n \"name\": \"[[parameters('fwpolicy').ruleGroups.name]\",\n \"dependsOn\": [\n \"[[resourceId('Microsoft.Network/firewallPolicies',parameters('fwpolicy').firewallPolicyName)]\"\n ],\n \"properties\": {\n \"priority\": \"[[parameters('fwpolicy').ruleGroups.properties.priority]\",\n \"rules\": \"[[parameters('fwpolicy').ruleGroups.properties.rules]\"\n }\n }\n ]\n }\n ],\n \"outputs\": {}\n }\n }\n }\n ],\n \"outputs\": {}\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#94": "{\n \"name\": \"Deploy-MySQL-sslEnforcement\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Azure Database for MySQL server deploy a specific min TLS version and enforce SSL.\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Enable or disable the execution of the policy minimum TLS version Azure Database for MySQL server\"\n }\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforMySQL/servers\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.DBforMySQL/servers/sslEnforcement\",\n \"notEquals\": \"Enabled\"\n },\n {\n \"field\": \"Microsoft.DBforMySQL/servers/minimalTlsVersion\",\n \"less\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.DBforMySQL/servers\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.DBforMySQL/servers/sslEnforcement\",\n \"equals\": \"Enabled\"\n },\n {\n \"field\": \"Microsoft.DBforMySQL/servers/minimalTlsVersion\",\n \"equals\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.DBforMySQL/servers\",\n \"apiVersion\": \"2017-12-01\",\n \"name\": \"[[concat(parameters('resourceName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"sslEnforcement\": \"[[if(equals(parameters('minimalTlsVersion'), 'TLSEnforcementDisabled'),'Disabled', 'Enabled')]\",\n \"minimalTlsVersion\": \"[[parameters('minimalTlsVersion')]\"\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('minimalTlsVersion')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#95": "{\n \"name\": \"Deploy-Nsg-FlowLogs-to-LA\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated] Deploys NSG flow logs and traffic analytics to Log Analytics\",\n \"description\": \"[Deprecated] Deprecated by built-in policy. Deploys NSG flow logs and traffic analytics to Log Analytics with a specified retention period. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/e920df7f-9a64-4066-9b58-52684c02a091.html\",\n \"metadata\": {\n \"deprecated\": true,\n \"supersededBy\": \"e920df7f-9a64-4066-9b58-52684c02a091\",\n \"version\": \"1.1.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"retention\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"Retention\"\n },\n \"defaultValue\": 5\n },\n \"interval\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"Traffic Analytics processing interval mins (10/60)\"\n },\n \"defaultValue\": 60\n },\n \"workspace\": {\n \"type\": \"String\",\n \"metadata\": {\n \"strongType\": \"omsWorkspace\",\n \"displayName\": \"Resource ID of Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\"\n },\n \"defaultValue\": \"\"\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/networkSecurityGroups\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/networkWatchers/flowlogs\",\n \"name\": \"[[if(empty(coalesce(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id'))), 'null/null', concat(split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[8], '/', split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[10]))]\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/networkWatchers/flowLogs/enabled\",\n \"equals\": \"true\"\n }\n ]\n },\n \"existenceScope\": \"resourceGroup\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\",\n \"/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12\",\n \"/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\",\n \"/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab\",\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n ],\n \"resourceGroupName\": \"[[if(empty(coalesce(field('Microsoft.Network/networkSecurityGroups/flowLogs'))), 'NetworkWatcherRG', split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[4])]\",\n \"deploymentScope\": \"subscription\",\n \"deployment\": {\n \"location\": \"northeurope\",\n \"properties\": {\n \"mode\": \"Incremental\",\n \"parameters\": {\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"networkSecurityGroup\": {\n \"value\": \"[[field('id')]\"\n },\n \"workspace\": {\n \"value\": \"[[parameters('workspace')]\"\n },\n \"retention\": {\n \"value\": \"[[parameters('retention')]\"\n },\n \"interval\": {\n \"value\": \"[[parameters('interval')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"location\": {\n \"type\": \"String\"\n },\n \"networkSecurityGroup\": {\n \"type\": \"String\"\n },\n \"workspace\": {\n \"type\": \"String\"\n },\n \"retention\": {\n \"type\": \"int\"\n },\n \"interval\": {\n \"type\": \"int\"\n },\n \"time\": {\n \"type\": \"String\",\n \"defaultValue\": \"[[utcNow()]\"\n }\n },\n \"variables\": {\n \"resourceGroupName\": \"[[split(parameters('networkSecurityGroup'), '/')[4]]\",\n \"securityGroupName\": \"[[split(parameters('networkSecurityGroup'), '/')[8]]\",\n \"storageAccountName\": \"[[concat('es', uniqueString(variables('securityGroupName'), parameters('time')))]\"\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2019-10-01\",\n \"name\": \"[[concat(variables('resourceGroupName'), '.', variables('securityGroupName'))]\",\n \"resourceGroup\": \"[[variables('resourceGroupName')]\",\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"resources\": [\n {\n \"type\": \"Microsoft.Storage/storageAccounts\",\n \"apiVersion\": \"2019-06-01\",\n \"name\": \"[[variables('storageAccountName')]\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {},\n \"kind\": \"StorageV2\",\n \"sku\": {\n \"name\": \"Standard_LRS\",\n \"tier\": \"Standard\"\n }\n }\n ]\n }\n }\n },\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2019-10-01\",\n \"name\": \"[[concat('NetworkWatcherRG', '.', variables('securityGroupName'))]\",\n \"resourceGroup\": \"NetworkWatcherRG\",\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/networkWatchers\",\n \"apiVersion\": \"2020-05-01\",\n \"name\": \"[[concat('NetworkWatcher_', toLower(parameters('location')))]\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {},\n \"resources\": [\n {\n \"type\": \"flowLogs\",\n \"apiVersion\": \"2019-11-01\",\n \"name\": \"[[concat(variables('securityGroupName'), '-Network-flowlog')]\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"enabled\": true,\n \"format\": {\n \"type\": \"JSON\",\n \"version\": 2\n },\n \"retentionPolicy\": {\n \"days\": \"[[parameters('retention')]\",\n \"enabled\": true\n },\n \"flowAnalyticsConfiguration\": {\n \"networkWatcherFlowAnalyticsConfiguration\": {\n \"enabled\": true,\n \"trafficAnalyticsInterval\": \"[[parameters('interval')]\",\n \"workspaceResourceId\": \"[[parameters('workspace')]\"\n }\n },\n \"storageId\": \"[[concat(subscription().id, '/resourceGroups/', variables('resourceGroupName'), '/providers/Microsoft.Storage/storageAccounts/', variables('storageAccountName'))]\",\n \"targetResourceId\": \"[[parameters('networkSecurityGroup')]\"\n },\n \"dependsOn\": [\n \"[[concat('NetworkWatcher_', toLower(parameters('location')))]\"\n ]\n }\n ]\n }\n ]\n }\n },\n \"dependsOn\": [\n \"[[concat(variables('resourceGroupName'), '.', variables('securityGroupName'))]\"\n ]\n }\n ],\n \"outputs\": {}\n }\n }\n }\n }\n }\n }\n }\n}", + "$fxv#96": "{\n \"name\": \"Deploy-Nsg-FlowLogs\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated] Deploys NSG flow logs and traffic analytics\",\n \"description\": \"[Deprecated] Deprecated by built-in policy. Deploys NSG flow logs and traffic analytics to a storageaccountid with a specified retention period. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/e920df7f-9a64-4066-9b58-52684c02a091.html\",\n \"metadata\": {\n \"deprecated\": true,\n \"supersededBy\": \"e920df7f-9a64-4066-9b58-52684c02a091\",\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"retention\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"Retention\"\n },\n \"defaultValue\": 5\n },\n \"storageAccountResourceId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Storage Account Resource Id\",\n \"strongType\": \"Microsoft.Storage/storageAccounts\"\n }\n },\n \"trafficAnalyticsInterval\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"Traffic Analytics processing interval mins (10/60)\"\n },\n \"defaultValue\": 60\n },\n \"flowAnalyticsEnabled\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"Enable Traffic Analytics\"\n },\n \"defaultValue\": false\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"strongType\": \"omsWorkspace\",\n \"displayName\": \"Resource ID of Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\"\n },\n \"defaultValue\": \"\"\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/networkSecurityGroups\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/networkWatchers/flowLogs\",\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n ],\n \"resourceGroupName\": \"NetworkWatcherRG\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Network/networkWatchers/flowLogs/enabled\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Network/networkWatchers/flowLogs/flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled\",\n \"equals\": \"[[parameters('flowAnalyticsEnabled')]\"\n }\n ]\n },\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"parameters\": {\n \"networkSecurityGroupName\": {\n \"value\": \"[[field('name')]\"\n },\n \"resourceGroupName\": {\n \"value\": \"[[resourceGroup().name]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"storageAccountResourceId\": {\n \"value\": \"[[parameters('storageAccountResourceId')]\"\n },\n \"retention\": {\n \"value\": \"[[parameters('retention')]\"\n },\n \"flowAnalyticsEnabled\": {\n \"value\": \"[[parameters('flowAnalyticsEnabled')]\"\n },\n \"trafficAnalyticsInterval\": {\n \"value\": \"[[parameters('trafficAnalyticsInterval')]\"\n },\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"networkSecurityGroupName\": {\n \"type\": \"String\"\n },\n \"resourceGroupName\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n },\n \"storageAccountResourceId\": {\n \"type\": \"String\"\n },\n \"retention\": {\n \"type\": \"int\"\n },\n \"flowAnalyticsEnabled\": {\n \"type\": \"bool\"\n },\n \"trafficAnalyticsInterval\": {\n \"type\": \"int\"\n },\n \"logAnalytics\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/networkWatchers/flowLogs\",\n \"apiVersion\": \"2020-05-01\",\n \"name\": \"[[take(concat('NetworkWatcher_', toLower(parameters('location')), '/', parameters('networkSecurityGroupName'), '-', parameters('resourceGroupName'), '-flowlog' ), 80)]\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"targetResourceId\": \"[[resourceId(parameters('resourceGroupName'), 'Microsoft.Network/networkSecurityGroups', parameters('networkSecurityGroupName'))]\",\n \"storageId\": \"[[parameters('storageAccountResourceId')]\",\n \"enabled\": true,\n \"retentionPolicy\": {\n \"enabled\": true,\n \"days\": \"[[parameters('retention')]\"\n },\n \"format\": {\n \"type\": \"JSON\",\n \"version\": 2\n },\n \"flowAnalyticsConfiguration\": {\n \"networkWatcherFlowAnalyticsConfiguration\": {\n \"enabled\": \"[[bool(parameters('flowAnalyticsEnabled'))]\",\n \"trafficAnalyticsInterval\": \"[[parameters('trafficAnalyticsInterval')]\",\n \"workspaceId\": \"[[if(not(empty(parameters('logAnalytics'))), reference(parameters('logAnalytics'), '2020-03-01-preview', 'Full').properties.customerId, json('null')) ]\",\n \"workspaceRegion\": \"[[if(not(empty(parameters('logAnalytics'))), reference(parameters('logAnalytics'), '2020-03-01-preview', 'Full').location, json('null')) ]\",\n \"workspaceResourceId\": \"[[if(not(empty(parameters('logAnalytics'))), parameters('logAnalytics'), json('null'))]\"\n }\n }\n }\n }\n ],\n \"outputs\": {}\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#97": "{\n \"name\": \"Deploy-PostgreSQL-sslEnforcement\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Azure Database for PostgreSQL server deploy a specific min TLS version requirement and enforce SSL \",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect Azure Database for PostgreSQL server\",\n \"description\": \"Enable or disable the execution of the policy minimum TLS version Azure Database for PostgreSQL server\"\n }\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Select version for PostgreSQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for PostgreSQL server to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.DBforPostgreSQL/servers\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/sslEnforcement\",\n \"notEquals\": \"Enabled\"\n },\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/minimalTlsVersion\",\n \"less\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.DBforPostgreSQL/servers\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/sslEnforcement\",\n \"equals\": \"Enabled\"\n },\n {\n \"field\": \"Microsoft.DBforPostgreSQL/servers/minimalTlsVersion\",\n \"equals\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n },\n \"name\": \"current\",\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.DBforPostgreSQL/servers\",\n \"apiVersion\": \"2017-12-01\",\n \"name\": \"[[concat(parameters('resourceName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"sslEnforcement\": \"[[if(equals(parameters('minimalTlsVersion'), 'TLSEnforcementDisabled'),'Disabled', 'Enabled')]\",\n \"minimalTlsVersion\": \"[[parameters('minimalTlsVersion')]\"\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('minimalTlsVersion')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#98": "{\n \"name\": \"Deploy-Sql-AuditingSettings\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy SQL database auditing settings\",\n \"description\": \"Deploy auditing settings to SQL Database when it not exist in the deployment\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Sql/servers/databases\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Sql/servers/databases/auditingSettings\",\n \"name\": \"default\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Sql/servers/databases/auditingSettings/state\",\n \"equals\": \"enabled\"\n },\n {\n \"field\": \"Microsoft.Sql/servers/databases/auditingSettings/isAzureMonitorTargetEnabled\",\n \"equals\": \"true\"\n }\n ]\n },\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"location\": {\n \"type\": \"String\"\n },\n \"sqlServerName\": {\n \"type\": \"String\"\n },\n \"sqlServerDataBaseName\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"name\": \"[[concat( parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/default')]\",\n \"type\": \"Microsoft.Sql/servers/databases/auditingSettings\",\n \"apiVersion\": \"2017-03-01-preview\",\n \"properties\": {\n \"state\": \"enabled\",\n \"auditActionsAndGroups\": [\n \"BATCH_COMPLETED_GROUP\",\n \"DATABASE_OBJECT_CHANGE_GROUP\",\n \"SCHEMA_OBJECT_CHANGE_GROUP\",\n \"BACKUP_RESTORE_GROUP\",\n \"APPLICATION_ROLE_CHANGE_PASSWORD_GROUP\",\n \"DATABASE_PRINCIPAL_CHANGE_GROUP\",\n \"DATABASE_PRINCIPAL_IMPERSONATION_GROUP\",\n \"DATABASE_ROLE_MEMBER_CHANGE_GROUP\",\n \"USER_CHANGE_PASSWORD_GROUP\",\n \"DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP\",\n \"DATABASE_OBJECT_PERMISSION_CHANGE_GROUP\",\n \"DATABASE_PERMISSION_CHANGE_GROUP\",\n \"SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP\",\n \"SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP\",\n \"FAILED_DATABASE_AUTHENTICATION_GROUP\"\n ],\n \"isAzureMonitorTargetEnabled\": true\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"sqlServerName\": {\n \"value\": \"[[first(split(field('fullname'),'/'))]\"\n },\n \"sqlServerDataBaseName\": {\n \"value\": \"[[field('name')]\"\n }\n }\n }\n },\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3\"\n ]\n }\n }\n }\n }\n}\n", + "$fxv#99": "{\n \"name\": \"Deploy-SQL-minTLS\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"SQL servers deploys a specific min TLS version requirement.\",\n \"description\": \"Deploys a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect SQL servers\",\n \"description\": \"Enable or disable the execution of the policy minimum TLS version SQL servers\"\n }\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.1\",\n \"1.0\"\n ],\n \"metadata\": {\n \"displayName\": \"Select version for SQL server\",\n \"description\": \"Select version minimum TLS version SQL servers to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Sql/servers\"\n },\n {\n \"field\": \"Microsoft.Sql/servers/minimalTlsVersion\",\n \"less\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Sql/servers\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Sql/servers/minimalTlsVersion\",\n \"equals\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n },\n \"name\": \"current\",\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Sql/servers\",\n \"apiVersion\": \"2019-06-01-preview\",\n \"name\": \"[[concat(parameters('resourceName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"minimalTlsVersion\": \"[[parameters('minimalTlsVersion')]\"\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('minimalTlsVersion')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", "cloudEnv": "[environment().name]", "defaultDeploymentLocationByCloudType": { "AzureCloud": "northeurope", @@ -407,11 +409,11 @@ "[variables('$fxv#139')]", "[variables('$fxv#140')]", "[variables('$fxv#141')]", - "[variables('$fxv#142')]" + "[variables('$fxv#142')]", + "[variables('$fxv#143')]", + "[variables('$fxv#144')]" ], "AzureCloud": [ - "[variables('$fxv#143')]", - "[variables('$fxv#144')]", "[variables('$fxv#145')]", "[variables('$fxv#146')]", "[variables('$fxv#147')]", @@ -424,23 +426,25 @@ "[variables('$fxv#154')]", "[variables('$fxv#155')]", "[variables('$fxv#156')]", - "[variables('$fxv#157')]" + "[variables('$fxv#157')]", + "[variables('$fxv#158')]", + "[variables('$fxv#159')]" ], "AzureChinaCloud": [ - "[variables('$fxv#158')]", - "[variables('$fxv#159')]", "[variables('$fxv#160')]", "[variables('$fxv#161')]", "[variables('$fxv#162')]", "[variables('$fxv#163')]", "[variables('$fxv#164')]", "[variables('$fxv#165')]", - "[variables('$fxv#166')]" + "[variables('$fxv#166')]", + "[variables('$fxv#167')]", + "[variables('$fxv#168')]" ], "AzureUSGovernment": [ - "[variables('$fxv#167')]", - "[variables('$fxv#168')]", - "[variables('$fxv#169')]" + "[variables('$fxv#169')]", + "[variables('$fxv#170')]", + "[variables('$fxv#171')]" ] }, "policyDefinitionsByCloudType": { diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Audit-Tags-Mandatory-Rg.json b/src/resources/Microsoft.Authorization/policyDefinitions/Audit-Tags-Mandatory-Rg.json new file mode 100644 index 0000000000..4116b5db71 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Audit-Tags-Mandatory-Rg.json @@ -0,0 +1,91 @@ +{ + "name": "Audit-Tags-Mandatory-Rg", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Audit for mandatory tags on resource groups", + "mode": "Indexed", + "description": "Audits resource groups to ensure they have required tags based on tag array.", + "metadata": { + "version": "1.0.0", + "category": "Tags", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit" + }, + "mandatoryTags": { + "type": "Array", + "metadata": { + "displayName": "Array of mandatory tags", + "description": "Array of mandatory tags that must be present on the resource group. The array should contain semicolon separated list of the tag names." + }, + "defaultValue": [ + "owner", + "costcenter" + ] + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Resources/subscriptions/resourceGroups" + }, + { + "anyOf": [ + { + "not": { + "count": { + "value": "[[parameters('mandatoryTags')]", + "name": "tagcount", + "where": { + "field": "tags", + "containsKey": "[[current('tagcount')]" + } + }, + "equals": "[[length(parameters('mandatoryTags'))]" + } + }, + { + "not": { + "count": { + "value": "[[parameters('mandatoryTags')]", + "name": "tagnullcount", + "where": { + "value": "[[resourceGroup().tags[current('tagnullcount')]]", + "notMatch": "" + } + }, + "equals": "[[length(parameters('mandatoryTags'))]" + } + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Audit-Tags-Mandatory.json b/src/resources/Microsoft.Authorization/policyDefinitions/Audit-Tags-Mandatory.json new file mode 100644 index 0000000000..08fbd356ea --- /dev/null +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Audit-Tags-Mandatory.json @@ -0,0 +1,66 @@ +{ + "name": "Audit-Tags-Mandatory", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Audit for mandatory tags on resources", + "mode": "All", + "description": "Audits resources to ensure they have required tags based on tag array. Does not apply to resource groups.", + "metadata": { + "version": "1.0.0", + "category": "Tags", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit" + }, + "mandatoryTags": { + "type": "Array", + "metadata": { + "displayName": "Array of mandatory tags", + "description": "Array of mandatory tags that must be present on the resource group. The array should contain semicolon separated list of the tag names." + }, + "defaultValue": [ + "owner", + "costcenter" + ] + } + }, + "policyRule": { + "if": { + "not": { + "count": { + "value": "[[parameters('mandatoryTags')]", + "name": "tagcount", + "where": { + "field": "tags", + "containsKey": "[[current('tagcount')]" + } + }, + "equals": "[[length(parameters('mandatoryTags'))]" + } + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + } +} \ No newline at end of file diff --git a/src/templates/policies.bicep b/src/templates/policies.bicep index bf459ae8e1..803107679a 100644 --- a/src/templates/policies.bicep +++ b/src/templates/policies.bicep @@ -50,6 +50,8 @@ var loadPolicyDefinitions = { loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Audit-PublicIpAddresses-UnusedResourcesCostOptimization.json') loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Audit-ServerFarms-UnusedResourcesCostOptimization.json') loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Audit-AzureHybridBenefit.json') + loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Audit-Tags-Mandatory.json') + loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Audit-Tags-Mandatory-Rg.json') loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-AppGW-Without-WAF.json') loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http.json') loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http.json') From 4458a515c6ed844133541e4a57104e79485093e9 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Fri, 29 Nov 2024 22:31:37 +0400 Subject: [PATCH 09/18] ALZ Policy Version Pinning Update (#1853) --- docs/wiki/Whats-new.md | 1 + .../AUDIT-AppGwWafPolicyAssignment.json | 6 +- ...IT-ResourceRGLocationPolicyAssignment.json | 6 +- .../AUDIT-ZoneResilientPolicyAssignment.json | 6 +- ...ENY-AksPrivEscalationPolicyAssignment.json | 6 +- .../DENY-AksPrivilegedPolicyAssignment.json | 6 +- .../DENY-AksWithoutHttpsPolicyAssignment.json | 6 +- ...-ClassicResourceTypesPolicyAssignment.json | 6 +- ...DENY-HybridNetworkingPolicyAssignment.json | 6 +- .../DENY-IPForwardingPolicyAssignment.json | 8 +- ...-PublicIpAddressOnNICPolicyAssignment.json | 6 +- .../DENY-PublicIpAddressPolicyAssignment.json | 6 +- ...Y-StorageWithoutHttpsPolicyAssignment.json | 6 +- .../DENY-VMUnmanagedDiskPolicyAssignment.json | 6 +- .../DINE-ASBPolicyAssignment.json | 6 +- .../DINE-ActivityLogPolicyAssignment.json | 6 +- .../DINE-AtpOssDbPolicyAssignment.json | 6 +- .../DINE-AtpSqlDbPolicyAssignment.json | 6 +- ...E-ChangeTrackingVMArcPolicyAssignment.json | 6 +- ...DINE-ChangeTrackingVMPolicyAssignment.json | 6 +- ...NE-ChangeTrackingVMSSPolicyAssignment.json | 6 +- .../DINE-LogAnalyticsPolicyAssignment.json | 6 +- .../DINE-MDEndpointsAMAPolicyAssignment.json | 6 +- .../DINE-MDEndpointsPolicyAssignment.json | 6 +- ...NE-MDFCDefenderSQLAMAPolicyAssignment.json | 6 +- ...E-ResourceDiagnosticsPolicyAssignment.json | 6 +- .../DINE-SQLAuditingPolicyAssignment.json | 6 +- .../DINE-SQLEncryptionPolicyAssignment.json | 6 +- .../DINE-SQLThreatPolicyAssignment.json | 6 +- .../DINE-VMBackupPolicyAssignment.json | 6 +- ...NE-VMHybridMonitoringPolicyAssignment.json | 6 +- .../DINE-VMMonitoringPolicyAssignment.json | 6 +- .../DINE-VMSSMonitoringPolicyAssignment.json | 6 +- ...ENFORCE-SubnetPrivatePolicyAssignment.json | 6 +- .../MODIFY-DDoSPolicyAssignment.json | 6 +- .../policyDefinitions/initiatives.json | 82 +++++++++---------- .../policyDefinitions/policies.json | 4 +- .../Audit-TrustedLaunch.json | 4 +- ...Audit-UnusedResourcesCostOptimization.json | 6 +- .../Deny-PublicPaaSEndpoints.json | 47 ++++++++++- .../DenyAction-DeleteProtection.json | 4 +- .../Deploy-AUM-CheckUpdates.json | 6 +- .../Deploy-MDFC-Config_20240319.json | 33 +++++++- .../Deploy-Private-DNS-Zones.json | 61 +++++++++++++- .../Deploy-Sql-Security_20240529.json | 6 +- .../policySetDefinitions/Enforce-ACSB.json | 7 +- .../Enforce-ALZ-Decomm.json | 4 +- .../Enforce-ALZ-Sandbox.json | 4 +- .../policySetDefinitions/Enforce-Backup.json | 8 +- .../Enforce-EncryptTransit_20240509.json | 40 ++++++++- .../Enforce-Encryption-CMK.json | 32 +++++++- .../Enforce-Guardrails-APIM.json | 13 ++- .../Enforce-Guardrails-AppServices.json | 21 ++++- .../Enforce-Guardrails-Automation.json | 8 +- .../Enforce-Guardrails-BotService.json | 6 +- .../Enforce-Guardrails-CognitiveServices.json | 11 ++- .../Enforce-Guardrails-Compute.json | 4 +- .../Enforce-Guardrails-ContainerApps.json | 4 +- .../Enforce-Guardrails-ContainerInstance.json | 3 +- .../Enforce-Guardrails-ContainerRegistry.json | 14 +++- .../Enforce-Guardrails-CosmosDb.json | 8 +- .../Enforce-Guardrails-DataExplorer.json | 6 +- .../Enforce-Guardrails-DataFactory.json | 7 +- .../Enforce-Guardrails-EventGrid.json | 10 ++- .../Enforce-Guardrails-EventHub.json | 6 +- .../Enforce-Guardrails-KeyVault-Sup.json | 4 +- .../Enforce-Guardrails-Kubernetes.json | 18 +++- .../Enforce-Guardrails-MachineLearning.json | 16 +++- .../Enforce-Guardrails-MySQL.json | 4 +- .../Enforce-Guardrails-Network.json | 24 +++++- .../Enforce-Guardrails-OpenAI.json | 13 ++- .../Enforce-Guardrails-PostgreSQL.json | 3 +- .../Enforce-Guardrails-SQL.json | 7 +- .../Enforce-Guardrails-ServiceBus.json | 6 +- .../Enforce-Guardrails-Storage.json | 24 +++++- .../Enforce-Guardrails-Synapse.json | 11 ++- .../Enforce-Guardrails-VirtualDesktop.json | 4 +- 77 files changed, 658 insertions(+), 152 deletions(-) diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md index 9775bd9d34..53ea412b13 100644 --- a/docs/wiki/Whats-new.md +++ b/docs/wiki/Whats-new.md @@ -52,6 +52,7 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones: ### 🔃 Policy Refresh Q2 FY25 +- *Policy Versioning Support* - all initiatives and assignments have been pinned to the current major version of built-in policies or initiatives deployed by ALZ. This ensures that all ALZ deployments will successfully deploy using the currently validated versions of ALZ built-in policies and initiatives. As these get updated the team will validate changes and impact before incrementing the recommended version. - Fixed a Portal Accelerator bug that results in failed deployment when choosing not to deploy policies to the Identity management group. - Updated the display name of the many `Effect` parameters to clearly identify the policy it applies to in the initiative [Enforce recommended guardrails for Azure Key Vault](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-KeyVault.html). - Updated the policy and policySet definition API version `2023-04-01` to supporting policy versioning. In this repo, this is used in the master policies.json and initiatives.json files, that are built from individual policy and initiative files in the src folder. diff --git a/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-AppGwWafPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-AppGwWafPolicyAssignment.json index 5186b3e49b..36c7c180dc 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-AppGwWafPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-AppGwWafPolicyAssignment.json @@ -26,7 +26,8 @@ }, "variables": { "policyDefinitions": { - "auditWAF": "/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66" + "auditWAF": "/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66", + "policyVersion": "2.*.*" }, "policyAssignmentNames": { "auditWAF": "Audit-AppGW-WAF", @@ -42,12 +43,13 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').auditWAF]", "properties": { "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').auditWAF]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "nonComplianceMessages": [ { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-ResourceRGLocationPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-ResourceRGLocationPolicyAssignment.json index 283cf25ac6..3474eb30b8 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-ResourceRGLocationPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-ResourceRGLocationPolicyAssignment.json @@ -17,7 +17,8 @@ }, "variables": { "policyDefinitions": { - "auditRGL": "/providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a" + "auditRGL": "/providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a", + "policyVersion": "2.*.*" }, "policyAssignmentNames": { "auditRGL": "Audit-ResourceRGLocation", @@ -33,12 +34,13 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').auditRGL]", "properties": { "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').auditRGL]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "nonComplianceMessages": [ { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-ZoneResilientPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-ZoneResilientPolicyAssignment.json index 97bb4e0644..7253927318 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-ZoneResilientPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-ZoneResilientPolicyAssignment.json @@ -35,7 +35,8 @@ }, "variables": { "policyDefinitions": { - "auditZR": "/providers/Microsoft.Authorization/policySetDefinitions/130fb88f-0fc9-4678-bfe1-31022d71c7d5" + "auditZR": "/providers/Microsoft.Authorization/policySetDefinitions/130fb88f-0fc9-4678-bfe1-31022d71c7d5", + "policyVersion": "1.*.*-preview" }, "policyAssignmentNames": { "auditZR": "Audit-ZoneResiliency", @@ -51,12 +52,13 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').auditZR]", "properties": { "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').auditZR]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "nonComplianceMessages": [ { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksPrivEscalationPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksPrivEscalationPolicyAssignment.json index 5df1fa7f16..abfd6425d0 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksPrivEscalationPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksPrivEscalationPolicyAssignment.json @@ -13,7 +13,8 @@ }, "variables": { "policyDefinitions": { - "denyAksNoPrivEsc": "/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99" + "denyAksNoPrivEsc": "/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99", + "policyVersion": "7.*.*" }, "policyAssignmentNames": { "denyAksNoPrivEsc": "Deny-Priv-Esc-AKS", @@ -24,12 +25,13 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').denyAksNoPrivEsc]", "properties": { "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').denyAksNoPrivEsc]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "parameters": { "effect": { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksPrivilegedPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksPrivilegedPolicyAssignment.json index 3f4fde274d..2452c4bd3c 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksPrivilegedPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksPrivilegedPolicyAssignment.json @@ -13,7 +13,8 @@ }, "variables": { "policyDefinitions": { - "denyAksPriv": "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4" + "denyAksPriv": "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4", + "policyVersion": "9.*.*" }, "policyAssignmentNames": { "denyAksPriv": "Deny-Privileged-AKS", @@ -24,12 +25,13 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').denyAksPriv]", "properties": { "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').denyAksPriv]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "parameters": { "effect": { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksWithoutHttpsPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksWithoutHttpsPolicyAssignment.json index dedf8bf2ce..3b7fcee0b2 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksWithoutHttpsPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksWithoutHttpsPolicyAssignment.json @@ -13,7 +13,8 @@ }, "variables": { "policyDefinitions": { - "denyHttpIngressAks": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d" + "denyHttpIngressAks": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d", + "policyVersion": "8.*.*" }, "policyAssignmentNames": { "denyHttpIngressAks": "Enforce-AKS-HTTPS", @@ -24,12 +25,13 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').denyHttpIngressAks]", "properties": { "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').denyHttpIngressAks]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "parameters": { "effect": { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENY-ClassicResourceTypesPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DENY-ClassicResourceTypesPolicyAssignment.json index 63325713d8..26961652bf 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DENY-ClassicResourceTypesPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DENY-ClassicResourceTypesPolicyAssignment.json @@ -25,7 +25,8 @@ }, "variables": { "policyDefinitions": { - "denyClassicResources": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749" + "denyClassicResources": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749", + "policyVersion": "2.*.*" }, "policyAssignmentNames": { "denyClassicResources": "Deny-Classic-Resources", @@ -41,12 +42,13 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').denyClassicResources]", "properties": { "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').denyClassicResources]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "nonComplianceMessages": [ { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENY-HybridNetworkingPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DENY-HybridNetworkingPolicyAssignment.json index e695b06b39..def5fe2d27 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DENY-HybridNetworkingPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DENY-HybridNetworkingPolicyAssignment.json @@ -25,7 +25,8 @@ }, "variables": { "policyDefinitions": { - "denyHybridNetworking": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749" + "denyHybridNetworking": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749", + "policyVersion": "2.*.*" }, "policyAssignmentNames": { "denyHybridNetworking": "Deny-HybridNetworking", @@ -41,12 +42,13 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').denyHybridNetworking]", "properties": { "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').denyHybridNetworking]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "nonComplianceMessages": [ { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENY-IPForwardingPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DENY-IPForwardingPolicyAssignment.json index 5aed8232e2..40aa9beacc 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DENY-IPForwardingPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DENY-IPForwardingPolicyAssignment.json @@ -17,7 +17,8 @@ }, "variables": { "policyDefinitions": { - "denyIpForwarding": "/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900" + "denyIpForwarding": "/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900", + "policyVersion": "1.*.*" }, "policyAssignmentNames": { "denyIpForwarding": "Deny-IP-forwarding", @@ -33,7 +34,7 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').denyIpForwarding]", "properties": { "description": "[variables('policyAssignmentNames').description]", @@ -44,7 +45,8 @@ "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]" } ], - "policyDefinitionId": "[variables('policyDefinitions').denyIpForwarding]" + "policyDefinitionId": "[variables('policyDefinitions').denyIpForwarding]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]" } } ], diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENY-PublicIpAddressOnNICPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DENY-PublicIpAddressOnNICPolicyAssignment.json index 941292cc93..9d1b8025ff 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DENY-PublicIpAddressOnNICPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DENY-PublicIpAddressOnNICPolicyAssignment.json @@ -17,7 +17,8 @@ }, "variables": { "policyDefinitions": { - "denyPipOnNic": "/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114" + "denyPipOnNic": "/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114", + "policyVersion": "1.*.*" }, "policyAssignmentNames": { "denyPipOnNIC": "Deny-Public-IP-On-NIC", @@ -33,12 +34,13 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').denyPipOnNic]", "properties": { "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').denyPipOnNic]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "nonComplianceMessages": [ { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENY-PublicIpAddressPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DENY-PublicIpAddressPolicyAssignment.json index b7c17d5b5d..ced5859da6 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DENY-PublicIpAddressPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DENY-PublicIpAddressPolicyAssignment.json @@ -17,7 +17,8 @@ }, "variables": { "policyDefinitions": { - "denyPip": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749" + "denyPip": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749", + "policyVersion": "2.*.*" }, "policyAssignmentNames": { "denyPip": "Deny-Public-IP", @@ -33,12 +34,13 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').denyPip]", "properties": { "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').denyPip]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "nonComplianceMessages": [ { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENY-StorageWithoutHttpsPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DENY-StorageWithoutHttpsPolicyAssignment.json index 05cda17684..294ede5650 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DENY-StorageWithoutHttpsPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DENY-StorageWithoutHttpsPolicyAssignment.json @@ -17,7 +17,8 @@ }, "variables": { "policyDefinitions": { - "storageHttps": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9" + "storageHttps": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9", + "policyVersion": "2.*.*" }, "policyAssignmentNames": { "storageHttps": "Deny-Storage-http", @@ -33,12 +34,13 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').storageHttps]", "properties": { "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').storageHttps]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "nonComplianceMessages": [ { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENY-VMUnmanagedDiskPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DENY-VMUnmanagedDiskPolicyAssignment.json index 786b5e666f..19b6e272a7 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DENY-VMUnmanagedDiskPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DENY-VMUnmanagedDiskPolicyAssignment.json @@ -17,7 +17,8 @@ }, "variables": { "policyDefinitions": { - "denyVMUnmanagedDisk": "/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d" + "denyVMUnmanagedDisk": "/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d", + "policyVersion": "1.*.*" }, "policyAssignmentNames": { "denyVMUnmanagedDisk": "Deny-UnmanagedDisk", @@ -33,12 +34,13 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').denyVMUnmanagedDisk]", "properties": { "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').denyVMUnmanagedDisk]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "nonComplianceMessages": [ { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-ASBPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-ASBPolicyAssignment.json index af1d1d71f9..7ebe339e86 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DINE-ASBPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-ASBPolicyAssignment.json @@ -17,7 +17,8 @@ }, "variables": { "policyDefinitions": { - "ascMonitoring": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8" + "ascMonitoring": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8", + "policyVersion": "57.*.*" }, "policyAssignmentNames": { "ascMonitoring": "Deploy-ASC-Monitoring", @@ -33,7 +34,7 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').ascMonitoring]", "location": "[deployment().location]", "identity": { @@ -43,6 +44,7 @@ "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').ascMonitoring]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "nonComplianceMessages": [ { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-ActivityLogPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-ActivityLogPolicyAssignment.json index 051665e46b..c33dd3b600 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DINE-ActivityLogPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-ActivityLogPolicyAssignment.json @@ -29,7 +29,8 @@ }, "variables": { "policyDefinitions": { - "deployAzureActivityLog": "/providers/Microsoft.Authorization/policyDefinitions/2465583e-4e78-4c15-b6be-a36cbc7c8b0f" + "deployAzureActivityLog": "/providers/Microsoft.Authorization/policyDefinitions/2465583e-4e78-4c15-b6be-a36cbc7c8b0f", + "policyVersion": "1.*.*" }, "policyAssignmentNames": { "azureActivityLog": "Deploy-AzActivity-Log", @@ -51,7 +52,7 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').azureActivityLog]", "location": "[deployment().location]", "identity": { @@ -61,6 +62,7 @@ "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').deployAzureActivityLog]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "nonComplianceMessages": [ { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-AtpOssDbPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-AtpOssDbPolicyAssignment.json index d1959f0147..dcbe777f2f 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DINE-AtpOssDbPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-AtpOssDbPolicyAssignment.json @@ -23,7 +23,8 @@ }, "variables": { "policyDefinitions": { - "DineAtpOssDb": "/providers/Microsoft.Authorization/policySetDefinitions/e77fc0b3-f7e9-4c58-bc13-cb753ed8e46e" + "DineAtpOssDb": "/providers/Microsoft.Authorization/policySetDefinitions/e77fc0b3-f7e9-4c58-bc13-cb753ed8e46e", + "policyVersion": "1.*.*" }, "policyAssignmentNames": { "DineAtpOssDb": "Deploy-MDFC-OssDb", @@ -43,7 +44,7 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').DineAtpOssDb]", "location": "[deployment().location]", "identity": { @@ -53,6 +54,7 @@ "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').DineAtpOssDb]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "nonComplianceMessages": [ { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-AtpSqlDbPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-AtpSqlDbPolicyAssignment.json index 34febb1340..7ad2013d93 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DINE-AtpSqlDbPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-AtpSqlDbPolicyAssignment.json @@ -23,7 +23,8 @@ }, "variables": { "policyDefinitions": { - "DineAtpSqlDb": "/providers/Microsoft.Authorization/policySetDefinitions/9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97" + "DineAtpSqlDb": "/providers/Microsoft.Authorization/policySetDefinitions/9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97", + "policyVersion": "3.*.*" }, "policyAssignmentNames": { "DineAtpSqlDb": "Deploy-MDFC-SqlAtp", @@ -43,7 +44,7 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').DineAtpSqlDb]", "location": "[deployment().location]", "identity": { @@ -53,6 +54,7 @@ "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').DineAtpSqlDb]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "nonComplianceMessages": [ { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-ChangeTrackingVMArcPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-ChangeTrackingVMArcPolicyAssignment.json index cde092b64c..0ced04dfff 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DINE-ChangeTrackingVMArcPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-ChangeTrackingVMArcPolicyAssignment.json @@ -56,7 +56,8 @@ }, "variables": { "policyDefinitions": { - "vmArcChangeTracking": "/providers/Microsoft.Authorization/policySetDefinitions/53448c70-089b-4f52-8f38-89196d7f2de1" + "vmArcChangeTracking": "/providers/Microsoft.Authorization/policySetDefinitions/53448c70-089b-4f52-8f38-89196d7f2de1", + "policyVersion": "1.*.*-preview" }, "policyAssignmentNames": { "vmArcChangeTracking": "Deploy-vmArc-ChangeTrack", @@ -80,7 +81,7 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').vmArcChangeTracking]", "location": "[deployment().location]", "identity": { @@ -90,6 +91,7 @@ "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').vmArcChangeTracking]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "nonComplianceMessages": [ { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-ChangeTrackingVMPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-ChangeTrackingVMPolicyAssignment.json index 8c878a37f5..4ebfffb655 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DINE-ChangeTrackingVMPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-ChangeTrackingVMPolicyAssignment.json @@ -76,7 +76,8 @@ }, "variables": { "policyDefinitions": { - "vmChangeTracking": "/providers/Microsoft.Authorization/policySetDefinitions/92a36f05-ebc9-4bba-9128-b47ad2ea3354" + "vmChangeTracking": "/providers/Microsoft.Authorization/policySetDefinitions/92a36f05-ebc9-4bba-9128-b47ad2ea3354", + "policyVersion": "1.*.*-preview" }, "policyAssignmentNames": { "vmChangeTracking": "Deploy-VM-ChangeTrack", @@ -105,7 +106,7 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').vmChangeTracking]", "location": "[deployment().location]", "identity": { @@ -115,6 +116,7 @@ "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').vmChangeTracking]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "nonComplianceMessages": [ { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-ChangeTrackingVMSSPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-ChangeTrackingVMSSPolicyAssignment.json index 04450021a3..b5503e4ee1 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DINE-ChangeTrackingVMSSPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-ChangeTrackingVMSSPolicyAssignment.json @@ -76,7 +76,8 @@ }, "variables": { "policyDefinitions": { - "vmssChangeTracking": "/providers/Microsoft.Authorization/policySetDefinitions/c4a70814-96be-461c-889f-2b27429120dc" + "vmssChangeTracking": "/providers/Microsoft.Authorization/policySetDefinitions/c4a70814-96be-461c-889f-2b27429120dc", + "policyVersion": "1.*.*-preview" }, "policyAssignmentNames": { "vmssChangeTracking": "Deploy-VMSS-ChangeTrack", @@ -105,7 +106,7 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').vmssChangeTracking]", "location": "[deployment().location]", "identity": { @@ -115,6 +116,7 @@ "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').vmssChangeTracking]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "nonComplianceMessages": [ { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-LogAnalyticsPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-LogAnalyticsPolicyAssignment.json index 58989a4d2e..532b3a1aaf 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DINE-LogAnalyticsPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-LogAnalyticsPolicyAssignment.json @@ -59,7 +59,8 @@ }, "variables": { "policyDefinitions": { - "deployLogAnalytics": "/providers/Microsoft.Authorization/policyDefinitions/8e3e61b3-0b32-22d5-4edf-55f87fdb5955" + "deployLogAnalytics": "/providers/Microsoft.Authorization/policyDefinitions/8e3e61b3-0b32-22d5-4edf-55f87fdb5955", + "policyVersion": "2.*.*" }, "policyAssignmentNames": { "logAnalytics": "Deploy-Log-Analytics", @@ -79,7 +80,7 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').loganalytics]", "location": "[deployment().location]", "identity": { @@ -89,6 +90,7 @@ "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').deployLogAnalytics]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "nonComplianceMessages": [ { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-MDEndpointsAMAPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-MDEndpointsAMAPolicyAssignment.json index 4b533d4947..e61f1c6ecb 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DINE-MDEndpointsAMAPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-MDEndpointsAMAPolicyAssignment.json @@ -23,7 +23,8 @@ }, "variables": { "policyDefinitions": { - "deployMDEndpoints": "/providers/Microsoft.Authorization/policySetDefinitions/77b391e3-2d5d-40c3-83bf-65c846b3c6a3" + "deployMDEndpoints": "/providers/Microsoft.Authorization/policySetDefinitions/77b391e3-2d5d-40c3-83bf-65c846b3c6a3", + "policyVersion": "1.*.*" }, "policyAssignmentNames": { "azureSecurityMDE": "Deploy-MDEndpointsAMA", @@ -43,7 +44,7 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').azureSecurityMDE]", "location": "[deployment().location]", "identity": { @@ -53,6 +54,7 @@ "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').deployMDEndpoints]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "nonComplianceMessages": [ { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-MDEndpointsPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-MDEndpointsPolicyAssignment.json index 7f81ce19cc..c0c59489ef 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DINE-MDEndpointsPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-MDEndpointsPolicyAssignment.json @@ -32,7 +32,8 @@ }, "variables": { "policyDefinitions": { - "deployMDEndpoints": "/providers/Microsoft.Authorization/policySetDefinitions/e20d08c5-6d64-656d-6465-ce9e37fd0ebc" + "deployMDEndpoints": "/providers/Microsoft.Authorization/policySetDefinitions/e20d08c5-6d64-656d-6465-ce9e37fd0ebc", + "policyVersion": "1.*.*-preview" }, "policyAssignmentNames": { "azureSecurityMDE": "Deploy-MDEndpoints", @@ -52,7 +53,7 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').azureSecurityMDE]", "location": "[deployment().location]", "identity": { @@ -62,6 +63,7 @@ "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').deployMDEndpoints]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "nonComplianceMessages": [ { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-MDFCDefenderSQLAMAPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-MDFCDefenderSQLAMAPolicyAssignment.json index 645286c7fd..d3210e1d7a 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DINE-MDFCDefenderSQLAMAPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-MDFCDefenderSQLAMAPolicyAssignment.json @@ -106,7 +106,8 @@ }, "variables": { "policyDefinitions": { - "deployazureDefenderSQL": "/providers/Microsoft.Authorization/policySetDefinitions/de01d381-bae9-4670-8870-786f89f49e26" + "deployazureDefenderSQL": "/providers/Microsoft.Authorization/policySetDefinitions/de01d381-bae9-4670-8870-786f89f49e26", + "policyVersion": "1.*.*" }, "policyAssignmentNames": { "azureDefenderSQL": "Deploy-MDFC-DefSQL-AMA", @@ -137,7 +138,7 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').azureDefenderSQL]", "location": "[deployment().location]", "identity": { @@ -147,6 +148,7 @@ "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').deployazureDefenderSQL]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "nonComplianceMessages": [ { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-ResourceDiagnosticsPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-ResourceDiagnosticsPolicyAssignment.json index 7143112061..6c8fac4b4a 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DINE-ResourceDiagnosticsPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-ResourceDiagnosticsPolicyAssignment.json @@ -35,7 +35,8 @@ }, "variables": { "policyDefinitions": { - "deployResourceDiagnostics": "[if(equals(parameters('laCategory'), 'allLogs'),'/providers/Microsoft.Authorization/policySetDefinitions/0884adba-2312-4468-abeb-5422caed1038','/providers/Microsoft.Authorization/policySetDefinitions/f5b29bc4-feca-4cc6-a58a-772dd5e290a5')]" + "deployResourceDiagnostics": "[if(equals(parameters('laCategory'), 'allLogs'),'/providers/Microsoft.Authorization/policySetDefinitions/0884adba-2312-4468-abeb-5422caed1038','/providers/Microsoft.Authorization/policySetDefinitions/f5b29bc4-feca-4cc6-a58a-772dd5e290a5')]", + "policyVersion": "[if(equals(parameters('laCategory'), 'allLogs'),'1.*.*','1.*.*')]" }, "policyAssignmentNames": { "resourceDiagnostics": "Deploy-Diag-LogsCat", @@ -57,7 +58,7 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').resourceDiagnostics]", "location": "[deployment().location]", "identity": { @@ -67,6 +68,7 @@ "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').deployResourceDiagnostics]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "nonComplianceMessages": [ { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-SQLAuditingPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-SQLAuditingPolicyAssignment.json index 0f6a0e58c3..29e4a8c15a 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DINE-SQLAuditingPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-SQLAuditingPolicyAssignment.json @@ -29,7 +29,8 @@ }, "variables": { "policyDefinitions": { - "deploySqlAuditing": "/providers/Microsoft.Authorization/policyDefinitions/25da7dfb-0666-4a15-a8f5-402127efd8bb" + "deploySqlAuditing": "/providers/Microsoft.Authorization/policyDefinitions/25da7dfb-0666-4a15-a8f5-402127efd8bb", + "policyVersion": "1.*.*" }, "policyAssignmentNames": { "deploySqlAuditing": "Deploy-AzSqlDb-Auditing", @@ -49,7 +50,7 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').deploySqlAuditing]", "location": "[deployment().location]", "identity": { @@ -59,6 +60,7 @@ "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').deploySqlAuditing]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "nonComplianceMessages": [ { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-SQLEncryptionPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-SQLEncryptionPolicyAssignment.json index d5ae811a94..b18449418a 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DINE-SQLEncryptionPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-SQLEncryptionPolicyAssignment.json @@ -23,7 +23,8 @@ }, "variables": { "policyDefinitions": { - "deploySqlEncryption": "/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f" + "deploySqlEncryption": "/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f", + "policyVersion": "2.*.*" }, "policyAssignmentNames": { "deploySqlEncryption": "Deploy-SQL-TDE", @@ -43,7 +44,7 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').deploySqlEncryption]", "location": "[deployment().location]", "identity": { @@ -53,6 +54,7 @@ "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').deploySqlEncryption]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "nonComplianceMessages": [ { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-SQLThreatPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-SQLThreatPolicyAssignment.json index d96cb25411..c93203df5a 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DINE-SQLThreatPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-SQLThreatPolicyAssignment.json @@ -23,7 +23,8 @@ }, "variables": { "policyDefinitions": { - "deploySqlThreat": "/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5" + "deploySqlThreat": "/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5", + "policyVersion": "2.*.*" }, "policyAssignmentNames": { "deploySqlThreat": "Deploy-SQL-Threat", @@ -43,7 +44,7 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').deploySqlThreat]", "location": "[deployment().location]", "identity": { @@ -53,6 +54,7 @@ "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').deploySqlThreat]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "nonComplianceMessages": [ { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMBackupPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMBackupPolicyAssignment.json index e59ec5297c..e06cc5ff72 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMBackupPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMBackupPolicyAssignment.json @@ -24,7 +24,8 @@ }, "variables": { "policyDefinitions": { - "deployVmBackup": "/providers/Microsoft.Authorization/policyDefinitions/98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86" + "deployVmBackup": "/providers/Microsoft.Authorization/policyDefinitions/98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86", + "policyVersion": "9.*.*" }, "policyAssignmentNames": { "deployVmBackup": "Deploy-VM-Backup", @@ -46,7 +47,7 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').deployVmBackup]", "location": "[deployment().location]", "identity": { @@ -56,6 +57,7 @@ "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').deployVmBackup]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "nonComplianceMessages": [ { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMHybridMonitoringPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMHybridMonitoringPolicyAssignment.json index 500577b696..abe13d8dc4 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMHybridMonitoringPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMHybridMonitoringPolicyAssignment.json @@ -52,7 +52,8 @@ }, "variables": { "policyDefinitions": { - "vmHybridMonitoring": "/providers/Microsoft.Authorization/policySetDefinitions/2b00397d-c309-49c4-aa5a-f0b2c5bc6321" + "vmHybridMonitoring": "/providers/Microsoft.Authorization/policySetDefinitions/2b00397d-c309-49c4-aa5a-f0b2c5bc6321", + "policyVersion": "1.*.*" }, "policyAssignmentNames": { "vmHybridMonitoring": "Deploy-vmHybr-Monitoring", @@ -76,7 +77,7 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').vmHybridMonitoring]", "location": "[deployment().location]", "identity": { @@ -86,6 +87,7 @@ "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').vmHybridMonitoring]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "nonComplianceMessages": [ { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMMonitoringPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMMonitoringPolicyAssignment.json index 17afd3061b..d5a989f307 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMMonitoringPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMMonitoringPolicyAssignment.json @@ -79,7 +79,8 @@ }, "variables": { "policyDefinitions": { - "vmMonitoring": "/providers/Microsoft.Authorization/policySetDefinitions/924bfe3a-762f-40e7-86dd-5c8b95eb09e6" + "vmMonitoring": "/providers/Microsoft.Authorization/policySetDefinitions/924bfe3a-762f-40e7-86dd-5c8b95eb09e6", + "policyVersion": "1.*.*" }, "policyAssignmentNames": { "vmMonitoring": "Deploy-VM-Monitoring", @@ -108,7 +109,7 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').vmMonitoring]", "location": "[deployment().location]", "identity": { @@ -118,6 +119,7 @@ "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').vmMonitoring]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "nonComplianceMessages": [ { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMSSMonitoringPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMSSMonitoringPolicyAssignment.json index d71b203284..e151ee8e73 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMSSMonitoringPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMSSMonitoringPolicyAssignment.json @@ -79,7 +79,8 @@ }, "variables": { "policyDefinitions": { - "vmssMonitoring": "/providers/Microsoft.Authorization/policySetDefinitions/f5bf694c-cca7-4033-b883-3a23327d5485" + "vmssMonitoring": "/providers/Microsoft.Authorization/policySetDefinitions/f5bf694c-cca7-4033-b883-3a23327d5485", + "policyVersion": "1.*.*" }, "policyAssignmentNames": { "vmssMonitoring": "Deploy-VMSS-Monitoring", @@ -108,7 +109,7 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').vmssMonitoring]", "location": "[deployment().location]", "identity": { @@ -118,6 +119,7 @@ "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').vmssMonitoring]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "nonComplianceMessages": [ { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-SubnetPrivatePolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-SubnetPrivatePolicyAssignment.json index c1092bb317..01e4c8f228 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-SubnetPrivatePolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-SubnetPrivatePolicyAssignment.json @@ -26,7 +26,8 @@ }, "variables": { "policyDefinitions": { - "privateSubnet": "/providers/Microsoft.Authorization/policyDefinitions/7bca8353-aa3b-429b-904a-9229c4385837" + "privateSubnet": "/providers/Microsoft.Authorization/policyDefinitions/7bca8353-aa3b-429b-904a-9229c4385837", + "policyVersion": "1.*.*" }, "policyAssignmentNames": { "privateSubnet": "Enforce-Subnet-Private", @@ -42,12 +43,13 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').privateSubnet]", "properties": { "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').privateSubnet]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "nonComplianceMessages": [ { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/MODIFY-DDoSPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/MODIFY-DDoSPolicyAssignment.json index 0b9c17721d..461201e9de 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/MODIFY-DDoSPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/MODIFY-DDoSPolicyAssignment.json @@ -29,7 +29,8 @@ }, "variables": { "policyDefinitions": { - "deployDoS": "/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d" + "deployDoS": "/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d", + "policyVersion": "1.*.*" }, "policyAssignmentNames": { "deployDdoS": "Enable-DDoS-VNET", @@ -49,7 +50,7 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').deployDdoS]", "location": "[deployment().location]", "identity": { @@ -59,6 +60,7 @@ "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').deployDoS]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "parameters": { "ddosPlan": { diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json b/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json index 1877f87c98..5045df57f0 100644 --- a/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json +++ b/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.31.34.60546", - "templateHash": "9652634129750638250" + "templateHash": "10867486657225631259" } }, "parameters": { @@ -76,62 +76,62 @@ "input": "[json(variables('processPolicySetDefinitionsAzureUSGovernment')[copyIndex('policySetDefinitionsAzureUSGovernment')])]" } ], - "$fxv#0": "{\n \"name\": \"Audit-UnusedResourcesCostOptimization\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Unused resources driving cost should be avoided\",\n \"description\": \"Optimize cost by detecting unused but chargeable resources. Leverage this Azure Policy Initiative as a cost control tool to reveal orphaned resources that are contributing cost.\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Cost Optimization\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effectDisks\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Disks Effect\",\n \"description\": \"Enable or disable the execution of the policy for Microsoft.Compute/disks\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectPublicIpAddresses\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"PublicIpAddresses Effect\",\n \"description\": \"Enable or disable the execution of the policy for Microsoft.Network/publicIpAddresses\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectServerFarms\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"ServerFarms Effect\",\n \"description\": \"Enable or disable the execution of the policy for Microsoft.Web/serverfarms\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AuditDisksUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-Disks-UnusedResourcesCostOptimization\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectDisks')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditPublicIpAddressesUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-PublicIpAddresses-UnusedResourcesCostOptimization\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectPublicIpAddresses')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditServerFarmsUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-ServerFarms-UnusedResourcesCostOptimization\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectServerFarms')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditAzureHybridBenefitUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-AzureHybridBenefit\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"Audit\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#1": "{\n \"name\": \"Audit-TrustedLaunch\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Audit virtual machines for Trusted Launch support\",\n \"description\": \"Trusted Launch improves security of a Virtual Machine which requires VM SKU, OS Disk & OS Image to support it (Gen 2). To learn more about Trusted Launch, visit https://aka.ms/trustedlaunch.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Trusted Launch\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"version\": \"1.0.0\",\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AuditDisksOsTrustedLaunch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b03bb370-5249-4ea4-9fce-2552e87e45fa\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditTrustedLaunchEnabled\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c95b54ad-0614-4633-ab29-104b01235cbf\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#0": "{\n \"name\": \"Audit-UnusedResourcesCostOptimization\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Unused resources driving cost should be avoided\",\n \"description\": \"Optimize cost by detecting unused but chargeable resources. Leverage this Azure Policy Initiative as a cost control tool to reveal orphaned resources that are contributing cost.\",\n \"metadata\": {\n \"version\": \"2.1.0\",\n \"category\": \"Cost Optimization\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effectDisks\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Disks Effect\",\n \"description\": \"Enable or disable the execution of the policy for Microsoft.Compute/disks\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectPublicIpAddresses\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"PublicIpAddresses Effect\",\n \"description\": \"Enable or disable the execution of the policy for Microsoft.Network/publicIpAddresses\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectServerFarms\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"ServerFarms Effect\",\n \"description\": \"Enable or disable the execution of the policy for Microsoft.Web/serverfarms\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AuditDisksUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-Disks-UnusedResourcesCostOptimization\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectDisks')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditPublicIpAddressesUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-PublicIpAddresses-UnusedResourcesCostOptimization\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectPublicIpAddresses')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditServerFarmsUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-ServerFarms-UnusedResourcesCostOptimization\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectServerFarms')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditAzureHybridBenefitUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-AzureHybridBenefit\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"Audit\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#1": "{\n \"name\": \"Audit-TrustedLaunch\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Audit virtual machines for Trusted Launch support\",\n \"description\": \"Trusted Launch improves security of a Virtual Machine which requires VM SKU, OS Disk & OS Image to support it (Gen 2). To learn more about Trusted Launch, visit https://aka.ms/trustedlaunch.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Trusted Launch\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"version\": \"1.0.0\",\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AuditDisksOsTrustedLaunch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b03bb370-5249-4ea4-9fce-2552e87e45fa\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditTrustedLaunchEnabled\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c95b54ad-0614-4633-ab29-104b01235cbf\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#10": "{\n \"name\": \"Enforce-Guardrails-KeyVault\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Azure Key Vault\",\n \"description\": \"Enforce recommended guardrails for Azure Key Vault.\",\n \"metadata\": {\n \"version\": \"2.2.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effectKvSoftDelete\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect - KV Soft Delete\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvPurgeProtection\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect - KV Purge Protection\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvSecretsExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect - KV Secrets Expiry\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvKeysExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect - KV Keys Expiry\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvFirewallEnabled\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect - KV Firewall Enabled\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvCertLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect - KV Certificate Lifetime\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"maximumCertLifePercentageLife\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The maximum lifetime percentage\",\n \"description\": \"Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate's valid life, enter '80'.\"\n },\n \"defaultValue\": 80\n },\n \"minimumCertLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvKeysLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect - KV Keys Lifetime\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumKeysLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvSecretsLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect - KV Secrets Lifetime\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumSecretsLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"keyVaultCheckMinimumRSACertificateSize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSACertificateSizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultManagedHsmCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultManagedHsmMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultArmRbac\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsPurgeProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificatesPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertValidPeriod\": {\n \"type\": \"integer\",\n \"defaultValue\": 12\n },\n \"keyVaultHmsKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultCertKeyTypes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultEllipticCurve\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCryptographicType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keysCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultSecretContentType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCaValue\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"The common name of the certificate authority\",\n \"description\": \"The common name (CN) of the Certificate Authority (CA) provider. For example, for an issuer CN = Contoso, OU = .., DC = .., you can specify Contoso\"\n }\n },\n \"keyVaultIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultIntegratedCaValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"DigiCert\",\n \"GlobalSign\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpirationValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultHmsCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsCurveNamesValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"P-256\",\n \"P-256K\",\n \"P-384\",\n \"P-521\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"KvSoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\",\n \"definitionVersion\": \"3.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSoftDelete')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvPurgeProtection\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvPurgeProtection')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvFirewallEnabled\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"definitionVersion\": \"3.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvFirewallEnabled')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvCertLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvCertLifetime')]\"\n },\n \"maximumPercentageLife\": {\n \"value\": \"[[parameters('maximumCertLifePercentageLife')]\"\n },\n \"minimumDaysBeforeExpiry\": {\n \"value\": \"[[parameters('minimumCertLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumKeysLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumSecretsLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinCertSize\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSACertificateSize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSACertificateSizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86810a98-8e91-4a44-8386-ec66d0de5d57\",\n \"policyDefinitionReferenceId\": \"Deny-keyVaultManagedHsm-RSA-Keys-without-MinKeySize\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultManagedHsmMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82067dbb-e53b-4e06-b631-546d197452d9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinKeySize\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-without-ArmRbac\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultArmRbac')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c39ba22d-4428-4149-b981-70acb31fc383\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-PurgeProtection\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsPurgeProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cert-Period\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificatesPeriod')]\"\n },\n \"maximumValidityInMonths\": {\n \"value\": \"[[parameters('keyVaultCertValidPeriod')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1d478a74-21ba-4b9f-9d8f-8e6fced0eec5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-Key-Expire\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/49a22571-d204-4c91-a7b6-09b1a586fbc9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Keys-Expire\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/342e8053-e12e-4c44-be01-c3c2f318400f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secrets-ValidityDays\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Types\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertKeyTypes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Elliptic-Curve\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultEllipticCurve')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75c4f823-d65c-4f29-a733-01d0077fdbcb\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cryptographic-Type\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCryptographicType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26e4b24-cf98-4c67-b48b-5a25c4c69eb9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Active\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Curve-Names\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysCurveNames')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8d99835-8a06-45ae-a8e0-87a91941ccfe\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secret-ActiveDays\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75262d3e-ba4a-4f43-85f8-9f72c090e5e3\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Secret-Content-Type\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultSecretContentType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Non-Integrated-Ca\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCa')]\"\n },\n \"caCommonName\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Integrated-Ca\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultIntegratedCa')]\"\n },\n \"allowedCAs\": {\n \"value\": \"[[parameters('keyVaultIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ad27588c-0198-4c84-81ef-08efd0274653\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-MinimumDays-Before-Expiration\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpiration')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpirationValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e58fd0c1-feac-4d12-92db-0a7e9421f53e\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-Curve-Names\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNames')]\"\n },\n \"allowedECNames\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNamesValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Cert-Expiration-Within-Specific-Number-Days\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays')]\"\n },\n \"daysToExpire\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#11": "{\n \"name\": \"Enforce-Guardrails-APIM\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for API Management\",\n \"description\": \"This policy initiative is a group of policies that ensures API Management is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"API Management\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"apiSubscriptionScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"minimumApiVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimSkuVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"apimApiBackendCertValidation\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimDirectApiEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimCallApiAuthn\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimEncryptedProtocols\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimVnetUsage\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimSecrets\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f1cc7827-022c-473e-836e-5a51cae0b249\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-without-Kv\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimSecrets')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ef619a2c-cc4d-4d03-b2ba-8c94a834d85b\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-without-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimVnetUsage')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-APIM-TLS\",\n \"policyDefinitionReferenceId\": \"Deny-APIM-TLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee7495e7-3ba7-40b6-bfee-c29e22cc75d4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Protocols\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimEncryptedProtocols')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c15dcc82-b93c-4dcb-9332-fbf121685b54\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Authn\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimCallApiAuthn')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b741306c-968e-4b67-b916-5675e5c709f4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Direct-Endpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimDirectApiEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92bb331d-ac71-416a-8c91-02f2cb734ce4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Cert-Validation\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimApiBackendCertValidation')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7ca8c8ac-3a6e-493d-99ba-c5fa35347ff2\",\n \"policyDefinitionReferenceId\": \"Dine-Apim-Public-NetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimDisablePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/73ef9241-5d81-4cd4-b483-8443d1730fe5\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Sku-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimSkuVnet')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/549814b6-3212-4203-bdc8-1548d342fb67\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('minimumApiVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3aa03346-d8c5-4994-a5bc-7652c2a2aef1\",\n \"policyDefinitionReferenceId\": \"Deny-Api-subscription-scope\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apiSubscriptionScope')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#12": "{\n \"name\": \"Enforce-Guardrails-AppServices\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for App Service\",\n \"description\": \"This policy initiative is a group of policies that ensures App Service is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"App Service\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"functionAppDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceSkuPl\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceDisableLocalAuthFtp\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceRouting\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceScmAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceRfc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsRfc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsVnetRouting\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceEnvLatestVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsRemoteDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsRemoteDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceByoc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsModifyHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppService-without-BYOC\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Byoc\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceByoc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a5e3fe8f-f6cd-4f1d-bbf6-c749754a724b\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Remote-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsRemoteDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cca5adfe-626b-4cc6-8522-f5b6ed2391bd\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Remote-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsRemoteDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/eb4d34ab-0929-491c-bbf3-61e13da19f9a\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Latest-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceEnvLatestVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/801543d1-1953-4a90-b8b0-8cf6d41473a5\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Vnet-Routing\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsVnetRouting')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f5c0bfb3-acea-47b1-b477-b0edcdf6edc1\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Rfc\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceRfc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a691eacb-474d-47e4-b287-b4813ca44222\",\n \"policyDefinitionReferenceId\": \"Deny-AppServiceApps-Rfc\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsRfc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/70adbb40-e092-42d5-a6f8-71c540a5efdb\",\n \"policyDefinitionReferenceId\": \"DINE-FuncApp-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e97b776-f380-4722-a9a3-e7f0be029e79\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-ScmAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceScmAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5747353b-1ca9-42c1-a4dd-b874b894f3d4\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-Routing\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceRouting')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/572e342c-c920-4ef5-be2e-1ed3c6a51dc5\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-FtpAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceDisableLocalAuthFtp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/546fe8d2-368d-4029-a418-6af48a7f61e5\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-SkuPl\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceSkuPl')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2c034a29-2a5f-4857-b120-f800fe5549ae\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceDisableLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/25a5046c-c423-4805-9235-e844ae9ef49b\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08cf2974-d178-48a0-b26d-f6b8e555748b\",\n \"policyDefinitionReferenceId\": \"Modify-Function-Apps-Slots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsModifyHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0f98368e-36bc-4716-8ac2-8f8067203b63\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/242222f3-4985-4e99-b5ef-086d6a6cb01c\",\n \"policyDefinitionReferenceId\": \"Modify-Function-Apps-Slots-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2374605e-3e0b-492b-9046-229af202562c\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-Apps-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c6c3e00e-d414-4ca4-914f-406699bb8eee\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-App-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#13": "{\n \"name\": \"Enforce-Guardrails-Automation\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Automation Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Automation Account is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"aaModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"aaVariablesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"autoHotPatch\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d02d2f7-e38b-4bdc-96f3-adc0a8726abc\",\n \"policyDefinitionReferenceId\": \"Deny-Windows-Vm-HotPatch\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('autoHotPatch')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dea83a72-443c-4292-83d5-54a2f98749c0\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/48c5f1cb-14ad-4797-8e3b-f78ab3f8d700\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Variables-Encrypt\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaVariablesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/30d1d58e-8f96-47a5-8564-499a3f3cca81\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyLocalAUth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/23b36a7c-9d26-4288-a8fd-c1d2fa284d8c\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#14": "{\n \"name\": \"Enforce-Guardrails-BotService\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Bot Service\",\n \"description\": \"This policy initiative is a group of policies that ensures Bot Service is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Bot Service\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"botServiceValidUri\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"audit\",\n \"Deny\",\n \"deny\",\n \"Disabled\",\n \"disabled\"\n ]\n },\n \"botServiceIsolatedMode\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"audit\",\n \"Deny\",\n \"deny\",\n \"Disabled\",\n \"disabled\"\n ]\n },\n \"botServiceLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"botServicePrivateLink\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6164527b-e1ee-4882-8673-572f425f5e0a\",\n \"policyDefinitionReferenceId\": \"Deny-BotService-Valid-Uri\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('botServiceValidUri')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/52152f42-0dda-40d9-976e-abb1acdd611e\",\n \"policyDefinitionReferenceId\": \"Deny-BotService-Isolated-Mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('botServiceIsolatedMode')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffea632e-4e3a-4424-bf78-10e179bb2e1a\",\n \"policyDefinitionReferenceId\": \"Deny-BotService-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('botServiceLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ad5621d6-a877-4407-aa93-a950b428315e\",\n \"policyDefinitionReferenceId\": \"Audit-BotService-Private-Link\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('botServicePrivateLink')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#15": "{\n \"name\": \"Enforce-Guardrails-CognitiveServices\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cognitive Services\",\n \"description\": \"This policy initiative is a group of policies that ensures Cognitive Services is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Cognitive Services\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cognitiveSearchSku\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveSearchLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyCognitiveSearchLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyCognitiveSearchPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesCustomerStorage\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesResourceLogs\": {\n \"type\": \"string\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a049bf77-880b-470f-ba6d-9f21c530cf83\",\n \"policyDefinitionReferenceId\": \"Deny-CognitiveSearch-SKU\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchSku')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6300012e-e9a4-4649-b41f-a85f5c43be91\",\n \"policyDefinitionReferenceId\": \"Deny-CongitiveSearch-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4eb216f2-9dba-4979-86e6-5d7e63ce3b75\",\n \"policyDefinitionReferenceId\": \"Modify-CogntiveSearch-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyCognitiveSearchLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9cee519f-d9c1-4fd9-9f79-24ec3449ed30\",\n \"policyDefinitionReferenceId\": \"Modify-CogntiveSearch-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyCognitiveSearchPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47ba1dd7-28d9-4b07-a8d5-9813bed64e0c\",\n \"policyDefinitionReferenceId\": \"Modify-Cognitive-Services-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/46aa9b05-0e60-4eae-a88b-1e9d374fa515\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Customer-Storage\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesCustomerStorage')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555\",\n \"policyDefinitionReferenceId\": \"Modify-Cognitive-Services-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4\",\n \"policyDefinitionReferenceId\": \"Aine-Cognitive-Services-Resource-Logs\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesResourceLogs')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#16": "{\n \"name\": \"Enforce-Guardrails-Compute\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Compute\",\n \"description\": \"This policy initiative is a group of policies that ensures Compute is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Compute\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"diskDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vmAndVmssEncryptionHost\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc4d8e41-e223-45ea-9bf5-eada37891d87\",\n \"policyDefinitionReferenceId\": \"Deny-VmAndVmss-Encryption-Host\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vmAndVmssEncryptionHost')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ca91455f-eace-4f96-be59-e6e2c35b4816\",\n \"policyDefinitionReferenceId\": \"Deny-Disk-Double-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('diskDoubleEncryption')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#17": "{\n \"name\": \"Enforce-Guardrails-ContainerApps\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Apps\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Container Apps\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerAppsManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsVnetInjection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8b346db6-85af-419b-8557-92cee2c0f9bb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApp-Vnet-Injection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsVnetInjection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b874ab2d-72dd-47f1-8cb5-4a306478a4e7\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsManagedIdentity')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#18": "{\n \"name\": \"Enforce-Guardrails-ContainerInstance\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Instance\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Container Instances\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerInstanceVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8af8f826-edcb-4178-b35f-851ea6fea615\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerInstance-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerInstanceVnet')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#19": "{\n \"name\": \"Enforce-Guardrails-ContainerRegistry\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Registry\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Container Registry\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerRegistryUnrestrictedNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryRepositoryToken\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyRepositoryToken\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistryLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistryExports\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryAnAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyAnAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistrySkuPrivateLink\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryArmAudience\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyArmAudience\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/79fdfe03-ffcb-4e55-b4d0-b925b8241759\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a9b426fe-8856-4945-8600-18c5dd1cca2a\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Repo-Token\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyRepositoryToken')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/42781ec6-6127-4c30-bdfa-fb423a0047d3\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Arm-Audience\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryArmAudience')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/785596ed-054f-41bc-aaec-7f3d0ba05725\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Arm-Audience\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyArmAudience')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd560fc0-3c69-498a-ae9f-aa8eb7de0e13\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Sku-PrivateLink\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistrySkuPrivateLink')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cced2946-b08a-44fe-9fd9-e4ed8a779897\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Anonymous-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyAnAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9f2dea28-e834-476c-99c5-3507b4728395\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Anonymous-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryAnAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/524b0254-c285-4903-bee6-bb8126cde579\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Exports\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryExports')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc921057-6b28-4fbe-9b83-f7bec05db6c2\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff05e24e-195c-447e-b322-5e90c9f9f366\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Repo-Token\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryRepositoryToken')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Unrestricted-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryUnrestrictedNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a3701552-92ea-433e-9d17-33b7f1208fc9\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#11": "{\n \"name\": \"Enforce-Guardrails-APIM\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for API Management\",\n \"description\": \"This policy initiative is a group of policies that ensures API Management is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"API Management\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"apiSubscriptionScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"minimumApiVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimSkuVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"apimApiBackendCertValidation\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimDirectApiEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimCallApiAuthn\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimEncryptedProtocols\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimVnetUsage\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimSecrets\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f1cc7827-022c-473e-836e-5a51cae0b249\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-without-Kv\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimSecrets')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ef619a2c-cc4d-4d03-b2ba-8c94a834d85b\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-without-Vnet\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimVnetUsage')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-APIM-TLS\",\n \"policyDefinitionReferenceId\": \"Deny-APIM-TLS\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee7495e7-3ba7-40b6-bfee-c29e22cc75d4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Protocols\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimEncryptedProtocols')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c15dcc82-b93c-4dcb-9332-fbf121685b54\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Authn\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimCallApiAuthn')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b741306c-968e-4b67-b916-5675e5c709f4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Direct-Endpoint\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimDirectApiEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92bb331d-ac71-416a-8c91-02f2cb734ce4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Cert-Validation\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimApiBackendCertValidation')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7ca8c8ac-3a6e-493d-99ba-c5fa35347ff2\",\n \"policyDefinitionReferenceId\": \"Dine-Apim-Public-NetworkAccess\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimDisablePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/73ef9241-5d81-4cd4-b483-8443d1730fe5\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Sku-Vnet\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimSkuVnet')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/549814b6-3212-4203-bdc8-1548d342fb67\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Version\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('minimumApiVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3aa03346-d8c5-4994-a5bc-7652c2a2aef1\",\n \"policyDefinitionReferenceId\": \"Deny-Api-subscription-scope\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apiSubscriptionScope')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#12": "{\n \"name\": \"Enforce-Guardrails-AppServices\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for App Service\",\n \"description\": \"This policy initiative is a group of policies that ensures App Service is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"App Service\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"functionAppDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceSkuPl\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceDisableLocalAuthFtp\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceRouting\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceScmAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceRfc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsRfc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsVnetRouting\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceEnvLatestVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsRemoteDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsRemoteDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceByoc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsModifyHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppService-without-BYOC\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Byoc\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceByoc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a5e3fe8f-f6cd-4f1d-bbf6-c749754a724b\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Remote-Debugging\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsRemoteDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cca5adfe-626b-4cc6-8522-f5b6ed2391bd\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Remote-Debugging\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsRemoteDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/eb4d34ab-0929-491c-bbf3-61e13da19f9a\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Latest-Version\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceEnvLatestVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/801543d1-1953-4a90-b8b0-8cf6d41473a5\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Vnet-Routing\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsVnetRouting')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f5c0bfb3-acea-47b1-b477-b0edcdf6edc1\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Rfc\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceRfc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a691eacb-474d-47e4-b287-b4813ca44222\",\n \"policyDefinitionReferenceId\": \"Deny-AppServiceApps-Rfc\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsRfc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/70adbb40-e092-42d5-a6f8-71c540a5efdb\",\n \"policyDefinitionReferenceId\": \"DINE-FuncApp-Debugging\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e97b776-f380-4722-a9a3-e7f0be029e79\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-ScmAuth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceScmAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5747353b-1ca9-42c1-a4dd-b874b894f3d4\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-Routing\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceRouting')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/572e342c-c920-4ef5-be2e-1ed3c6a51dc5\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-FtpAuth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceDisableLocalAuthFtp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/546fe8d2-368d-4029-a418-6af48a7f61e5\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-SkuPl\",\n \"definitionVersion\": \"4.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceSkuPl')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2c034a29-2a5f-4857-b120-f800fe5549ae\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-LocalAuth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceDisableLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/25a5046c-c423-4805-9235-e844ae9ef49b\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-Debugging\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08cf2974-d178-48a0-b26d-f6b8e555748b\",\n \"policyDefinitionReferenceId\": \"Modify-Function-Apps-Slots-Https\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsModifyHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0f98368e-36bc-4716-8ac2-8f8067203b63\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-Https\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/242222f3-4985-4e99-b5ef-086d6a6cb01c\",\n \"policyDefinitionReferenceId\": \"Modify-Function-Apps-Slots-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2374605e-3e0b-492b-9046-229af202562c\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-Apps-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c6c3e00e-d414-4ca4-914f-406699bb8eee\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-App-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#13": "{\n \"name\": \"Enforce-Guardrails-Automation\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Automation Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Automation Account is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"aaModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"aaVariablesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"autoHotPatch\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d02d2f7-e38b-4bdc-96f3-adc0a8726abc\",\n \"policyDefinitionReferenceId\": \"Deny-Windows-Vm-HotPatch\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('autoHotPatch')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dea83a72-443c-4292-83d5-54a2f98749c0\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Managed-Identity\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/48c5f1cb-14ad-4797-8e3b-f78ab3f8d700\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Variables-Encrypt\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaVariablesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/30d1d58e-8f96-47a5-8564-499a3f3cca81\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyLocalAUth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/23b36a7c-9d26-4288-a8fd-c1d2fa284d8c\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#14": "{\n \"name\": \"Enforce-Guardrails-BotService\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Bot Service\",\n \"description\": \"This policy initiative is a group of policies that ensures Bot Service is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Bot Service\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"botServiceValidUri\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"audit\",\n \"Deny\",\n \"deny\",\n \"Disabled\",\n \"disabled\"\n ]\n },\n \"botServiceIsolatedMode\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"audit\",\n \"Deny\",\n \"deny\",\n \"Disabled\",\n \"disabled\"\n ]\n },\n \"botServiceLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"botServicePrivateLink\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6164527b-e1ee-4882-8673-572f425f5e0a\",\n \"policyDefinitionReferenceId\": \"Deny-BotService-Valid-Uri\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('botServiceValidUri')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/52152f42-0dda-40d9-976e-abb1acdd611e\",\n \"policyDefinitionReferenceId\": \"Deny-BotService-Isolated-Mode\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('botServiceIsolatedMode')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffea632e-4e3a-4424-bf78-10e179bb2e1a\",\n \"policyDefinitionReferenceId\": \"Deny-BotService-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('botServiceLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ad5621d6-a877-4407-aa93-a950b428315e\",\n \"policyDefinitionReferenceId\": \"Audit-BotService-Private-Link\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('botServicePrivateLink')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#15": "{\n \"name\": \"Enforce-Guardrails-CognitiveServices\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cognitive Services\",\n \"description\": \"This policy initiative is a group of policies that ensures Cognitive Services is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Cognitive Services\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cognitiveSearchSku\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveSearchLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyCognitiveSearchLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyCognitiveSearchPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesCustomerStorage\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesResourceLogs\": {\n \"type\": \"string\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a049bf77-880b-470f-ba6d-9f21c530cf83\",\n \"policyDefinitionReferenceId\": \"Deny-CognitiveSearch-SKU\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchSku')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6300012e-e9a4-4649-b41f-a85f5c43be91\",\n \"policyDefinitionReferenceId\": \"Deny-CongitiveSearch-LocalAuth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4eb216f2-9dba-4979-86e6-5d7e63ce3b75\",\n \"policyDefinitionReferenceId\": \"Modify-CogntiveSearch-LocalAuth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyCognitiveSearchLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9cee519f-d9c1-4fd9-9f79-24ec3449ed30\",\n \"policyDefinitionReferenceId\": \"Modify-CogntiveSearch-PublicEndpoint\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyCognitiveSearchPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47ba1dd7-28d9-4b07-a8d5-9813bed64e0c\",\n \"policyDefinitionReferenceId\": \"Modify-Cognitive-Services-Public-Network-Access\",\n \"definitionVersion\": \"3.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Managed-Identity\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/46aa9b05-0e60-4eae-a88b-1e9d374fa515\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Customer-Storage\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesCustomerStorage')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555\",\n \"policyDefinitionReferenceId\": \"Modify-Cognitive-Services-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4\",\n \"policyDefinitionReferenceId\": \"Aine-Cognitive-Services-Resource-Logs\",\n \"definitionVersion\": \"5.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesResourceLogs')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#16": "{\n \"name\": \"Enforce-Guardrails-Compute\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Compute\",\n \"description\": \"This policy initiative is a group of policies that ensures Compute is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Compute\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"diskDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vmAndVmssEncryptionHost\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc4d8e41-e223-45ea-9bf5-eada37891d87\",\n \"policyDefinitionReferenceId\": \"Deny-VmAndVmss-Encryption-Host\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vmAndVmssEncryptionHost')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ca91455f-eace-4f96-be59-e6e2c35b4816\",\n \"policyDefinitionReferenceId\": \"Deny-Disk-Double-Encryption\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('diskDoubleEncryption')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#17": "{\n \"name\": \"Enforce-Guardrails-ContainerApps\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Apps\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Container Apps\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerAppsManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsVnetInjection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8b346db6-85af-419b-8557-92cee2c0f9bb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApp-Vnet-Injection\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsVnetInjection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b874ab2d-72dd-47f1-8cb5-4a306478a4e7\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Managed-Identity\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsManagedIdentity')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#18": "{\n \"name\": \"Enforce-Guardrails-ContainerInstance\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Instance\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Container Instances\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerInstanceVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8af8f826-edcb-4178-b35f-851ea6fea615\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerInstance-Vnet\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerInstanceVnet')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#19": "{\n \"name\": \"Enforce-Guardrails-ContainerRegistry\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Registry\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Container Registry\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerRegistryUnrestrictedNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryRepositoryToken\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyRepositoryToken\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistryLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistryExports\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryAnAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyAnAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistrySkuPrivateLink\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryArmAudience\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyArmAudience\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/79fdfe03-ffcb-4e55-b4d0-b925b8241759\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a9b426fe-8856-4945-8600-18c5dd1cca2a\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Repo-Token\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyRepositoryToken')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/42781ec6-6127-4c30-bdfa-fb423a0047d3\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Arm-Audience\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryArmAudience')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/785596ed-054f-41bc-aaec-7f3d0ba05725\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Arm-Audience\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyArmAudience')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd560fc0-3c69-498a-ae9f-aa8eb7de0e13\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Sku-PrivateLink\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistrySkuPrivateLink')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cced2946-b08a-44fe-9fd9-e4ed8a779897\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Anonymous-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyAnAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9f2dea28-e834-476c-99c5-3507b4728395\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Anonymous-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryAnAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/524b0254-c285-4903-bee6-bb8126cde579\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Exports\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryExports')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc921057-6b28-4fbe-9b83-f7bec05db6c2\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff05e24e-195c-447e-b322-5e90c9f9f366\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Repo-Token\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryRepositoryToken')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Unrestricted-Network-Access\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryUnrestrictedNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a3701552-92ea-433e-9d17-33b7f1208fc9\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#2": "{\n \"name\": \"Deploy-Sql-Security\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deploy SQL Database built-in SQL security configuration\",\n \"description\": \"Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-Sql-Security_20240529.html\",\n \"metadata\": {\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"Deploy-Sql-Security_20240529\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"vulnerabilityAssessmentsEmail\": {\n \"metadata\": {\n \"description\": \"The email address to send alerts\",\n \"displayName\": \"The email address to send alerts\"\n },\n \"type\": \"String\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"metadata\": {\n \"description\": \"The storage account ID to store assessments\",\n \"displayName\": \"The storage account ID to store assessments\"\n },\n \"type\": \"String\"\n },\n \"SqlDbTdeDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database Transparent Data Encryption \",\n \"description\": \"Deploy the Transparent Data Encryption when it is not enabled in the deployment\"\n }\n },\n \"SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database security Alert Policies configuration with email admin accounts\",\n \"description\": \"Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration\"\n }\n },\n \"SqlDbAuditingSettingsDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL database auditing settings\",\n \"description\": \"Deploy auditing settings to SQL Database when it not exist in the deployment\"\n }\n },\n \"SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database vulnerability Assessments\",\n \"description\": \"Deploy SQL Database vulnerability Assessments when it not exist in the deployment. To the specific storage account in the parameters\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"SqlDbTdeDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbTdeDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbSecurityAlertPoliciesDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbAuditingSettingsDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbAuditingSettingsDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbVulnerabilityAssessmentsDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect')]\"\n },\n \"vulnerabilityAssessmentsEmail\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsStorageID')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#20": "{\n \"name\": \"Enforce-Guardrails-CosmosDb\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cosmos DB\",\n \"description\": \"This policy initiative is a group of policies that ensures Cosmos DB is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cosmos DB\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cosmosDbLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbAtp\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc2d41d1-4ab1-4666-a3e1-3d51c43e0049\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b5f04e03-92a3-4b09-9410-2cc5e5047656\",\n \"policyDefinitionReferenceId\": \"Dine-CosmosDb-Atp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbAtp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Fw-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5\",\n \"policyDefinitionReferenceId\": \"Append-CosmosDb-Metadata\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da69ba51-aaf1-41e5-8651-607cd0b37088\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyPublicAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#21": "{\n \"name\": \"Enforce-Guardrails-DataExplorer\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Data Explorer\",\n \"description\": \"This policy initiative is a group of policies that ensures Data Explorer is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Azure Data Explorer\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"adxEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxSku\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1fec9658-933f-4b3e-bc95-913ed22d012b\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Sku-without-PL-Support\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxSku')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Double-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f4b53539-8df9-40e4-86c6-6b607703bd4e\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7b32f193-cb28-4e15-9a98-b9556db0bafa\",\n \"policyDefinitionReferenceId\": \"Modify-ADX-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#22": "{\n \"name\": \"Enforce-Guardrails-DataFactory\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Data Factory\",\n \"description\": \"This policy initiative is a group of policies that ensures Data Factory is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Data Factory\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"adfSqlIntegration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfLinkedServiceKeyVault\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfGit\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f78ccdb4-7bf4-4106-8647-270491d2978a\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/77d40665-3120-4348-b539-3192ec808307\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Git\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfGit')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/127ef6d7-242f-43b3-9eef-947faf1725d0\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Linked-Service-Key-Vault\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfLinkedServiceKeyVault')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0088bc63-6dee-4a9c-9d29-91cfdc848952\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Sql-Integration\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfSqlIntegration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08b1442b-7789-4130-8506-4f99a97226a7\",\n \"policyDefinitionReferenceId\": \"Modify-Adf-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#23": "{\n \"name\": \"Enforce-Guardrails-EventGrid\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Event Grid\",\n \"description\": \"This policy initiative is a group of policies that ensures Event Grid is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Event Grid\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"eventGridLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridPartnerNamespaceLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridPartnerNamespaceModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridDomainModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridDomainModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2dd0e8b9-4289-4bb0-b813-1883298e9924\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Partner-Namespace-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridPartnerNamespaceModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8ac2748f-3bf1-4c02-a3b6-92ae68cf75b1\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Domain-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridDomainModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae9fb87f-8a17-4428-94a4-8135d431055c\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Topic-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c8144d9-746a-4501-b08c-093c8d29ad04\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Topic-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8632b003-3545-4b29-85e6-b2b96773df1e\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Partner-Namespace-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridPartnerNamespaceLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8bfadddb-ee1c-4639-8911-a38cb8e0b3bd\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/898e9824-104c-4965-8e0e-5197588fa5d4\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Domain-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridDomainModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/36ea4b4b-0f7f-4a54-89fa-ab18f555a172\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Topic-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#24": "{\n \"name\": \"Enforce-Guardrails-EventHub\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Event Hub\",\n \"description\": \"This policy initiative is a group of policies that ensures Event Hub is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Event Hub\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"eventHubAuthRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/836cd60e-87f3-4e6a-a27c-29d687f01a4c\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Double-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/57f35901-8389-40bb-ac49-3ba4f86d889d\",\n \"policyDefinitionReferenceId\": \"Modify-EH-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5d4e3c65-4873-47be-94f3-6f8b953a3598\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b278e460-7cfc-4451-8294-cccc40a940d7\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Auth-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubAuthRules')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#25": "{\n \"name\": \"Enforce-Guardrails-KeyVault-Sup\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce additional recommended guardrails for Key Vault\",\n \"description\": \"This policy initiative is a group of policies that ensures Key Vault is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"keyVaultManagedHsmDisablePublicNetworkModify\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"keyVaultModifyFw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/84d327c3-164a-4685-b453-900478614456\",\n \"policyDefinitionReferenceId\": \"Modify-KV-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmDisablePublicNetworkModify')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01dc\",\n \"policyDefinitionReferenceId\": \"Modify-KV-Fw\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultModifyFw')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#26": "{\n \"name\": \"Enforce-Guardrails-Kubernetes\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Kubernetes\",\n \"description\": \"This policy initiative is a group of policies that ensures Kubernetes is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Kubernetes\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"aksKms\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"aksCni\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"aksLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPrivateCluster\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"aksCommandInvoke\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"aksReadinessOrLivenessProbes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPrivContainers\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"aksPrivEscalation\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"aksAllowedCapabilities\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"aksTempDisk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksInternalLb\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"aksDefaultNamespace\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"aksNakedPods\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksShareHostProcessAndNamespace\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"aksWindowsContainerAdministrator\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5485eac0-7e8f-4964-998b-a44f4f0c1e75\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Windows-Container-Administrator\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksWindowsContainerAdministrator')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Shared-Host-Process-Namespace\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksShareHostProcessAndNamespace')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/65280eef-c8b4-425e-9aec-af55e55bf581\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Naked-Pods\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksNakedPods')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9f061a12-e40d-4183-a00e-171812443373\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Default-Namespace\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksDefaultNamespace')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Internal-Lb\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksInternalLb')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/41425d9f-d1a5-499a-9932-f8ed8453932c\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Temp-Disk-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksTempDisk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Allowed-Capabilities\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksAllowedCapabilities')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Priv-Escalation\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPrivEscalation')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Priv-Containers\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPrivContainers')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b1a9997f-2883-4f12-bdff-2280f99b5915\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-ReadinessOrLiveness-Probes\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksReadinessOrLivenessProbes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b708b0a-3380-40e9-8b79-821f9fa224cc\",\n \"policyDefinitionReferenceId\": \"Dine-Aks-Command-Invoke\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksCommandInvoke')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n \"policyDefinitionReferenceId\": \"Dine-Aks-Policy\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPolicy')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Private-Cluster\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPrivateCluster')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/993c2fcd-2b29-49d2-9eb0-df2c3a730c32\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dbbdc317-9734-4dd8-9074-993b29c69008\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Kms\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksKms')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/46238e2f-3f6f-4589-9f3f-77bed4116e67\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Cni\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksCni')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#27": "{\n \"name\": \"Enforce-Guardrails-MachineLearning\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Machine Learning\",\n \"description\": \"This policy initiative is a group of policies that ensures Machine Learning is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"mlUserAssignedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"mlLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlOutdatedOS\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"mlModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"mlIdleShutdown\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlVirtualNetwork\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"mlLegacyMode\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlPrivateLink\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"mlResourceLogs\": {\n \"type\": \"string\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"mlAllowedRegistryDeploy\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlAllowedModule\": {\n \"type\": \"string\",\n \"defaultValue\": \"enforceSetting\",\n \"allowedValues\": [\n \"enforceSetting\",\n \"disabled\"\n ]\n },\n \"mlAllowedPython\": {\n \"type\": \"string\",\n \"defaultValue\": \"enforceSetting\",\n \"allowedValues\": [\n \"enforceSetting\",\n \"disabled\"\n ]\n },\n \"mlAllowedRegistries\": {\n \"type\": \"string\",\n \"defaultValue\": \"enforceSetting\",\n \"allowedValues\": [\n \"enforceSetting\",\n \"disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f110a506-2dcb-422e-bcea-d533fc8c35e2\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Outdated-Os\",\n \"groupNames\": [],\n \"parameters\": {\n \"effects\": {\n \"value\": \"[[parameters('mlOutdatedOS')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a6f9a2d0-cff7-4855-83ad-4cd750666512\",\n \"policyDefinitionReferenceId\": \"Modify-ML-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f0c7d88-c7de-45b8-ac49-db49e72eaa78\",\n \"policyDefinitionReferenceId\": \"Deny-ML-User-Assigned-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlUserAssignedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a10ee784-7409-4941-b091-663697637c0f\",\n \"policyDefinitionReferenceId\": \"Modify-ML-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/679ddf89-ab8f-48a5-9029-e76054077449\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Idle-Shutdown\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlIdleShutdown')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7804b5c7-01dc-4723-969b-ae300cc07ff1\",\n \"policyDefinitionReferenceId\": \"Audit-ML-Virtual-Network\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlVirtualNetwork')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e413671a-dd10-4cc1-a943-45b598596cb7\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Legacy-Mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlLegacyMode')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/45e05259-1eb5-4f70-9574-baf73e9d219b\",\n \"policyDefinitionReferenceId\": \"Audit-ML-Private-Link\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlPrivateLink')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/afe0c3be-ba3b-4544-ba52-0c99672a8ad6\",\n \"policyDefinitionReferenceId\": \"Aine-ML-Resource-Logs\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlResourceLogs')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/19539b54-c61e-4196-9a38-67598701be90\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Allowed-Registry-Deploy\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlAllowedRegistryDeploy')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/53c70b02-63dd-11ea-bc55-0242ac130003\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Allowed-Module\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlAllowedModule')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/77eeea86-7e81-4a7d-9067-de844d096752\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Allowed-Python\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlAllowedPython')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5853517a-63de-11ea-bc55-0242ac130003\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Allowed-Registries\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlAllowedRegistries')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#28": "{\n \"name\": \"Enforce-Guardrails-MySQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for MySQL\",\n \"description\": \"This policy initiative is a group of policies that ensures MySQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"MySQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"mySqlInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mySqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816\",\n \"policyDefinitionReferenceId\": \"Dine-MySql-Adv-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlAdvThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3a58212a-c829-4f13-9872-6371df2fd0b4\",\n \"policyDefinitionReferenceId\": \"Deny-MySql-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlInfraEncryption')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#29": "{\n \"name\": \"Enforce-Guardrails-Network\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Network and Networking services\",\n \"description\": \"This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"subnetUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetServiceEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwWaf\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vnetModifyDdos\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Audit\",\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"ddosPlanResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"wafMode\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"wafFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGwRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"denyMgmtFromInternet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"denyMgmtFromInternetPorts\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Ports\",\n \"description\": \"Ports to be blocked\"\n },\n \"defaultValue\": [\n \"22\",\n \"3389\"\n ]\n },\n \"afwEnbaleTlsForAllAppRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableTlsInspection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEmptyIDPSBypassList\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableAllIDPSSignatureRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableIDPS\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafAfdEnabled\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vpnAzureAD\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\"\n },\n \"modifyUdrNextHopIpAddress\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"modifyUdrNextHopType\": {\n \"type\": \"string\",\n \"defaultValue\": \"None\"\n },\n \"modifyUdrAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"0.0.0.0/0\"\n },\n \"modifyNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleName\": {\n \"type\": \"string\",\n \"defaultValue\": \"DenyAnyInternetOutbound\"\n },\n \"modifyNsgRulePriority\": {\n \"type\": \"integer\",\n \"defaultValue\": 1000\n },\n \"modifyNsgRuleDirection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Outbound\"\n },\n \"modifyNsgRuleAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Allow\",\n \"Deny\"\n ]\n },\n \"modifyNsgRuleProtocol\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourceAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourcePortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDestinationAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"Internet\"\n },\n \"modifyNsgRuleDestinationPortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDescription\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny any outbound traffic to the Internet\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010\",\n \"policyDefinitionReferenceId\": \"Deny-Nsg-GW-subnet\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7\",\n \"policyDefinitionReferenceId\": \"Deny-VPN-AzureAD\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vpnAzureAD')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Afd-Enabled\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafAfdEnabled')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6484db87-a62d-4327-9f07-80a2cbdf333a\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-IDPS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableIDPS')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/610b6183-5f00-4d68-86d2-4ab4cb3a67a5\",\n \"policyDefinitionReferenceId\": \"Deny-FW-AllIDPSS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableAllIDPSSignatureRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f516dc7a-4543-4d40-aad6-98f76a706b50\",\n \"policyDefinitionReferenceId\": \"Deny-FW-EmpIDPSBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEmptyIDPSBypassList')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/711c24bb-7f18-4578-b192-81a6161e1f17\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-Inspection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableTlsInspection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-AllApp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnbaleTlsForAllAppRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-AppGw-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafModeAppGw')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeAppGwRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Fw-rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafMode')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d\",\n \"policyDefinitionReferenceId\": \"Modify-vNet-DDoS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vnetModifyDdos')]\"\n },\n \"ddosPlan\": {\n \"value\": \"[[parameters('ddosPlanResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900\",\n \"policyDefinitionReferenceId\": \"Deny-Ip-Forwarding\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114\",\n \"policyDefinitionReferenceId\": \"Deny-vNic-Pip\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Waf\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwWaf')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetUdr')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-NSG\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetNsg')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-with-Service-Endpoints\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetServiceEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet\",\n \"policyDefinitionReferenceId\": \"Deny-Mgmt-From-Internet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('denyMgmtFromInternet')]\"\n },\n \"ports\": {\n \"value\": \"[[parameters('denyMgmtFromInternetPorts')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-UDR\",\n \"policyDefinitionReferenceId\": \"Modify-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyUdr')]\"\n },\n \"nextHopIpAddress\": {\n \"value\": \"[[parameters('modifyUdrNextHopIpAddress')]\"\n },\n \"nextHopType\": {\n \"value\": \"[[parameters('modifyUdrNextHopType')]\"\n },\n \"addressPrefix\": {\n \"value\": \"[[parameters('modifyUdrAddressPrefix')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-NSG\",\n \"policyDefinitionReferenceId\": \"Modify-Nsg\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyNsg')]\"\n },\n \"nsgRuleName\": {\n \"value\": \"[[parameters('modifyNsgRuleName')]\"\n },\n \"nsgRulePriority\": {\n \"value\": \"[[parameters('modifyNsgRulePriority')]\"\n },\n \"nsgRuleDirection\": {\n \"value\": \"[[parameters('modifyNsgRuleDirection')]\"\n },\n \"nsgRuleAccess\": {\n \"value\": \"[[parameters('modifyNsgRuleAccess')]\"\n },\n \"nsgRuleProtocol\": {\n \"value\": \"[[parameters('modifyNsgRuleProtocol')]\"\n },\n \"nsgRuleSourceAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleSourceAddressPrefix')]\"\n },\n \"nsgRuleSourcePortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleSourcePortRange')]\"\n },\n \"nsgRuleDestinationAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationAddressPrefix')]\"\n },\n \"nsgRuleDestinationPortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationPortRange')]\"\n },\n \"nsgRuleDescription\": {\n \"value\": \"[[parameters('modifyNsgRuleDescription')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#3": "{\n \"name\": \"Deploy-Sql-Security_20240529\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy SQL Database built-in SQL security configuration\",\n \"description\": \"Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Deploy-Sql-Security\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"vulnerabilityAssessmentsEmail\": {\n \"metadata\": {\n \"description\": \"The email address to send alerts\",\n \"displayName\": \"The email address to send alerts\"\n },\n \"type\": \"Array\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"metadata\": {\n \"description\": \"The storage account ID to store assessments\",\n \"displayName\": \"The storage account ID to store assessments\"\n },\n \"type\": \"String\"\n },\n \"SqlDbTdeDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database Transparent Data Encryption \",\n \"description\": \"Deploy the Transparent Data Encryption when it is not enabled in the deployment\"\n }\n },\n \"SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database security Alert Policies configuration with email admin accounts\",\n \"description\": \"Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration\"\n }\n },\n \"SqlDbAuditingSettingsDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL database auditing settings\",\n \"description\": \"Deploy auditing settings to SQL Database when it not exist in the deployment\"\n }\n },\n \"SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database vulnerability Assessments\",\n \"description\": \"Deploy SQL Database vulnerability Assessments when it not exist in the deployment. To the specific storage account in the parameters\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"SqlDbTdeDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbTdeDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbSecurityAlertPoliciesDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbAuditingSettingsDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbAuditingSettingsDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbVulnerabilityAssessmentsDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments_20230706\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect')]\"\n },\n \"vulnerabilityAssessmentsEmail\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsStorageID')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#30": "{\n \"name\": \"Enforce-Guardrails-OpenAI\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Open AI (Cognitive Service)\",\n \"description\": \"This policy initiative is a group of policies that ensures Open AI (Cognitive Service) is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Cognitive Services\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cognitiveServicesOutboundNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesNetworkAcls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesModifyDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesCustomerStorage\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"azureAiNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"azureAiPrivateLink\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"azureAiDisableLocalKey\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"azureAiDisableLocalKey2\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"azureAiDiagSettings\": {\n \"type\": \"string\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-RestrictOutboundNetworkAccess\",\n \"policyDefinitionReferenceId\": \"Deny-OpenAi-OutboundNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesOutboundNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-NetworkAcls\",\n \"policyDefinitionReferenceId\": \"Deny-OpenAi-NetworkAcls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesNetworkAcls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/71ef260a-8f18-47b7-abcb-62d0673d94dc\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesDisableLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/46aa9b05-0e60-4eae-a88b-1e9d374fa515\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Cust-Storage\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesCustomerStorage')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555\",\n \"policyDefinitionReferenceId\": \"Modify-Cognitive-Services-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesModifyDisableLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3\",\n \"policyDefinitionReferenceId\": \"Deny-AzureAI-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('azureAiNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6759c02-b87f-42b7-892e-71b3f471d782\",\n \"policyDefinitionReferenceId\": \"Audit-AzureAI-Private-Link\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('azureAiPrivateLink')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d45520cb-31ca-44ba-8da2-fcf914608544\",\n \"policyDefinitionReferenceId\": \"Dine-AzureAI-Local-Key\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('azureAiDisableLocalKey')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55eff01b-f2bd-4c32-9203-db285f709d30\",\n \"policyDefinitionReferenceId\": \"Dine-AzureAI-Local-Key2\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('azureAiDisableLocalKey2')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b4d1c4e-934c-4703-944c-27c82c06bebb\",\n \"policyDefinitionReferenceId\": \"Aine-AzureAI-Diag-Settings\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('azureAiDiagSettings')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#31": "{\n \"name\": \"Enforce-Guardrails-PostgreSQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for PostgreSQL\",\n \"description\": \"This policy initiative is a group of policies that ensures PostgreSQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"PostgreSQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"postgreSqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/db048e65-913c-49f9-bb5f-1084184671d3\",\n \"policyDefinitionReferenceId\": \"Dine-PostgreSql-Adv-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('postgreSqlAdvThreatProtection')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#32": "{\n \"name\": \"Enforce-Guardrails-ServiceBus\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Service Bus\",\n \"description\": \"This policy initiative is a group of policies that ensures Service Bus is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Service Bus\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"serviceBusModifyDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"serviceBusDenyDisabledLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusAuthzRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-Authz-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusAuthzRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ebaf4f25-a4e8-415f-86a8-42d9155bef0b\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfb11c26-f069-4c14-8e36-56c394dae5af\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDenyDisabledLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/910711a6-8aa2-4f15-ae62-1e5b2ed3ef9e\",\n \"policyDefinitionReferenceId\": \"Modify-Sb-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusModifyDisableLocalAuth')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#33": "{\n \"name\": \"Enforce-Guardrails-SQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for SQL and SQL Managed Instance\",\n \"description\": \"This policy initiative is a group of policies that ensures SQL and SQL Managed Instance is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"sqlManagedAadOnly\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlAadOnly\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedDefender\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"modifySqlPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c5a62eb0-c65a-4220-8a4d-f70dd4ca95dd\",\n \"policyDefinitionReferenceId\": \"Dine-Sql-Managed-Defender\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedDefender')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/abda6d70-9778-44e7-84a8-06713e6db027\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Aad-Only\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlAadOnly')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/78215662-041e-49ed-a9dd-5385911b3a1f\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Aad-Only\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedAadOnly')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6\",\n \"policyDefinitionReferenceId\": \"Dine-Sql-Adv-Data\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/28b0b1e5-17ba-4963-a7a4-5a1ab4400a0b\",\n \"policyDefinitionReferenceId\": \"Modify-Sql-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifySqlPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#34": "{\n \"name\": \"Enforce-Guardrails-Storage\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Storage Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Storage is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"storageKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountRestrictNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"storageClassicToArm\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountSharedKey\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCrossTenant\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsAllowedCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"AAD\"\n },\n \"storageServicesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageLocalUser\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageSftp\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsBypass\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAllowedNetworkAclsBypass\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"None\"\n ]\n },\n \"storageResourceAccessRulesTenantId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageResourceAccessRulesResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsVirtualNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageContainerDeleteRetentionPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageMinContainerDeleteRetentionInDays\": {\n \"type\": \"Integer\",\n \"defaultValue\": 7\n },\n \"storageCorsRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyStorageFileSyncPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyStorageAccountPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"storageAccountsModifyDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CopyScope\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCopyScope')]\"\n },\n \"allowedCopyScope\": {\n \"value\": \"[[parameters('storageAccountsAllowedCopyScope')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ServicesEncryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageServicesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-LocalUser\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageLocalUser')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-SFTP\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-SFTP\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageSftp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsBypass')]\"\n },\n \"allowedBypassOptions\": {\n \"value\": \"[[parameters('storageAllowedNetworkAclsBypass')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesTenantId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesTenantId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesResourceId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsVirtualNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageContainerDeleteRetentionPolicy')]\"\n },\n \"minContainerDeleteRetentionInDays\": {\n \"value\": \"[[parameters('storageMinContainerDeleteRetentionInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CorsRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageCorsRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfecdea6-31c4-4045-ad42-71b9dc87247d\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92a89a79-6c52-4a7e-a03f-61306fc49312\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Cross-Tenant\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCrossTenant')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Shared-Key\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountSharedKey')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsInfraEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Classic\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageClassicToArm')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c\",\n \"policyDefinitionReferenceId\": \"Dine-Storage-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Restrict-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountRestrictNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e07b2e9-6cd9-4c40-9ccb-52817b95133b\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-FileSync-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageFileSyncPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b\",\n \"policyDefinitionReferenceId\": \"Modify-Blob-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageAccountPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a06d0189-92e8-4dba-b0c4-08d7669fce7d\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsModifyDisablePublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#35": "{\n \"name\": \"Enforce-Guardrails-Synapse\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Synapse workspaces\",\n \"description\": \"This policy initiative is a group of policies that ensures Synapse workspaces is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Synapse\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"synapseLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseManagedVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseDataTraffic\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTenants\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseAllowedTenantIds\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"[[subscription().tenantId]\"\n ]\n },\n \"synapseFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"synapseModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"synapseDefender\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"synapseModifyTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"synapseModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/951c1558-50a5-4ca3-abb6-a93e3e2367a6\",\n \"policyDefinitionReferenceId\": \"Dine-Synapse-Defender\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseDefender')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c3624673-d2ff-48e0-b28c-5de1c6767c3c\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/56fd377d-098c-4f02-8406-81eb055902b8\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Fw-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3a003702-13d2-4679-941b-937e58c443f0\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tenant-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTenants')]\"\n },\n \"allowedTenantIds\": {\n \"value\": \"[[parameters('synapseAllowedTenantIds')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3484ce98-c0c5-4c83-994b-c5ac24785218\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Data-Traffic\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseDataTraffic')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2d9dbfa3-927b-4cf0-9d0f-08747f971650\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Managed-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseManagedVnet')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2158ddbe-fefa-408e-b43f-d4faef8ff3b8\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8b5c654c-fb07-471b-aa8f-15fea733f140\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5c8cad01-ef30-4891-b230-652dadb4876a\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#36": "{\n \"name\": \"Enforce-Guardrails-VirtualDesktop\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Virtual Desktop\",\n \"description\": \"This policy initiative is a group of policies that ensures Virtual Desktop is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Desktop Virtualization\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"avdWorkspaceModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"avdHostPoolModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ce6ebf1d-0b94-4df9-9257-d8cacc238b4f\",\n \"policyDefinitionReferenceId\": \"Modify-Workspace-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdWorkspaceModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a0913ff-51e7-47b8-97bb-ea17127f7c8d\",\n \"policyDefinitionReferenceId\": \"Modify-Hostpool-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdHostPoolModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#37": "{\n \"name\": \"Deny-PublicPaaSEndpoints\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"5.1.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registries with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"PostgreSQLFlexPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for PostgreSql Flexible Server\",\n \"description\": \"This policy denies creation of PostgreSQL Flexible DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"postgreSqlPublicNetworkAccess\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for PostgreSQL servers\",\n \"description\": \"This policy denies creation of PostgreSQL DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MySQLFlexPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for MySQL Flexible Server\",\n \"description\": \"This policy denies creation of MySql Flexible Server DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MariaDbPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MlPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Machine Learning\",\n \"description\": \"This policy denies creation of Azure Machine Learning with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"RedisCachePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Cache for Redis\",\n \"description\": \"This policy denies creation of Azure Cache for Redis with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BotServicePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Bot Service\",\n \"description\": \"This policy denies creation of Bot Service with exposed public endpoints. Bots should be set to 'isolated only' mode\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AutomationPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Automation accounts\",\n \"description\": \"This policy denies creation of Automation accounts with exposed public endpoints. Bots should be set to 'isolated only' mode\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AppConfigPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for App Configuration\",\n \"description\": \"This policy denies creation of App Configuration with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"FunctionPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Function apps\",\n \"description\": \"This policy denies creation of Function apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"FunctionAppSlotPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Function apps\",\n \"description\": \"This policy denies creation of Function apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AsePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for App Service Environment apps\",\n \"description\": \"This policy denies creation of App Service Environment apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AsPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for App Service apps\",\n \"description\": \"This policy denies creation of App Service apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ApiManPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for API Management services\",\n \"description\": \"This policy denies creation of API Management services with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"AuditIfNotExists\"\n },\n \"ContainerAppsEnvironmentDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Container Apps environment should disable public network access\",\n \"description\": \"This policy denies creation of Container Apps Environment with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AsrVaultDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Azure Recovery Services vaults should disable public network access\",\n \"description\": \"This policy denies creation of Azure Recovery Services vaults with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"logicAppPublicNetworkAccessEffect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"appSlotsPublicNetworkAccess\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"cognitiveSearchPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"managedDiskPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"containerAppsPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultManagedHsmDisablePublicNetwork\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mySqlPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapsePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"avdHostPoolPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"avdWorkspacePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"grafanaPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/405c5871-3e91-4644-8a63-58e19d68ff5b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b2982f36-99f2-4db5-8eff-283140c09693\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLFlexDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLFlexPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Deny-PostgreSql-Public-Network-Access\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b52376f7-9612-48a1-81cd-1ffe4b61032c\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('postgreSqlPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLFlexDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLFlexPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/438c38d2-3772-465a-a9cc-7a6666a275ce\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MlPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/470baccb-7e51-4549-8b1a-3e5be069f663\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisCachePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BotServiceDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e8168db-69e3-4beb-9822-57cb59202a9d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BotServicePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/955a914f-bf86-4f0e-acd5-e0766b0efcb6\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AutomationPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppConfigDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3d9f5e4c-9947-4579-9539-2a7695fbc187\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppConfigPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/969ac98b-88a8-449f-883c-2e9adb123127\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppSlotsDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/11c82d0c-db9f-4d7b-97c5-f3f9aa957da2\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppSlotPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AseDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2d048aca-6479-4923-88f5-e2ac295d9af3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AsePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AsDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b5ef780-c53c-4a64-87f3-bb9c8c8094ba\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AsPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApiManDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/df73bd95-24da-4a4f-96b9-4e8b94b402bd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ApiManPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsEnvironmentDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d074ddf8-01a5-4b5e-a2b8-964aed452c0a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsEnvironmentDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/783ea2a8-b8fd-46be-896a-9ae79643a0b1\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"AsrVaultDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9ebbbba3-4d65-4da9-bb67-b22cfaaff090\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AsrVaultDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Public-Network-Access\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApp-Public-Network\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppPublicNetworkAccessEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/701a595d-38fb-4a66-ae6d-fb3735217622\",\n \"policyDefinitionReferenceId\": \"Deny-AppSlots-Public\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appSlotsPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee980b6d-0eca-4501-8d54-f6290fd512c3\",\n \"policyDefinitionReferenceId\": \"Deny-CognitiveSearch-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8405fdab-1faf-48aa-b702-999c9c172094\",\n \"policyDefinitionReferenceId\": \"Deny-ManagedDisk-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('managedDiskPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43bc7be6-5e69-4b0d-a2bb-e815557ca673\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1cf164be-6819-4a50-b8fa-4bcaa4f98fb6\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8f774be-6aee-492a-9e29-486ef81f3a68\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1adadefe-5f21-44f7-b931-a59b54ccdb45\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Topic-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0602787f-9896-402a-a6e1-39ee63ee435e\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/19ea9d63-adee-4431-a95e-1913c6c1c75f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-PublicNetwork\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmDisablePublicNetwork')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d9844e8a-1437-4aeb-a32c-0c992f056095\",\n \"policyDefinitionReferenceId\": \"Deny-MySql-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cbd11fd3-3002-4907-b6c8-579f0e700e13\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDisablePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9dfea752-dd46-4766-aed1-c355fa93fb91\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Public-Endpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Public-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsPublicAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/38d8df46-cf4e-4073-8e03-48c24b29de0d\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapsePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ac3038-c07a-4b92-860d-29e270a4f3cd\",\n \"policyDefinitionReferenceId\": \"Deny-Workspace-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdWorkspacePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c25dcf31-878f-4eba-98eb-0818fdc6a334\",\n \"policyDefinitionReferenceId\": \"Deny-Hostpool-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdHostPoolPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8775d5a-73b7-4977-a39b-833ef0114628\",\n \"policyDefinitionReferenceId\": \"Deny-Grafana-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('grafanaPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#20": "{\n \"name\": \"Enforce-Guardrails-CosmosDb\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cosmos DB\",\n \"description\": \"This policy initiative is a group of policies that ensures Cosmos DB is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Cosmos DB\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cosmosDbLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbAtp\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc2d41d1-4ab1-4666-a3e1-3d51c43e0049\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b5f04e03-92a3-4b09-9410-2cc5e5047656\",\n \"policyDefinitionReferenceId\": \"Dine-CosmosDb-Atp\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbAtp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Fw-Rules\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5\",\n \"policyDefinitionReferenceId\": \"Append-CosmosDb-Metadata\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da69ba51-aaf1-41e5-8651-607cd0b37088\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyPublicAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#21": "{\n \"name\": \"Enforce-Guardrails-DataExplorer\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Data Explorer\",\n \"description\": \"This policy initiative is a group of policies that ensures Data Explorer is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Azure Data Explorer\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"adxEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxSku\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1fec9658-933f-4b3e-bc95-913ed22d012b\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Sku-without-PL-Support\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxSku')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Double-Encryption\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f4b53539-8df9-40e4-86c6-6b607703bd4e\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Encryption\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7b32f193-cb28-4e15-9a98-b9556db0bafa\",\n \"policyDefinitionReferenceId\": \"Modify-ADX-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#22": "{\n \"name\": \"Enforce-Guardrails-DataFactory\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Data Factory\",\n \"description\": \"This policy initiative is a group of policies that ensures Data Factory is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Data Factory\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"adfSqlIntegration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfLinkedServiceKeyVault\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfGit\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f78ccdb4-7bf4-4106-8647-270491d2978a\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Managed-Identity\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/77d40665-3120-4348-b539-3192ec808307\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Git\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfGit')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/127ef6d7-242f-43b3-9eef-947faf1725d0\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Linked-Service-Key-Vault\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfLinkedServiceKeyVault')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0088bc63-6dee-4a9c-9d29-91cfdc848952\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Sql-Integration\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfSqlIntegration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08b1442b-7789-4130-8506-4f99a97226a7\",\n \"policyDefinitionReferenceId\": \"Modify-Adf-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#23": "{\n \"name\": \"Enforce-Guardrails-EventGrid\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Event Grid\",\n \"description\": \"This policy initiative is a group of policies that ensures Event Grid is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Event Grid\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"eventGridLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridPartnerNamespaceLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridPartnerNamespaceModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridDomainModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridDomainModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2dd0e8b9-4289-4bb0-b813-1883298e9924\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Partner-Namespace-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridPartnerNamespaceModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8ac2748f-3bf1-4c02-a3b6-92ae68cf75b1\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Domain-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridDomainModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae9fb87f-8a17-4428-94a4-8135d431055c\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Topic-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c8144d9-746a-4501-b08c-093c8d29ad04\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Topic-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8632b003-3545-4b29-85e6-b2b96773df1e\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Partner-Namespace-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridPartnerNamespaceLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8bfadddb-ee1c-4639-8911-a38cb8e0b3bd\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/898e9824-104c-4965-8e0e-5197588fa5d4\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Domain-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridDomainModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/36ea4b4b-0f7f-4a54-89fa-ab18f555a172\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Topic-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#24": "{\n \"name\": \"Enforce-Guardrails-EventHub\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Event Hub\",\n \"description\": \"This policy initiative is a group of policies that ensures Event Hub is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Event Hub\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"eventHubAuthRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/836cd60e-87f3-4e6a-a27c-29d687f01a4c\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Double-Encryption\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/57f35901-8389-40bb-ac49-3ba4f86d889d\",\n \"policyDefinitionReferenceId\": \"Modify-EH-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5d4e3c65-4873-47be-94f3-6f8b953a3598\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b278e460-7cfc-4451-8294-cccc40a940d7\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Auth-Rules\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubAuthRules')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#25": "{\n \"name\": \"Enforce-Guardrails-KeyVault-Sup\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce additional recommended guardrails for Key Vault\",\n \"description\": \"This policy initiative is a group of policies that ensures Key Vault is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"keyVaultManagedHsmDisablePublicNetworkModify\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"keyVaultModifyFw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/84d327c3-164a-4685-b453-900478614456\",\n \"policyDefinitionReferenceId\": \"Modify-KV-PublicNetworkAccess\",\n \"definitionVersion\": \"2.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmDisablePublicNetworkModify')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01dc\",\n \"policyDefinitionReferenceId\": \"Modify-KV-Fw\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultModifyFw')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#26": "{\n \"name\": \"Enforce-Guardrails-Kubernetes\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Kubernetes\",\n \"description\": \"This policy initiative is a group of policies that ensures Kubernetes is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Kubernetes\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"aksKms\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"aksCni\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"aksLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPrivateCluster\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"aksCommandInvoke\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"aksReadinessOrLivenessProbes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPrivContainers\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"aksPrivEscalation\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"aksAllowedCapabilities\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"aksTempDisk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksInternalLb\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"aksDefaultNamespace\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"aksNakedPods\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksShareHostProcessAndNamespace\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"aksWindowsContainerAdministrator\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5485eac0-7e8f-4964-998b-a44f4f0c1e75\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Windows-Container-Administrator\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksWindowsContainerAdministrator')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Shared-Host-Process-Namespace\",\n \"definitionVersion\": \"5.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksShareHostProcessAndNamespace')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/65280eef-c8b4-425e-9aec-af55e55bf581\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Naked-Pods\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksNakedPods')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9f061a12-e40d-4183-a00e-171812443373\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Default-Namespace\",\n \"definitionVersion\": \"4.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksDefaultNamespace')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Internal-Lb\",\n \"definitionVersion\": \"8.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksInternalLb')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/41425d9f-d1a5-499a-9932-f8ed8453932c\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Temp-Disk-Encryption\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksTempDisk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Allowed-Capabilities\",\n \"definitionVersion\": \"6.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksAllowedCapabilities')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Priv-Escalation\",\n \"definitionVersion\": \"7.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPrivEscalation')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Priv-Containers\",\n \"definitionVersion\": \"9.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPrivContainers')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b1a9997f-2883-4f12-bdff-2280f99b5915\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-ReadinessOrLiveness-Probes\",\n \"definitionVersion\": \"3.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksReadinessOrLivenessProbes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b708b0a-3380-40e9-8b79-821f9fa224cc\",\n \"policyDefinitionReferenceId\": \"Dine-Aks-Command-Invoke\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksCommandInvoke')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n \"policyDefinitionReferenceId\": \"Dine-Aks-Policy\",\n \"definitionVersion\": \"4.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPolicy')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Private-Cluster\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPrivateCluster')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/993c2fcd-2b29-49d2-9eb0-df2c3a730c32\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dbbdc317-9734-4dd8-9074-993b29c69008\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Kms\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksKms')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/46238e2f-3f6f-4589-9f3f-77bed4116e67\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Cni\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksCni')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#27": "{\n \"name\": \"Enforce-Guardrails-MachineLearning\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Machine Learning\",\n \"description\": \"This policy initiative is a group of policies that ensures Machine Learning is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"mlUserAssignedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"mlLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlOutdatedOS\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"mlModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"mlIdleShutdown\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlVirtualNetwork\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"mlLegacyMode\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlPrivateLink\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"mlResourceLogs\": {\n \"type\": \"string\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"mlAllowedRegistryDeploy\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlAllowedModule\": {\n \"type\": \"string\",\n \"defaultValue\": \"enforceSetting\",\n \"allowedValues\": [\n \"enforceSetting\",\n \"disabled\"\n ]\n },\n \"mlAllowedPython\": {\n \"type\": \"string\",\n \"defaultValue\": \"enforceSetting\",\n \"allowedValues\": [\n \"enforceSetting\",\n \"disabled\"\n ]\n },\n \"mlAllowedRegistries\": {\n \"type\": \"string\",\n \"defaultValue\": \"enforceSetting\",\n \"allowedValues\": [\n \"enforceSetting\",\n \"disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f110a506-2dcb-422e-bcea-d533fc8c35e2\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Outdated-Os\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effects\": {\n \"value\": \"[[parameters('mlOutdatedOS')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Local-Auth\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a6f9a2d0-cff7-4855-83ad-4cd750666512\",\n \"policyDefinitionReferenceId\": \"Modify-ML-Local-Auth\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f0c7d88-c7de-45b8-ac49-db49e72eaa78\",\n \"policyDefinitionReferenceId\": \"Deny-ML-User-Assigned-Identity\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlUserAssignedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a10ee784-7409-4941-b091-663697637c0f\",\n \"policyDefinitionReferenceId\": \"Modify-ML-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/679ddf89-ab8f-48a5-9029-e76054077449\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Idle-Shutdown\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlIdleShutdown')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7804b5c7-01dc-4723-969b-ae300cc07ff1\",\n \"policyDefinitionReferenceId\": \"Audit-ML-Virtual-Network\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlVirtualNetwork')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e413671a-dd10-4cc1-a943-45b598596cb7\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Legacy-Mode\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlLegacyMode')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/45e05259-1eb5-4f70-9574-baf73e9d219b\",\n \"policyDefinitionReferenceId\": \"Audit-ML-Private-Link\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlPrivateLink')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/afe0c3be-ba3b-4544-ba52-0c99672a8ad6\",\n \"policyDefinitionReferenceId\": \"Aine-ML-Resource-Logs\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlResourceLogs')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/19539b54-c61e-4196-9a38-67598701be90\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Allowed-Registry-Deploy\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlAllowedRegistryDeploy')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/53c70b02-63dd-11ea-bc55-0242ac130003\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Allowed-Module\",\n \"definitionVersion\": \"6.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlAllowedModule')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/77eeea86-7e81-4a7d-9067-de844d096752\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Allowed-Python\",\n \"definitionVersion\": \"5.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlAllowedPython')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5853517a-63de-11ea-bc55-0242ac130003\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Allowed-Registries\",\n \"definitionVersion\": \"6.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlAllowedRegistries')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#28": "{\n \"name\": \"Enforce-Guardrails-MySQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for MySQL\",\n \"description\": \"This policy initiative is a group of policies that ensures MySQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"MySQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"mySqlInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mySqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816\",\n \"policyDefinitionReferenceId\": \"Dine-MySql-Adv-Threat-Protection\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlAdvThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3a58212a-c829-4f13-9872-6371df2fd0b4\",\n \"policyDefinitionReferenceId\": \"Deny-MySql-Infra-Encryption\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlInfraEncryption')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#29": "{\n \"name\": \"Enforce-Guardrails-Network\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Network and Networking services\",\n \"description\": \"This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"subnetUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetServiceEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwWaf\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vnetModifyDdos\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Audit\",\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"ddosPlanResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"wafMode\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"wafFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGwRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"denyMgmtFromInternet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"denyMgmtFromInternetPorts\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Ports\",\n \"description\": \"Ports to be blocked\"\n },\n \"defaultValue\": [\n \"22\",\n \"3389\"\n ]\n },\n \"afwEnbaleTlsForAllAppRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableTlsInspection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEmptyIDPSBypassList\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableAllIDPSSignatureRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableIDPS\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafAfdEnabled\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vpnAzureAD\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\"\n },\n \"modifyUdrNextHopIpAddress\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"modifyUdrNextHopType\": {\n \"type\": \"string\",\n \"defaultValue\": \"None\"\n },\n \"modifyUdrAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"0.0.0.0/0\"\n },\n \"modifyNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleName\": {\n \"type\": \"string\",\n \"defaultValue\": \"DenyAnyInternetOutbound\"\n },\n \"modifyNsgRulePriority\": {\n \"type\": \"integer\",\n \"defaultValue\": 1000\n },\n \"modifyNsgRuleDirection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Outbound\"\n },\n \"modifyNsgRuleAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Allow\",\n \"Deny\"\n ]\n },\n \"modifyNsgRuleProtocol\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourceAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourcePortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDestinationAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"Internet\"\n },\n \"modifyNsgRuleDestinationPortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDescription\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny any outbound traffic to the Internet\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010\",\n \"policyDefinitionReferenceId\": \"Deny-Nsg-GW-subnet\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7\",\n \"policyDefinitionReferenceId\": \"Deny-VPN-AzureAD\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vpnAzureAD')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Afd-Enabled\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafAfdEnabled')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6484db87-a62d-4327-9f07-80a2cbdf333a\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-IDPS\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableIDPS')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/610b6183-5f00-4d68-86d2-4ab4cb3a67a5\",\n \"policyDefinitionReferenceId\": \"Deny-FW-AllIDPSS\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableAllIDPSSignatureRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f516dc7a-4543-4d40-aad6-98f76a706b50\",\n \"policyDefinitionReferenceId\": \"Deny-FW-EmpIDPSBypass\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEmptyIDPSBypassList')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/711c24bb-7f18-4578-b192-81a6161e1f17\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-Inspection\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableTlsInspection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-AllApp\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnbaleTlsForAllAppRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-AppGw-mode\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafModeAppGw')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeAppGwRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Fw-rules\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-mode\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafMode')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d\",\n \"policyDefinitionReferenceId\": \"Modify-vNet-DDoS\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vnetModifyDdos')]\"\n },\n \"ddosPlan\": {\n \"value\": \"[[parameters('ddosPlanResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900\",\n \"policyDefinitionReferenceId\": \"Deny-Ip-Forwarding\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114\",\n \"policyDefinitionReferenceId\": \"Deny-vNic-Pip\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Waf\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwWaf')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-Udr\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetUdr')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-NSG\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetNsg')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-with-Service-Endpoints\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetServiceEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet\",\n \"policyDefinitionReferenceId\": \"Deny-Mgmt-From-Internet\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('denyMgmtFromInternet')]\"\n },\n \"ports\": {\n \"value\": \"[[parameters('denyMgmtFromInternetPorts')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Tls\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-UDR\",\n \"policyDefinitionReferenceId\": \"Modify-Udr\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyUdr')]\"\n },\n \"nextHopIpAddress\": {\n \"value\": \"[[parameters('modifyUdrNextHopIpAddress')]\"\n },\n \"nextHopType\": {\n \"value\": \"[[parameters('modifyUdrNextHopType')]\"\n },\n \"addressPrefix\": {\n \"value\": \"[[parameters('modifyUdrAddressPrefix')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-NSG\",\n \"policyDefinitionReferenceId\": \"Modify-Nsg\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyNsg')]\"\n },\n \"nsgRuleName\": {\n \"value\": \"[[parameters('modifyNsgRuleName')]\"\n },\n \"nsgRulePriority\": {\n \"value\": \"[[parameters('modifyNsgRulePriority')]\"\n },\n \"nsgRuleDirection\": {\n \"value\": \"[[parameters('modifyNsgRuleDirection')]\"\n },\n \"nsgRuleAccess\": {\n \"value\": \"[[parameters('modifyNsgRuleAccess')]\"\n },\n \"nsgRuleProtocol\": {\n \"value\": \"[[parameters('modifyNsgRuleProtocol')]\"\n },\n \"nsgRuleSourceAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleSourceAddressPrefix')]\"\n },\n \"nsgRuleSourcePortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleSourcePortRange')]\"\n },\n \"nsgRuleDestinationAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationAddressPrefix')]\"\n },\n \"nsgRuleDestinationPortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationPortRange')]\"\n },\n \"nsgRuleDescription\": {\n \"value\": \"[[parameters('modifyNsgRuleDescription')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#3": "{\n \"name\": \"Deploy-Sql-Security_20240529\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy SQL Database built-in SQL security configuration\",\n \"description\": \"Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Deploy-Sql-Security\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"vulnerabilityAssessmentsEmail\": {\n \"metadata\": {\n \"description\": \"The email address to send alerts\",\n \"displayName\": \"The email address to send alerts\"\n },\n \"type\": \"Array\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"metadata\": {\n \"description\": \"The storage account ID to store assessments\",\n \"displayName\": \"The storage account ID to store assessments\"\n },\n \"type\": \"String\"\n },\n \"SqlDbTdeDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database Transparent Data Encryption \",\n \"description\": \"Deploy the Transparent Data Encryption when it is not enabled in the deployment\"\n }\n },\n \"SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database security Alert Policies configuration with email admin accounts\",\n \"description\": \"Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration\"\n }\n },\n \"SqlDbAuditingSettingsDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL database auditing settings\",\n \"description\": \"Deploy auditing settings to SQL Database when it not exist in the deployment\"\n }\n },\n \"SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database vulnerability Assessments\",\n \"description\": \"Deploy SQL Database vulnerability Assessments when it not exist in the deployment. To the specific storage account in the parameters\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"SqlDbTdeDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbTdeDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbSecurityAlertPoliciesDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbAuditingSettingsDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbAuditingSettingsDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbVulnerabilityAssessmentsDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments_20230706\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect')]\"\n },\n \"vulnerabilityAssessmentsEmail\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsStorageID')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#30": "{\n \"name\": \"Enforce-Guardrails-OpenAI\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Open AI (Cognitive Service)\",\n \"description\": \"This policy initiative is a group of policies that ensures Open AI (Cognitive Service) is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Cognitive Services\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cognitiveServicesOutboundNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesNetworkAcls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesModifyDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesCustomerStorage\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"azureAiNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"azureAiPrivateLink\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"azureAiDisableLocalKey\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"azureAiDisableLocalKey2\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"azureAiDiagSettings\": {\n \"type\": \"string\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-RestrictOutboundNetworkAccess\",\n \"policyDefinitionReferenceId\": \"Deny-OpenAi-OutboundNetworkAccess\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesOutboundNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-NetworkAcls\",\n \"policyDefinitionReferenceId\": \"Deny-OpenAi-NetworkAcls\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesNetworkAcls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Managed-Identity\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/71ef260a-8f18-47b7-abcb-62d0673d94dc\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesDisableLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/46aa9b05-0e60-4eae-a88b-1e9d374fa515\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Cust-Storage\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesCustomerStorage')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555\",\n \"policyDefinitionReferenceId\": \"Modify-Cognitive-Services-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesModifyDisableLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3\",\n \"policyDefinitionReferenceId\": \"Deny-AzureAI-Network-Access\",\n \"definitionVersion\": \"3.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('azureAiNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6759c02-b87f-42b7-892e-71b3f471d782\",\n \"policyDefinitionReferenceId\": \"Audit-AzureAI-Private-Link\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('azureAiPrivateLink')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d45520cb-31ca-44ba-8da2-fcf914608544\",\n \"policyDefinitionReferenceId\": \"Dine-AzureAI-Local-Key\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('azureAiDisableLocalKey')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55eff01b-f2bd-4c32-9203-db285f709d30\",\n \"policyDefinitionReferenceId\": \"Dine-AzureAI-Local-Key2\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('azureAiDisableLocalKey2')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b4d1c4e-934c-4703-944c-27c82c06bebb\",\n \"policyDefinitionReferenceId\": \"Aine-AzureAI-Diag-Settings\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('azureAiDiagSettings')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#31": "{\n \"name\": \"Enforce-Guardrails-PostgreSQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for PostgreSQL\",\n \"description\": \"This policy initiative is a group of policies that ensures PostgreSQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"PostgreSQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"postgreSqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/db048e65-913c-49f9-bb5f-1084184671d3\",\n \"policyDefinitionReferenceId\": \"Dine-PostgreSql-Adv-Threat-Protection\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('postgreSqlAdvThreatProtection')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#32": "{\n \"name\": \"Enforce-Guardrails-ServiceBus\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Service Bus\",\n \"description\": \"This policy initiative is a group of policies that ensures Service Bus is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Service Bus\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"serviceBusModifyDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"serviceBusDenyDisabledLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusAuthzRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-Authz-Rules\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusAuthzRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ebaf4f25-a4e8-415f-86a8-42d9155bef0b\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-Encryption\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfb11c26-f069-4c14-8e36-56c394dae5af\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-LocalAuth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDenyDisabledLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/910711a6-8aa2-4f15-ae62-1e5b2ed3ef9e\",\n \"policyDefinitionReferenceId\": \"Modify-Sb-LocalAuth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusModifyDisableLocalAuth')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#33": "{\n \"name\": \"Enforce-Guardrails-SQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for SQL and SQL Managed Instance\",\n \"description\": \"This policy initiative is a group of policies that ensures SQL and SQL Managed Instance is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"sqlManagedAadOnly\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlAadOnly\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedDefender\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"modifySqlPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c5a62eb0-c65a-4220-8a4d-f70dd4ca95dd\",\n \"policyDefinitionReferenceId\": \"Dine-Sql-Managed-Defender\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedDefender')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/abda6d70-9778-44e7-84a8-06713e6db027\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Aad-Only\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlAadOnly')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/78215662-041e-49ed-a9dd-5385911b3a1f\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Aad-Only\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedAadOnly')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6\",\n \"policyDefinitionReferenceId\": \"Dine-Sql-Adv-Data\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/28b0b1e5-17ba-4963-a7a4-5a1ab4400a0b\",\n \"policyDefinitionReferenceId\": \"Modify-Sql-PublicNetworkAccess\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifySqlPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#34": "{\n \"name\": \"Enforce-Guardrails-Storage\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Storage Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Storage is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"storageKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountRestrictNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"storageClassicToArm\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountSharedKey\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCrossTenant\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsAllowedCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"AAD\"\n },\n \"storageServicesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageLocalUser\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageSftp\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsBypass\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAllowedNetworkAclsBypass\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"None\"\n ]\n },\n \"storageResourceAccessRulesTenantId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageResourceAccessRulesResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsVirtualNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageContainerDeleteRetentionPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageMinContainerDeleteRetentionInDays\": {\n \"type\": \"Integer\",\n \"defaultValue\": 7\n },\n \"storageCorsRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyStorageFileSyncPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyStorageAccountPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"storageAccountsModifyDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CopyScope\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCopyScope')]\"\n },\n \"allowedCopyScope\": {\n \"value\": \"[[parameters('storageAccountsAllowedCopyScope')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ServicesEncryption\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageServicesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-LocalUser\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageLocalUser')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-SFTP\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-SFTP\",\n\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageSftp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsBypass\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsBypass')]\"\n },\n \"allowedBypassOptions\": {\n \"value\": \"[[parameters('storageAllowedNetworkAclsBypass')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesTenantId\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesTenantId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesResourceId\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsVirtualNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageContainerDeleteRetentionPolicy')]\"\n },\n \"minContainerDeleteRetentionInDays\": {\n \"value\": \"[[parameters('storageMinContainerDeleteRetentionInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CorsRules\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageCorsRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfecdea6-31c4-4045-ad42-71b9dc87247d\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Encryption\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92a89a79-6c52-4a7e-a03f-61306fc49312\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Cross-Tenant\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCrossTenant')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Shared-Key\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountSharedKey')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Infra-Encryption\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsInfraEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Classic\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageClassicToArm')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c\",\n \"policyDefinitionReferenceId\": \"Dine-Storage-Threat-Protection\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Restrict-NetworkRules\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountRestrictNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkRules\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Keys-Expire\",\n \"definitionVersion\": \"3.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e07b2e9-6cd9-4c40-9ccb-52817b95133b\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-FileSync-PublicEndpoint\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageFileSyncPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b\",\n \"policyDefinitionReferenceId\": \"Modify-Blob-Storage-Account-PublicEndpoint\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageAccountPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a06d0189-92e8-4dba-b0c4-08d7669fce7d\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-Account-PublicEndpoint\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsModifyDisablePublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#35": "{\n \"name\": \"Enforce-Guardrails-Synapse\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Synapse workspaces\",\n \"description\": \"This policy initiative is a group of policies that ensures Synapse workspaces is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Synapse\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"synapseLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseManagedVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseDataTraffic\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTenants\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseAllowedTenantIds\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"[[subscription().tenantId]\"\n ]\n },\n \"synapseFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"synapseModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"synapseDefender\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"synapseModifyTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"synapseModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/951c1558-50a5-4ca3-abb6-a93e3e2367a6\",\n \"policyDefinitionReferenceId\": \"Dine-Synapse-Defender\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseDefender')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c3624673-d2ff-48e0-b28c-5de1c6767c3c\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/56fd377d-098c-4f02-8406-81eb055902b8\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Fw-Rules\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3a003702-13d2-4679-941b-937e58c443f0\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tenant-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTenants')]\"\n },\n \"allowedTenantIds\": {\n \"value\": \"[[parameters('synapseAllowedTenantIds')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3484ce98-c0c5-4c83-994b-c5ac24785218\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Data-Traffic\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseDataTraffic')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2d9dbfa3-927b-4cf0-9d0f-08747f971650\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Managed-Vnet\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseManagedVnet')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2158ddbe-fefa-408e-b43f-d4faef8ff3b8\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8b5c654c-fb07-471b-aa8f-15fea733f140\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Tls-Version\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5c8cad01-ef30-4891-b230-652dadb4876a\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#36": "{\n \"name\": \"Enforce-Guardrails-VirtualDesktop\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Virtual Desktop\",\n \"description\": \"This policy initiative is a group of policies that ensures Virtual Desktop is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Desktop Virtualization\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"avdWorkspaceModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"avdHostPoolModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ce6ebf1d-0b94-4df9-9257-d8cacc238b4f\",\n \"policyDefinitionReferenceId\": \"Modify-Workspace-PublicNetworkAccess\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdWorkspaceModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a0913ff-51e7-47b8-97bb-ea17127f7c8d\",\n \"policyDefinitionReferenceId\": \"Modify-Hostpool-PublicNetworkAccess\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdHostPoolModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#37": "{\n \"name\": \"Deny-PublicPaaSEndpoints\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"5.2.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registries with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"PostgreSQLFlexPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for PostgreSql Flexible Server\",\n \"description\": \"This policy denies creation of PostgreSQL Flexible DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"postgreSqlPublicNetworkAccess\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for PostgreSQL servers\",\n \"description\": \"This policy denies creation of PostgreSQL DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MySQLFlexPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for MySQL Flexible Server\",\n \"description\": \"This policy denies creation of MySql Flexible Server DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MariaDbPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MlPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Machine Learning\",\n \"description\": \"This policy denies creation of Azure Machine Learning with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"RedisCachePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Cache for Redis\",\n \"description\": \"This policy denies creation of Azure Cache for Redis with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BotServicePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Bot Service\",\n \"description\": \"This policy denies creation of Bot Service with exposed public endpoints. Bots should be set to 'isolated only' mode\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AutomationPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Automation accounts\",\n \"description\": \"This policy denies creation of Automation accounts with exposed public endpoints. Bots should be set to 'isolated only' mode\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AppConfigPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for App Configuration\",\n \"description\": \"This policy denies creation of App Configuration with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"FunctionPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Function apps\",\n \"description\": \"This policy denies creation of Function apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"FunctionAppSlotPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Function apps\",\n \"description\": \"This policy denies creation of Function apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AsePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for App Service Environment apps\",\n \"description\": \"This policy denies creation of App Service Environment apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AsPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for App Service apps\",\n \"description\": \"This policy denies creation of App Service apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ApiManPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for API Management services\",\n \"description\": \"This policy denies creation of API Management services with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"AuditIfNotExists\"\n },\n \"ContainerAppsEnvironmentDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Container Apps environment should disable public network access\",\n \"description\": \"This policy denies creation of Container Apps Environment with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AsrVaultDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Azure Recovery Services vaults should disable public network access\",\n \"description\": \"This policy denies creation of Azure Recovery Services vaults with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"logicAppPublicNetworkAccessEffect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"appSlotsPublicNetworkAccess\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"cognitiveSearchPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"managedDiskPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"containerAppsPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultManagedHsmDisablePublicNetwork\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mySqlPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapsePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"avdHostPoolPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"avdWorkspacePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"grafanaPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/405c5871-3e91-4644-8a63-58e19d68ff5b\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b2982f36-99f2-4db5-8eff-283140c09693\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLFlexDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48\",\n \"definitionVersion\": \"3.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLFlexPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Deny-PostgreSql-Public-Network-Access\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b52376f7-9612-48a1-81cd-1ffe4b61032c\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('postgreSqlPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLFlexDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLFlexPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/438c38d2-3772-465a-a9cc-7a6666a275ce\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MlPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/470baccb-7e51-4549-8b1a-3e5be069f663\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisCachePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BotServiceDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e8168db-69e3-4beb-9822-57cb59202a9d\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BotServicePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/955a914f-bf86-4f0e-acd5-e0766b0efcb6\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AutomationPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppConfigDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3d9f5e4c-9947-4579-9539-2a7695fbc187\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppConfigPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/969ac98b-88a8-449f-883c-2e9adb123127\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppSlotsDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/11c82d0c-db9f-4d7b-97c5-f3f9aa957da2\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppSlotPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AseDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2d048aca-6479-4923-88f5-e2ac295d9af3\",\n \"definitionVersion\": \"3.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AsePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AsDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b5ef780-c53c-4a64-87f3-bb9c8c8094ba\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AsPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApiManDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/df73bd95-24da-4a4f-96b9-4e8b94b402bd\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ApiManPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsEnvironmentDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d074ddf8-01a5-4b5e-a2b8-964aed452c0a\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsEnvironmentDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/783ea2a8-b8fd-46be-896a-9ae79643a0b1\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"AsrVaultDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9ebbbba3-4d65-4da9-bb67-b22cfaaff090\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AsrVaultDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Public-Network-Access\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApp-Public-Network\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppPublicNetworkAccessEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/701a595d-38fb-4a66-ae6d-fb3735217622\",\n \"policyDefinitionReferenceId\": \"Deny-AppSlots-Public\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appSlotsPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee980b6d-0eca-4501-8d54-f6290fd512c3\",\n \"policyDefinitionReferenceId\": \"Deny-CognitiveSearch-PublicEndpoint\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8405fdab-1faf-48aa-b702-999c9c172094\",\n \"policyDefinitionReferenceId\": \"Deny-ManagedDisk-Public-Network-Access\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('managedDiskPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43bc7be6-5e69-4b0d-a2bb-e815557ca673\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1cf164be-6819-4a50-b8fa-4bcaa4f98fb6\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8f774be-6aee-492a-9e29-486ef81f3a68\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1adadefe-5f21-44f7-b931-a59b54ccdb45\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Topic-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0602787f-9896-402a-a6e1-39ee63ee435e\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/19ea9d63-adee-4431-a95e-1913c6c1c75f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-PublicNetwork\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmDisablePublicNetwork')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d9844e8a-1437-4aeb-a32c-0c992f056095\",\n \"policyDefinitionReferenceId\": \"Deny-MySql-Public-Network-Access\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Public-Network-Access\",\n \"definitionVersion\": \"3.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Network-Access\",\n \"definitionVersion\": \"3.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cbd11fd3-3002-4907-b6c8-579f0e700e13\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-PublicEndpoint\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDisablePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9dfea752-dd46-4766-aed1-c355fa93fb91\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Public-Endpoint\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Public-Access\",\n \"definitionVersion\": \"3.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsPublicAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/38d8df46-cf4e-4073-8e03-48c24b29de0d\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapsePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ac3038-c07a-4b92-860d-29e270a4f3cd\",\n \"policyDefinitionReferenceId\": \"Deny-Workspace-PublicNetworkAccess\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdWorkspacePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c25dcf31-878f-4eba-98eb-0818fdc6a334\",\n \"policyDefinitionReferenceId\": \"Deny-Hostpool-PublicNetworkAccess\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdHostPoolPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8775d5a-73b7-4977-a39b-833ef0114628\",\n \"policyDefinitionReferenceId\": \"Deny-Grafana-PublicNetworkAccess\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('grafanaPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#38": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. This policy set is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"2.2.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsDestinationType\": {\n \"type\": \"String\",\n \"defaultValue\": \"AzureDiagnostics\",\n \"allowedValues\": [\n \"AzureDiagnostics\",\n \"Dedicated\"\n ],\n \"metadata\": {\n \"displayName\": \"Destination table for the Diagnostic Setting for API Management to Log Analytics workspace\",\n \"description\": \"Destination table for the diagnostic setting for API Management to Log Analytics workspace, allowed values are 'Dedicated' (for resource-specific) and 'AzureDiagnostics'. Default value is 'AzureDiagnostics'\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsDestinationType\": {\n \"type\": \"String\",\n \"defaultValue\": \"AzureDiagnostics\",\n \"allowedValues\": [\n \"AzureDiagnostics\",\n \"Dedicated\"\n ],\n \"metadata\": {\n \"displayName\": \"Destination table for the Diagnostic Setting for Firewall to Log Analytics workspace\",\n \"description\": \"Destination table for the diagnostic setting for Firewall to Log Analytics workspace, allowed values are 'Dedicated' (for resource-specific) and 'AzureDiagnostics'. Default value is 'AzureDiagnostics'\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Log Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Log Analytics to stream to a Log Analytics workspace when any Log Analytics workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category Audit enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AVDScalingPlansLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VWanS2SVPNGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59759c62-9a22-4cdf-ae64-074495983fef\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountBlobServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4fe1a3b-0715-4c6c-a5ea-ffc33cf823cb\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountFileServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/25a70cc8-2bd4-47f1-90b6-1478e4662c96\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountQueueServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7bd000e3-37c7-4928-9f31-86c4b77c5c45\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountTableServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2fb86bf3-d221-43d1-96d1-2434af34eaa0\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AVDScalingPlansDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AVDScalingPlans\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AVDScalingPlansLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"logAnalyticsDestinationType\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsDestinationType')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"logAnalyticsDestinationType\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsDestinationType')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#39": "{\n \"name\": \"Deploy-MDFC-Config\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config_20240319.html\",\n \"metadata\": {\n \"version\": \"7.0.0-deprecated\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"Deploy-MDFC-Config_20240319\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForCosmosDbs\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSqlOnVm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForDns\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForArm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForOssDb\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForAppServices\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForKeyVault\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForStorage\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServersVulnerabilityAssessments\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"vulnerabilityAssessmentProvider\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"default\",\n \"mdeTvm\"\n ],\n \"defaultValue\": \"default\",\n \"metadata\": {\n \"displayName\": \"Vulnerability assessment provider type\",\n \"description\": \"Select the vulnerability assessment solution to provision to machines.\"\n }\n },\n \"enableAscForApis\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForCspm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForOssDb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForOssDb')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVMVulnerabilityAssessment\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServersVulnerabilityAssessments')]\"\n },\n \"vaType\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentProvider')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlServerVirtualMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSqlOnVm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForAppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForAppServices')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForStorageAccountsV2\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForStorage')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n },\n \"logAnalyticsWorkspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azurePolicyForKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForKeyVaults\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForKeyVault')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForDns\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForDns')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForArm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForArm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCosmosDbs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCosmosDbs')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForApis\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e54d2be9-5f2e-4d65-98e4-4f0e670b23d6\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForApis')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCspm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCspm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\": {\n \"value\": \"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"migrateToMdeTvm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/766e621d-ba95-4e43-a6f2-e945db3d7888\",\n \"parameters\": {\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#4": "{\n \"name\": \"Enforce-EncryptTransit\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit_20240509.html\",\n \"metadata\": {\n \"version\": \"2.1.0-deprecated\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"Enforce-EncryptTransit_20240509\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageminimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"StorageHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"ContainerAppsHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n }", - "$fxv#40": "{\n \"name\": \"Deploy-MDFC-Config_20240319\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"2.1.0\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Deploy-MDFC-Config\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"createResourceGroup\":{\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"Create resource group\",\n \"description\": \"If a resource group does not exists in the scope, a new resource group will be created. If the resource group exists and this flag is set to 'true' the policy will re-deploy the resource group. Please note this will reset any Azure Tag on the resource group.\"\n },\n \"defaultValue\": true,\n \"allowedValues\": [\n true,\n false\n ]\n },\n \"enableAscForCosmosDbs\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSqlOnVm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForArm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForOssDb\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForAppServices\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForKeyVault\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForStorage\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServersVulnerabilityAssessments\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"vulnerabilityAssessmentProvider\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"default\",\n \"mdeTvm\"\n ],\n \"defaultValue\": \"mdeTvm\",\n \"metadata\": {\n \"displayName\": \"Vulnerability assessment provider type\",\n \"description\": \"Select the vulnerability assessment solution to provision to machines.\"\n }\n },\n \"enableAscForCspm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForOssDb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForOssDb')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVMVulnerabilityAssessment\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServersVulnerabilityAssessments')]\"\n },\n \"vaType\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentProvider')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlServerVirtualMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSqlOnVm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForAppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForAppServices')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForStorageAccountsV2\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForStorage')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n },\n \"logAnalyticsWorkspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azurePolicyForKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForKeyVaults\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForKeyVault')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForArm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForArm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCosmosDbs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCosmosDbs')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCspm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/72f8cee7-2937-403d-84a1-a4e3e57f3c21\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCspm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\": {\n \"value\": \"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"createResourceGroup\": {\n \"value\": \"[[parameters('createResourceGroup')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"migrateToMdeTvm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/766e621d-ba95-4e43-a6f2-e945db3d7888\",\n \"parameters\": {\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#41": "{\n \"name\": \"Deploy-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"2.3.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"dnsZoneSubscriptionId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"Subscription Id\",\n \"description\": \"The subscription id where the private DNS zones are deployed. If this is specified, it will override any individual private DNS zone resource ids specified.\"\n }\n },\n \"dnsZoneResourceGroupName\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"Resource Group Name\",\n \"description\": \"The resource group where the private DNS zones are deployed. If this is specified, it will override any individual private DNS zone resource ids specified.\"\n }\n },\n \"dnsZoneResourceType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Microsoft.Network/privateDnsZones\",\n \"metadata\": {\n \"displayName\": \"Resource Type\",\n \"description\": \"The resource type where the private DNS zones are deployed. If this is specified, it will override any individual private DNS zone resource ids specified.\"\n }\n },\n \"dnsZoneRegion\": {\n \"type\": \"string\",\n \"defaultValue\": \"changeme\",\n \"metadata\": {\n \"displayName\": \"Region\",\n \"description\": \"The region where the private DNS zones are deployed. If this is specified, it will override any individual private DNS zone resource ids specified.\"\n }\n },\n \"dnzZoneRegionShortNames\": {\n \"type\": \"object\",\n \"defaultValue\": {\n \"changeme\": \"changeme\",\n \"australiacentral\" : \"acl\",\n \"australiacentral2\" : \"acl2\",\n \"australiaeast\" : \"ae\",\n \"australiasoutheast\" : \"ase\",\n \"brazilsoutheast\" : \"bse\",\n \"brazilsouth\" : \"brs\",\n \"canadacentral\" : \"cnc\",\n \"canadaeast\" : \"cne\",\n \"centralindia\" : \"inc\",\n \"centralus\" : \"cus\",\n \"centraluseuap\" : \"ccy\",\n \"chilecentral\" : \"clc\",\n \"eastasia\" : \"ea\",\n \"eastus\" : \"eus\",\n \"eastus2\" : \"eus2\",\n \"eastus2euap\" : \"ecy\",\n \"francecentral\" : \"frc\",\n \"francesouth\" : \"frs\",\n \"germanynorth\" : \"gn\",\n \"germanywestcentral\" : \"gwc\",\n \"israelcentral\" : \"ilc\",\n \"italynorth\" : \"itn\",\n \"japaneast\" : \"jpe\",\n \"japanwest\" : \"jpw\",\n \"koreacentral\" : \"krc\",\n \"koreasouth\" : \"krs\",\n \"malaysiasouth\" : \"mys\",\n \"malaysiawest\" : \"myw\",\n \"mexicocentral\" : \"mxc\",\n \"newzealandnorth\" : \"nzn\",\n \"northcentralus\" : \"ncus\",\n \"northeurope\" : \"ne\",\n \"norwayeast\" : \"nwe\",\n \"norwaywest\" : \"nww\",\n \"polandcentral\" : \"plc\",\n \"qatarcentral\" : \"qac\",\n \"southafricanorth\" : \"san\",\n \"southafricawest\" : \"saw\",\n \"southcentralus\" : \"scus\",\n \"southeastasia\" : \"sea\",\n \"southindia\" : \"ins\",\n \"spaincentral\" : \"spc\",\n \"swedencentral\" : \"sdc\",\n \"swedensouth\" : \"sds\",\n \"switzerlandnorth\" : \"szn\",\n \"switzerlandwest\" : \"szw\",\n \"taiwannorth\" : \"twn\",\n \"uaecentral\" : \"uac\",\n \"uaenorth\" : \"uan\",\n \"uksouth\" : \"uks\",\n \"ukwest\" : \"ukw\",\n \"westcentralus\" : \"wcus\",\n \"westeurope\" : \"we\",\n \"westindia\" : \"inw\",\n \"westus\" : \"wus\",\n \"westus2\" : \"wus2\",\n \"westus3\" : \"wus3\"\n },\n \"metadata\": {\n \"displayName\": \"Region Short Name Mapping\",\n \"description\": \"Mapping of region to private DNS zone resource id. If the region is not specified, the default private DNS zone resource id will be used.\"\n }\n },\n \"dnsZoneNames\": {\n \"type\": \"object\",\n \"defaultValue\": {\n \"azureAcrPrivateDnsZoneId\": \"privatelink.azurecr.io\",\n \"azureAcrDataPrivateDnsZoneId\": \"{regionName}.data.privatelink.azurecr.io\",\n \"azureAppPrivateDnsZoneId\": \"privatelink.azconfig.io\",\n \"azureAppServicesPrivateDnsZoneId\": \"privatelink.azurewebsites.net\",\n \"azureArcGuestconfigurationPrivateDnsZoneId\": \"privatelink.guestconfiguration.azure.com\",\n \"azureArcHybridResourceProviderPrivateDnsZoneId\": \"privatelink.his.arc.azure.com\",\n \"azureArcKubernetesConfigurationPrivateDnsZoneId\": \"privatelink.dp.kubernetesconfiguration.azure.com\",\n \"azureAsrPrivateDnsZoneId\": \"privatelink.siterecovery.windowsazure.com\",\n \"azureAutomationDSCHybridPrivateDnsZoneId\": \"privatelink.azure-automation.net\",\n \"azureAutomationWebhookPrivateDnsZoneId\": \"privatelink.azure-automation.net\",\n \"azureBatchPrivateDnsZoneId\": \"privatelink.batch.azure.com\",\n \"azureBotServicePrivateDnsZoneId\": \"privatelink.directline.botframework.com\",\n \"azureCognitiveSearchPrivateDnsZoneId\": \"privatelink.search.windows.net\",\n \"azureCognitiveServicesPrivateDnsZoneId\": \"privatelink.cognitiveservices.azure.com\",\n \"azureCosmosCassandraPrivateDnsZoneId\": \"privatelink.cassandra.cosmos.azure.com\",\n \"azureCosmosGremlinPrivateDnsZoneId\": \"privatelink.gremlin.cosmos.azure.com\",\n \"azureCosmosMongoPrivateDnsZoneId\": \"privatelink.mongo.cosmos.azure.com\",\n \"azureCosmosSQLPrivateDnsZoneId\": \"privatelink.documents.azure.com\",\n \"azureCosmosTablePrivateDnsZoneId\": \"privatelink.table.cosmos.azure.com\",\n \"azureDataExplorerPrivateDnsZoneId\": \"privatelink.{regionName}.kusto.windows.net\",\n \"azureDataFactoryPortalPrivateDnsZoneId\": \"privatelink.adf.azure.com\",\n \"azureDataFactoryPrivateDnsZoneId\": \"privatelink.datafactory.azure.net\",\n \"azureDatabricksPrivateDnsZoneId\": \"privatelink.azuredatabricks.net\",\n \"azureDiskAccessPrivateDnsZoneId\": \"privatelink.blob.core.windows.net\",\n \"azureEventGridDomainsPrivateDnsZoneId\": \"privatelink.eventgrid.azure.net\",\n \"azureEventGridTopicsPrivateDnsZoneId\": \"privatelink.eventgrid.azure.net\",\n \"azureEventHubNamespacePrivateDnsZoneId\": \"privatelink.servicebus.windows.net\",\n \"azureFilePrivateDnsZoneId\": \"privatelink.afs.azure.net\",\n \"azureHDInsightPrivateDnsZoneId\": \"privatelink.azurehdinsight.net\",\n \"azureIotCentralPrivateDnsZoneId\": \"privatelink.azureiotcentral.com\",\n \"azureIotDeviceupdatePrivateDnsZoneId\": \"privatelink.azure-devices.net\",\n \"azureIotHubsPrivateDnsZoneId\": \"privatelink.azure-devices.net\",\n \"azureIotPrivateDnsZoneId\": \"privatelink.azure-devices-provisioning.net\",\n \"azureKeyVaultPrivateDnsZoneId\": \"privatelink.vaultcore.azure.net\",\n \"azureKubernetesManagementPrivateDnsZoneId\": \"privatelink.{regionName}.azmk8s.io\",\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": \"privatelink.api.azureml.ms\",\n \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\": \"privatelink.notebooks.azure.net\",\n \"azureManagedGrafanaWorkspacePrivateDnsZoneId\": \"privatelink.grafana.azure.com\",\n \"azureMediaServicesKeyPrivateDnsZoneId\": \"privatelink.media.azure.net\",\n \"azureMediaServicesLivePrivateDnsZoneId\": \"privatelink.media.azure.net\",\n \"azureMediaServicesStreamPrivateDnsZoneId\": \"privatelink.media.azure.net\",\n \"azureMigratePrivateDnsZoneId\": \"privatelink.prod.migration.windowsazure.com\",\n \"azureMonitorPrivateDnsZoneId1\": \"privatelink.monitor.azure.com\",\n \"azureMonitorPrivateDnsZoneId2\": \"privatelink.oms.opinsights.azure.com\",\n \"azureMonitorPrivateDnsZoneId3\": \"privatelink.ods.opinsights.azure.com\",\n \"azureMonitorPrivateDnsZoneId4\": \"privatelink.agentsvc.azure-automation.net\",\n \"azureMonitorPrivateDnsZoneId5\": \"privatelink.blob.core.windows.net\",\n \"azureRedisCachePrivateDnsZoneId\": \"privatelink.redis.cache.windows.net\",\n \"azureServiceBusNamespacePrivateDnsZoneId\": \"privatelink.servicebus.windows.net\",\n \"azureSignalRPrivateDnsZoneId\": \"privatelink.service.signalr.net\",\n \"azureSiteRecoveryBackupPrivateDnsZoneId\": \"privatelink.{regionCode}.backup.windowsazure.com\",\n \"azureSiteRecoveryBlobPrivateDnsZoneId\": \"privatelink.blob.core.windows.net\",\n \"azureSiteRecoveryQueuePrivateDnsZoneId\": \"privatelink.queue.core.windows.net\",\n \"azureStorageBlobPrivateDnsZoneId\": \"privatelink.blob.core.windows.net\",\n \"azureStorageBlobSecPrivateDnsZoneId\": \"privatelink.blob.core.windows.net\",\n \"azureStorageDFSPrivateDnsZoneId\": \"privatelink.dfs.core.windows.net\",\n \"azureStorageDFSSecPrivateDnsZoneId\": \"privatelink.dfs.core.windows.net\",\n \"azureStorageFilePrivateDnsZoneId\": \"privatelink.file.core.windows.net\",\n \"azureStorageQueuePrivateDnsZoneId\": \"privatelink.queue.core.windows.net\",\n \"azureStorageQueueSecPrivateDnsZoneId\": \"privatelink.queue.core.windows.net\",\n \"azureStorageStaticWebPrivateDnsZoneId\": \"privatelink.web.core.windows.net\",\n \"azureStorageStaticWebSecPrivateDnsZoneId\": \"privatelink.web.core.windows.net\",\n \"azureStorageTablePrivateDnsZoneId\": \"privatelink.table.core.windows.net\",\n \"azureStorageTableSecondaryPrivateDnsZoneId\": \"privatelink.table.core.windows.net\",\n \"azureSynapseDevPrivateDnsZoneId\": \"privatelink.dev.azuresynapse.net\",\n \"azureSynapseSQLPrivateDnsZoneId\": \"privatelink.sql.azuresynapse.net\",\n \"azureSynapseSQLODPrivateDnsZoneId\": \"privatelink.sql.azuresynapse.net\",\n \"azureVirtualDesktopHostpoolPrivateDnsZoneId\": \"privatelink.wvd.microsoft.com\",\n \"azureVirtualDesktopWorkspacePrivateDnsZoneId\": \"privatelink.wvd.microsoft.com\",\n \"azureWebPrivateDnsZoneId\": \"privatelink.webpubsub.azure.com\"\n },\n \"metadata\": {\n \"displayName\": \"DNS Zone Names\",\n \"description\": \"The list of private DNS zone names to be used for the Azure PaaS services.\"\n }\n },\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationWebhookPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationWebhookPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationDSCHybridPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationDSCHybridPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosMongoPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosMongoPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosCassandraPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosCassandraPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosGremlinPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosGremlinPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPortalPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPortalPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDatabricksPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDatabricksPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureHDInsightPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureHDInsightPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMigratePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMigratePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageBlobPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageBlobPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageBlobSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageBlobSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageQueuePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageQueuePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageQueueSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageQueueSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageStaticWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageStaticWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageStaticWebSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageStaticWebSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageDFSPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageDFSPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageDFSSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageDFSSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLODPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLODPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseDevPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseDevPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesKeyPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesKeyPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesLivePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesLivePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesStreamPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesStreamPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId1\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId1\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId2\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId2\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId3\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId3\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId4\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId4\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId5\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId5\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBotServicePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBotServicePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureManagedGrafanaWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureManagedGrafanaWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopHostpoolPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopHostpoolPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotDeviceupdatePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotDeviceupdatePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureArcGuestconfigurationPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureArcGuestconfigurationPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureArcHybridResourceProviderPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureArcHybridResourceProviderPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureArcKubernetesConfigurationPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureArcKubernetesConfigurationPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotCentralPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotCentralPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTableSecondaryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTableSecondaryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBackupPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBackupPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBlobPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBlobPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryQueuePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryQueuePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureFilePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureFilePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-Webhook\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAutomationWebhookPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAutomationWebhookPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Webhook\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-DSCHybrid\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAutomationDSCHybridPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAutomationDSCHybridPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"DSCAndHybridWorker\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCosmosSQLPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCosmosSQLPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"SQL\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-MongoDB\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCosmosMongoPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCosmosMongoPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"MongoDB\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Cassandra\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCosmosCassandraPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCosmosCassandraPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Cassandra\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Gremlin\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCosmosGremlinPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCosmosGremlinPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Gremlin\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCosmosTablePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCosmosTablePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Table\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureDataFactoryPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureDataFactoryPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"dataFactory\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory-Portal\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureDataFactoryPortalPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureDataFactoryPortalPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"portal\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Databricks-UI-Api\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureDatabricksPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureDatabricksPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"groupId\": {\n \"value\": \"databricks_ui_api\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Databricks-Browser-AuthN\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureDatabricksPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureDatabricksPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"groupId\": {\n \"value\": \"browser_authentication\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-HDInsight\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43d6e3bd-fc6a-4b44-8b4d-2151d8736a11\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureHDInsightPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureHDInsightPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"groupId\": {\n \"value\": \"cluster\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Migrate\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7590a335-57cf-4c95-babd-ecbc8fafeb1f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMigratePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMigratePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75973700-529f-4de2-b794-fb9b6781b6b0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageBlobPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageBlobPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d847d34b-9337-4e2d-99a5-767e5ac9c582\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageBlobSecPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageBlobSecPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bcff79fb-2b0d-47c9-97e5-3023479b00d1\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageQueuePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageQueuePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageQueueSecPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageQueueSecPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-File\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6df98d03-368a-4438-8730-a93c4d7693d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageFilePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageFilePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9adab2a5-05ba-4fbd-831a-5bf958d04218\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageStaticWebPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageStaticWebPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d19ae5f1-b303-4b82-9ca8-7682749faf0c\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageStaticWebSecPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageStaticWebSecPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83c6fe0f-2316-444a-99a1-1ecd8a7872ca\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageDFSPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageDFSPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/90bd4cb3-9f59-45f7-a6ca-f69db2726671\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageDFSSecPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageDFSSecPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSynapseSQLPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSynapseSQLPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"targetSubResource\": {\n \"value\": \"Sql\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL-OnDemand\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSynapseSQLODPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSynapseSQLODPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"targetSubResource\": {\n \"value\": \"SqlOnDemand\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-Dev\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSynapseDevPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSynapseDevPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"targetSubResource\": {\n \"value\": \"Dev\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Key\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMediaServicesKeyPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMediaServicesKeyPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"groupId\": {\n \"value\": \"keydelivery\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Live\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMediaServicesLivePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMediaServicesLivePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"groupId\": {\n \"value\": \"liveevent\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Stream\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMediaServicesStreamPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMediaServicesStreamPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"groupId\": {\n \"value\": \"streamingendpoint\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Monitor\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/437914ee-c176-4fff-8986-7e05eb971365\",\n \"parameters\": {\n \"privateDnsZoneId1\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMonitorPrivateDnsZoneId1'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMonitorPrivateDnsZoneId1, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZoneId2\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMonitorPrivateDnsZoneId2'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMonitorPrivateDnsZoneId2, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZoneId3\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMonitorPrivateDnsZoneId3'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMonitorPrivateDnsZoneId3, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZoneId4\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMonitorPrivateDnsZoneId4'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMonitorPrivateDnsZoneId4, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZoneId5\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMonitorPrivateDnsZoneId5'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMonitorPrivateDnsZoneId5, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Web\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureWebPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureWebPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureBatchPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureBatchPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAppPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAppPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAsrPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAsrPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureIotPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureIotPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureKeyVaultPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureKeyVaultPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSignalRPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSignalRPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAppServicesPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAppServicesPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureEventGridTopicsPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureEventGridTopicsPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureDiskAccessPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureDiskAccessPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCognitiveServicesPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCognitiveServicesPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureIotHubsPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureIotHubsPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureEventGridDomainsPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureEventGridDomainsPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureRedisCachePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureRedisCachePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAcrPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAcrPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureEventHubNamespacePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureEventHubNamespacePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMachineLearningWorkspacePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMachineLearningWorkspacePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"secondPrivateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMachineLearningWorkspaceSecondPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMachineLearningWorkspaceSecondPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureServiceBusNamespacePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureServiceBusNamespacePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCognitiveSearchPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCognitiveSearchPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-BotService\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6a4e6f44-f2af-4082-9702-033c9e88b9f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureBotServicePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureBotServicePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ManagedGrafanaWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4c8537f8-cd1b-49ec-b704-18e82a42fd58\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureManagedGrafanaWorkspacePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureManagedGrafanaWorkspacePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopHostpool\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9427df23-0f42-4e1e-bf99-a6133d841c4a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureVirtualDesktopHostpoolPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureVirtualDesktopHostpoolPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"connection\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34804460-d88b-4922-a7ca-537165e060ed\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureVirtualDesktopWorkspacePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureVirtualDesktopWorkspacePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"feed\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTDeviceupdate\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a222b93a-e6c2-4c01-817f-21e092455b2a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureIotDeviceupdatePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureIotDeviceupdatePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Arc\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55c4db33-97b0-437b-8469-c4f4498f5df9\",\n \"parameters\":{\n \"privateDnsZoneIDForGuestConfiguration\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureArcGuestconfigurationPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureArcGuestconfigurationPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZoneIDForHybridResourceProvider\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureArcHybridResourceProviderPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureArcHybridResourceProviderPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZoneIDForKubernetesConfiguration\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureArcKubernetesConfigurationPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureArcKubernetesConfigurationPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTCentral\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d627d7c6-ded5-481a-8f2e-7e16b1e6faf6\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureIotCentralPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureIotCentralPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/028bbd88-e9b5-461f-9424-a1b63a7bee1a\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageTablePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageTablePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table-Secondary\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c1d634a5-f73d-4cdd-889f-2cc7006eb47f\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageTableSecondaryPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageTableSecondaryPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery-Backup\",\n \"policyDefinitionId\":\"/providers/Microsoft.Authorization/policyDefinitions/af783da1-4ad1-42be-800d-d19c70038820\",\n \"parameters\":{\n \"privateDnsZone-Backup\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSiteRecoveryBackupPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSiteRecoveryBackupPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZone-Blob\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSiteRecoveryBlobPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSiteRecoveryBlobPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZone-Queue\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSiteRecoveryQueuePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSiteRecoveryQueuePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#42": "{\n \"name\": \"Enforce-Encryption-CMK\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"3.1.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"MySQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure MySQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"PostgreSQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure PostgreSQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"HealthcareAPIsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure API for FHIR should use a customer-managed key (CMK) to encrypt data at rest\",\n \"description\": \"Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n },\n \"AutomationAccountCmkEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"BackupCmkEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveSearchCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"osAndDataDiskCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerInstanceCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"eventHubPremiumCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusDenyCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlManagedCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageTableCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsEncryptionCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageQueueCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"botServiceCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"audit\",\n \"Deny\",\n \"deny\",\n \"Disabled\",\n \"disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HealthcareAPIsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('HealthcareAPIsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/56a5ee18-2ae6-4810-86f7-18e39ce5629b\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AutomationAccountCmkEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2e94d99a-8a36-4563-bc77-810d8893b671\",\n \"policyDefinitionReferenceId\": \"Deny-Backup-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BackupCmkEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/76a56461-9dc0-40f0-82f5-2453283afa2f\",\n \"policyDefinitionReferenceId\": \"Deny-CognitiveSearch-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/702dd420-7fcc-42c5-afe8-4026edd20fe0\",\n \"policyDefinitionReferenceId\": \"Deny-OsAndDataDisk-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('osAndDataDiskCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0aa61e00-0a01-4a3c-9945-e93cffedf0e6\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerInstance-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerInstanceCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/81e74cea-30fd-40d5-802f-d72103c2aaaa\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec52d6d-beb7-40c4-9a9e-fe753254690e\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a1ad735a-e96f-45d2-a7b2-9a4932cab7ec\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-Premium-CMK\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Premium-CMK\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubPremiumCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/295fc8b1-dc9f-4f53-9c61-3f313ceab40a\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDenyCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac01ad65-10e5-46df-bdd9-6b0cad13e1d2\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7c322315-e26d-4174-a99e-f49d351b4688\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Table-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageTableCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b5ec538c-daa0-4006-8596-35468b9148e8\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Encryption-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsEncryptionCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e5abd0-2554-4736-b7c0-4ffef23475ef\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Queue-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageQueueCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/51522a96-0869-4791-82f3-981000c2c67f\",\n \"policyDefinitionReferenceId\": \"Deny-BotService-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('botServiceCmk')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#43": "{\n \"name\": \"Enforce-ACSB\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce Azure Compute Security Benchmark compliance auditing\",\n \"description\": \"Enforce Azure Compute Security Benchmark compliance auditing for Windows and Linux virtual machines.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Guest Configuration\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"includeArcMachines\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"true\",\n \"false\"\n ],\n \"metadata\": {\n \"displayName\": \"Include Arc connected servers\",\n \"description\": \"By selecting this option, you agree to be charged monthly per Arc connected machine.\"\n },\n \"defaultValue\": \"true\"\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"AuditIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"GcIdentity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"GcLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"GcWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WinAcsb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"IncludeArcMachines\": {\n \"value\": \"[[parameters('includeArcMachines')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LinAcsb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"IncludeArcMachines\": {\n \"value\": \"[[parameters('includeArcMachines')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#40": "{\n \"name\": \"Deploy-MDFC-Config_20240319\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"2.2.0\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Deploy-MDFC-Config\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"createResourceGroup\":{\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"Create resource group\",\n \"description\": \"If a resource group does not exists in the scope, a new resource group will be created. If the resource group exists and this flag is set to 'true' the policy will re-deploy the resource group. Please note this will reset any Azure Tag on the resource group.\"\n },\n \"defaultValue\": true,\n \"allowedValues\": [\n true,\n false\n ]\n },\n \"enableAscForCosmosDbs\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSqlOnVm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForArm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForOssDb\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForAppServices\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForKeyVault\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForStorage\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServersVulnerabilityAssessments\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"vulnerabilityAssessmentProvider\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"default\",\n \"mdeTvm\"\n ],\n \"defaultValue\": \"mdeTvm\",\n \"metadata\": {\n \"displayName\": \"Vulnerability assessment provider type\",\n \"description\": \"Select the vulnerability assessment solution to provision to machines.\"\n }\n },\n \"enableAscForCspm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableTvmCheck\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForOssDb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForOssDb')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVMVulnerabilityAssessment\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b\",\n \"definitionVersion\": \"4.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServersVulnerabilityAssessments')]\"\n },\n \"vaType\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentProvider')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlServerVirtualMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSqlOnVm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForAppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForAppServices')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForStorageAccountsV2\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForStorage')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5\",\n \"definitionVersion\": \"4.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n },\n \"logAnalyticsWorkspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azurePolicyForKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n \"definitionVersion\": \"4.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForKeyVaults\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForKeyVault')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForArm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForArm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCosmosDbs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCosmosDbs')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCspm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/72f8cee7-2937-403d-84a1-a4e3e57f3c21\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCspm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\": {\n \"value\": \"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"definitionVersion\": \"4.*.*\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"createResourceGroup\": {\n \"value\": \"[[parameters('createResourceGroup')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"migrateToMdeTvm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/766e621d-ba95-4e43-a6f2-e945db3d7888\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableTvmCheck')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#41": "{\n \"name\": \"Deploy-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"2.4.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"dnsZoneSubscriptionId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"Subscription Id\",\n \"description\": \"The subscription id where the private DNS zones are deployed. If this is specified, it will override any individual private DNS zone resource ids specified.\"\n }\n },\n \"dnsZoneResourceGroupName\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"Resource Group Name\",\n \"description\": \"The resource group where the private DNS zones are deployed. If this is specified, it will override any individual private DNS zone resource ids specified.\"\n }\n },\n \"dnsZoneResourceType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Microsoft.Network/privateDnsZones\",\n \"metadata\": {\n \"displayName\": \"Resource Type\",\n \"description\": \"The resource type where the private DNS zones are deployed. If this is specified, it will override any individual private DNS zone resource ids specified.\"\n }\n },\n \"dnsZoneRegion\": {\n \"type\": \"string\",\n \"defaultValue\": \"changeme\",\n \"metadata\": {\n \"displayName\": \"Region\",\n \"description\": \"The region where the private DNS zones are deployed. If this is specified, it will override any individual private DNS zone resource ids specified.\"\n }\n },\n \"dnzZoneRegionShortNames\": {\n \"type\": \"object\",\n \"defaultValue\": {\n \"changeme\": \"changeme\",\n \"australiacentral\" : \"acl\",\n \"australiacentral2\" : \"acl2\",\n \"australiaeast\" : \"ae\",\n \"australiasoutheast\" : \"ase\",\n \"brazilsoutheast\" : \"bse\",\n \"brazilsouth\" : \"brs\",\n \"canadacentral\" : \"cnc\",\n \"canadaeast\" : \"cne\",\n \"centralindia\" : \"inc\",\n \"centralus\" : \"cus\",\n \"centraluseuap\" : \"ccy\",\n \"chilecentral\" : \"clc\",\n \"eastasia\" : \"ea\",\n \"eastus\" : \"eus\",\n \"eastus2\" : \"eus2\",\n \"eastus2euap\" : \"ecy\",\n \"francecentral\" : \"frc\",\n \"francesouth\" : \"frs\",\n \"germanynorth\" : \"gn\",\n \"germanywestcentral\" : \"gwc\",\n \"israelcentral\" : \"ilc\",\n \"italynorth\" : \"itn\",\n \"japaneast\" : \"jpe\",\n \"japanwest\" : \"jpw\",\n \"koreacentral\" : \"krc\",\n \"koreasouth\" : \"krs\",\n \"malaysiasouth\" : \"mys\",\n \"malaysiawest\" : \"myw\",\n \"mexicocentral\" : \"mxc\",\n \"newzealandnorth\" : \"nzn\",\n \"northcentralus\" : \"ncus\",\n \"northeurope\" : \"ne\",\n \"norwayeast\" : \"nwe\",\n \"norwaywest\" : \"nww\",\n \"polandcentral\" : \"plc\",\n \"qatarcentral\" : \"qac\",\n \"southafricanorth\" : \"san\",\n \"southafricawest\" : \"saw\",\n \"southcentralus\" : \"scus\",\n \"southeastasia\" : \"sea\",\n \"southindia\" : \"ins\",\n \"spaincentral\" : \"spc\",\n \"swedencentral\" : \"sdc\",\n \"swedensouth\" : \"sds\",\n \"switzerlandnorth\" : \"szn\",\n \"switzerlandwest\" : \"szw\",\n \"taiwannorth\" : \"twn\",\n \"uaecentral\" : \"uac\",\n \"uaenorth\" : \"uan\",\n \"uksouth\" : \"uks\",\n \"ukwest\" : \"ukw\",\n \"westcentralus\" : \"wcus\",\n \"westeurope\" : \"we\",\n \"westindia\" : \"inw\",\n \"westus\" : \"wus\",\n \"westus2\" : \"wus2\",\n \"westus3\" : \"wus3\"\n },\n \"metadata\": {\n \"displayName\": \"Region Short Name Mapping\",\n \"description\": \"Mapping of region to private DNS zone resource id. If the region is not specified, the default private DNS zone resource id will be used.\"\n }\n },\n \"dnsZoneNames\": {\n \"type\": \"object\",\n \"defaultValue\": {\n \"azureAcrPrivateDnsZoneId\": \"privatelink.azurecr.io\",\n \"azureAcrDataPrivateDnsZoneId\": \"{regionName}.data.privatelink.azurecr.io\",\n \"azureAppPrivateDnsZoneId\": \"privatelink.azconfig.io\",\n \"azureAppServicesPrivateDnsZoneId\": \"privatelink.azurewebsites.net\",\n \"azureArcGuestconfigurationPrivateDnsZoneId\": \"privatelink.guestconfiguration.azure.com\",\n \"azureArcHybridResourceProviderPrivateDnsZoneId\": \"privatelink.his.arc.azure.com\",\n \"azureArcKubernetesConfigurationPrivateDnsZoneId\": \"privatelink.dp.kubernetesconfiguration.azure.com\",\n \"azureAsrPrivateDnsZoneId\": \"privatelink.siterecovery.windowsazure.com\",\n \"azureAutomationDSCHybridPrivateDnsZoneId\": \"privatelink.azure-automation.net\",\n \"azureAutomationWebhookPrivateDnsZoneId\": \"privatelink.azure-automation.net\",\n \"azureBatchPrivateDnsZoneId\": \"privatelink.batch.azure.com\",\n \"azureBotServicePrivateDnsZoneId\": \"privatelink.directline.botframework.com\",\n \"azureCognitiveSearchPrivateDnsZoneId\": \"privatelink.search.windows.net\",\n \"azureCognitiveServicesPrivateDnsZoneId\": \"privatelink.cognitiveservices.azure.com\",\n \"azureCosmosCassandraPrivateDnsZoneId\": \"privatelink.cassandra.cosmos.azure.com\",\n \"azureCosmosGremlinPrivateDnsZoneId\": \"privatelink.gremlin.cosmos.azure.com\",\n \"azureCosmosMongoPrivateDnsZoneId\": \"privatelink.mongo.cosmos.azure.com\",\n \"azureCosmosSQLPrivateDnsZoneId\": \"privatelink.documents.azure.com\",\n \"azureCosmosTablePrivateDnsZoneId\": \"privatelink.table.cosmos.azure.com\",\n \"azureDataExplorerPrivateDnsZoneId\": \"privatelink.{regionName}.kusto.windows.net\",\n \"azureDataFactoryPortalPrivateDnsZoneId\": \"privatelink.adf.azure.com\",\n \"azureDataFactoryPrivateDnsZoneId\": \"privatelink.datafactory.azure.net\",\n \"azureDatabricksPrivateDnsZoneId\": \"privatelink.azuredatabricks.net\",\n \"azureDiskAccessPrivateDnsZoneId\": \"privatelink.blob.core.windows.net\",\n \"azureEventGridDomainsPrivateDnsZoneId\": \"privatelink.eventgrid.azure.net\",\n \"azureEventGridTopicsPrivateDnsZoneId\": \"privatelink.eventgrid.azure.net\",\n \"azureEventHubNamespacePrivateDnsZoneId\": \"privatelink.servicebus.windows.net\",\n \"azureFilePrivateDnsZoneId\": \"privatelink.afs.azure.net\",\n \"azureHDInsightPrivateDnsZoneId\": \"privatelink.azurehdinsight.net\",\n \"azureIotCentralPrivateDnsZoneId\": \"privatelink.azureiotcentral.com\",\n \"azureIotDeviceupdatePrivateDnsZoneId\": \"privatelink.azure-devices.net\",\n \"azureIotHubsPrivateDnsZoneId\": \"privatelink.azure-devices.net\",\n \"azureIotPrivateDnsZoneId\": \"privatelink.azure-devices-provisioning.net\",\n \"azureKeyVaultPrivateDnsZoneId\": \"privatelink.vaultcore.azure.net\",\n \"azureKubernetesManagementPrivateDnsZoneId\": \"privatelink.{regionName}.azmk8s.io\",\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": \"privatelink.api.azureml.ms\",\n \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\": \"privatelink.notebooks.azure.net\",\n \"azureManagedGrafanaWorkspacePrivateDnsZoneId\": \"privatelink.grafana.azure.com\",\n \"azureMediaServicesKeyPrivateDnsZoneId\": \"privatelink.media.azure.net\",\n \"azureMediaServicesLivePrivateDnsZoneId\": \"privatelink.media.azure.net\",\n \"azureMediaServicesStreamPrivateDnsZoneId\": \"privatelink.media.azure.net\",\n \"azureMigratePrivateDnsZoneId\": \"privatelink.prod.migration.windowsazure.com\",\n \"azureMonitorPrivateDnsZoneId1\": \"privatelink.monitor.azure.com\",\n \"azureMonitorPrivateDnsZoneId2\": \"privatelink.oms.opinsights.azure.com\",\n \"azureMonitorPrivateDnsZoneId3\": \"privatelink.ods.opinsights.azure.com\",\n \"azureMonitorPrivateDnsZoneId4\": \"privatelink.agentsvc.azure-automation.net\",\n \"azureMonitorPrivateDnsZoneId5\": \"privatelink.blob.core.windows.net\",\n \"azureRedisCachePrivateDnsZoneId\": \"privatelink.redis.cache.windows.net\",\n \"azureServiceBusNamespacePrivateDnsZoneId\": \"privatelink.servicebus.windows.net\",\n \"azureSignalRPrivateDnsZoneId\": \"privatelink.service.signalr.net\",\n \"azureSiteRecoveryBackupPrivateDnsZoneId\": \"privatelink.{regionCode}.backup.windowsazure.com\",\n \"azureSiteRecoveryBlobPrivateDnsZoneId\": \"privatelink.blob.core.windows.net\",\n \"azureSiteRecoveryQueuePrivateDnsZoneId\": \"privatelink.queue.core.windows.net\",\n \"azureStorageBlobPrivateDnsZoneId\": \"privatelink.blob.core.windows.net\",\n \"azureStorageBlobSecPrivateDnsZoneId\": \"privatelink.blob.core.windows.net\",\n \"azureStorageDFSPrivateDnsZoneId\": \"privatelink.dfs.core.windows.net\",\n \"azureStorageDFSSecPrivateDnsZoneId\": \"privatelink.dfs.core.windows.net\",\n \"azureStorageFilePrivateDnsZoneId\": \"privatelink.file.core.windows.net\",\n \"azureStorageQueuePrivateDnsZoneId\": \"privatelink.queue.core.windows.net\",\n \"azureStorageQueueSecPrivateDnsZoneId\": \"privatelink.queue.core.windows.net\",\n \"azureStorageStaticWebPrivateDnsZoneId\": \"privatelink.web.core.windows.net\",\n \"azureStorageStaticWebSecPrivateDnsZoneId\": \"privatelink.web.core.windows.net\",\n \"azureStorageTablePrivateDnsZoneId\": \"privatelink.table.core.windows.net\",\n \"azureStorageTableSecondaryPrivateDnsZoneId\": \"privatelink.table.core.windows.net\",\n \"azureSynapseDevPrivateDnsZoneId\": \"privatelink.dev.azuresynapse.net\",\n \"azureSynapseSQLPrivateDnsZoneId\": \"privatelink.sql.azuresynapse.net\",\n \"azureSynapseSQLODPrivateDnsZoneId\": \"privatelink.sql.azuresynapse.net\",\n \"azureVirtualDesktopHostpoolPrivateDnsZoneId\": \"privatelink.wvd.microsoft.com\",\n \"azureVirtualDesktopWorkspacePrivateDnsZoneId\": \"privatelink.wvd.microsoft.com\",\n \"azureWebPrivateDnsZoneId\": \"privatelink.webpubsub.azure.com\"\n },\n \"metadata\": {\n \"displayName\": \"DNS Zone Names\",\n \"description\": \"The list of private DNS zone names to be used for the Azure PaaS services.\"\n }\n },\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationWebhookPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationWebhookPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationDSCHybridPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationDSCHybridPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosMongoPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosMongoPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosCassandraPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosCassandraPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosGremlinPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosGremlinPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPortalPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPortalPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDatabricksPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDatabricksPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureHDInsightPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureHDInsightPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMigratePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMigratePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageBlobPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageBlobPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageBlobSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageBlobSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageQueuePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageQueuePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageQueueSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageQueueSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageStaticWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageStaticWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageStaticWebSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageStaticWebSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageDFSPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageDFSPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageDFSSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageDFSSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLODPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLODPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseDevPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseDevPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesKeyPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesKeyPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesLivePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesLivePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesStreamPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesStreamPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId1\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId1\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId2\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId2\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId3\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId3\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId4\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId4\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId5\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId5\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBotServicePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBotServicePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureManagedGrafanaWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureManagedGrafanaWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopHostpoolPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopHostpoolPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotDeviceupdatePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotDeviceupdatePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureArcGuestconfigurationPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureArcGuestconfigurationPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureArcHybridResourceProviderPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureArcHybridResourceProviderPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureArcKubernetesConfigurationPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureArcKubernetesConfigurationPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotCentralPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotCentralPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTableSecondaryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTableSecondaryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBackupPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBackupPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBlobPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBlobPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryQueuePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryQueuePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureFilePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureFilePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-Webhook\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAutomationWebhookPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAutomationWebhookPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Webhook\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-DSCHybrid\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAutomationDSCHybridPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAutomationDSCHybridPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"DSCAndHybridWorker\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCosmosSQLPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCosmosSQLPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"SQL\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-MongoDB\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCosmosMongoPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCosmosMongoPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"MongoDB\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Cassandra\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCosmosCassandraPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCosmosCassandraPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Cassandra\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Gremlin\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCosmosGremlinPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCosmosGremlinPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Gremlin\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCosmosTablePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCosmosTablePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Table\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureDataFactoryPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureDataFactoryPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"dataFactory\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory-Portal\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureDataFactoryPortalPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureDataFactoryPortalPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"portal\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Databricks-UI-Api\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureDatabricksPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureDatabricksPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"groupId\": {\n \"value\": \"databricks_ui_api\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Databricks-Browser-AuthN\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureDatabricksPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureDatabricksPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"groupId\": {\n \"value\": \"browser_authentication\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-HDInsight\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43d6e3bd-fc6a-4b44-8b4d-2151d8736a11\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureHDInsightPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureHDInsightPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"groupId\": {\n \"value\": \"cluster\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Migrate\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7590a335-57cf-4c95-babd-ecbc8fafeb1f\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMigratePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMigratePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75973700-529f-4de2-b794-fb9b6781b6b0\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageBlobPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageBlobPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d847d34b-9337-4e2d-99a5-767e5ac9c582\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageBlobSecPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageBlobSecPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bcff79fb-2b0d-47c9-97e5-3023479b00d1\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageQueuePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageQueuePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageQueueSecPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageQueueSecPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-File\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6df98d03-368a-4438-8730-a93c4d7693d6\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageFilePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageFilePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9adab2a5-05ba-4fbd-831a-5bf958d04218\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageStaticWebPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageStaticWebPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d19ae5f1-b303-4b82-9ca8-7682749faf0c\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageStaticWebSecPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageStaticWebSecPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83c6fe0f-2316-444a-99a1-1ecd8a7872ca\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageDFSPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageDFSPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/90bd4cb3-9f59-45f7-a6ca-f69db2726671\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageDFSSecPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageDFSSecPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSynapseSQLPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSynapseSQLPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"targetSubResource\": {\n \"value\": \"Sql\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL-OnDemand\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSynapseSQLODPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSynapseSQLODPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"targetSubResource\": {\n \"value\": \"SqlOnDemand\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-Dev\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSynapseDevPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSynapseDevPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"targetSubResource\": {\n \"value\": \"Dev\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Key\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMediaServicesKeyPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMediaServicesKeyPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"groupId\": {\n \"value\": \"keydelivery\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Live\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMediaServicesLivePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMediaServicesLivePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"groupId\": {\n \"value\": \"liveevent\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Stream\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMediaServicesStreamPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMediaServicesStreamPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"groupId\": {\n \"value\": \"streamingendpoint\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Monitor\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/437914ee-c176-4fff-8986-7e05eb971365\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId1\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMonitorPrivateDnsZoneId1'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMonitorPrivateDnsZoneId1, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZoneId2\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMonitorPrivateDnsZoneId2'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMonitorPrivateDnsZoneId2, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZoneId3\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMonitorPrivateDnsZoneId3'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMonitorPrivateDnsZoneId3, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZoneId4\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMonitorPrivateDnsZoneId4'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMonitorPrivateDnsZoneId4, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZoneId5\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMonitorPrivateDnsZoneId5'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMonitorPrivateDnsZoneId5, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Web\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureWebPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureWebPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureBatchPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureBatchPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAppPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAppPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAsrPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAsrPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureIotPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureIotPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureKeyVaultPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureKeyVaultPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSignalRPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSignalRPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAppServicesPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAppServicesPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureEventGridTopicsPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureEventGridTopicsPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureDiskAccessPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureDiskAccessPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCognitiveServicesPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCognitiveServicesPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureIotHubsPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureIotHubsPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureEventGridDomainsPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureEventGridDomainsPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureRedisCachePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureRedisCachePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAcrPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAcrPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureEventHubNamespacePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureEventHubNamespacePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMachineLearningWorkspacePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMachineLearningWorkspacePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"secondPrivateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMachineLearningWorkspaceSecondPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMachineLearningWorkspaceSecondPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureServiceBusNamespacePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureServiceBusNamespacePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCognitiveSearchPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCognitiveSearchPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-BotService\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6a4e6f44-f2af-4082-9702-033c9e88b9f8\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureBotServicePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureBotServicePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ManagedGrafanaWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4c8537f8-cd1b-49ec-b704-18e82a42fd58\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureManagedGrafanaWorkspacePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureManagedGrafanaWorkspacePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopHostpool\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9427df23-0f42-4e1e-bf99-a6133d841c4a\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureVirtualDesktopHostpoolPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureVirtualDesktopHostpoolPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"connection\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34804460-d88b-4922-a7ca-537165e060ed\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureVirtualDesktopWorkspacePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureVirtualDesktopWorkspacePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"feed\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTDeviceupdate\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a222b93a-e6c2-4c01-817f-21e092455b2a\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureIotDeviceupdatePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureIotDeviceupdatePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Arc\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55c4db33-97b0-437b-8469-c4f4498f5df9\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\":{\n \"privateDnsZoneIDForGuestConfiguration\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureArcGuestconfigurationPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureArcGuestconfigurationPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZoneIDForHybridResourceProvider\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureArcHybridResourceProviderPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureArcHybridResourceProviderPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZoneIDForKubernetesConfiguration\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureArcKubernetesConfigurationPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureArcKubernetesConfigurationPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTCentral\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d627d7c6-ded5-481a-8f2e-7e16b1e6faf6\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureIotCentralPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureIotCentralPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/028bbd88-e9b5-461f-9424-a1b63a7bee1a\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageTablePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageTablePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table-Secondary\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c1d634a5-f73d-4cdd-889f-2cc7006eb47f\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageTableSecondaryPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageTableSecondaryPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery-Backup\",\n \"policyDefinitionId\":\"/providers/Microsoft.Authorization/policyDefinitions/af783da1-4ad1-42be-800d-d19c70038820\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"parameters\":{\n \"privateDnsZone-Backup\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSiteRecoveryBackupPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSiteRecoveryBackupPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZone-Blob\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSiteRecoveryBlobPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSiteRecoveryBlobPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZone-Queue\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSiteRecoveryQueuePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSiteRecoveryQueuePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#42": "{\n \"name\": \"Enforce-Encryption-CMK\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"3.2.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"MySQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure MySQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"PostgreSQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure PostgreSQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"HealthcareAPIsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure API for FHIR should use a customer-managed key (CMK) to encrypt data at rest\",\n \"description\": \"Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n },\n \"AutomationAccountCmkEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"BackupCmkEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveSearchCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"osAndDataDiskCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerInstanceCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"eventHubPremiumCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusDenyCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlManagedCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageTableCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsEncryptionCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageQueueCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"botServiceCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"audit\",\n \"Deny\",\n \"deny\",\n \"Disabled\",\n \"disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HealthcareAPIsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('HealthcareAPIsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/56a5ee18-2ae6-4810-86f7-18e39ce5629b\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AutomationAccountCmkEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2e94d99a-8a36-4563-bc77-810d8893b671\",\n \"policyDefinitionReferenceId\": \"Deny-Backup-Cmk\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BackupCmkEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/76a56461-9dc0-40f0-82f5-2453283afa2f\",\n \"policyDefinitionReferenceId\": \"Deny-CognitiveSearch-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/702dd420-7fcc-42c5-afe8-4026edd20fe0\",\n \"policyDefinitionReferenceId\": \"Deny-OsAndDataDisk-Cmk\",\n \"definitionVersion\": \"3.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('osAndDataDiskCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0aa61e00-0a01-4a3c-9945-e93cffedf0e6\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerInstance-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerInstanceCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/81e74cea-30fd-40d5-802f-d72103c2aaaa\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec52d6d-beb7-40c4-9a9e-fe753254690e\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a1ad735a-e96f-45d2-a7b2-9a4932cab7ec\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-Premium-CMK\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Premium-CMK\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubPremiumCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/295fc8b1-dc9f-4f53-9c61-3f313ceab40a\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDenyCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac01ad65-10e5-46df-bdd9-6b0cad13e1d2\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Cmk\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7c322315-e26d-4174-a99e-f49d351b4688\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Table-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageTableCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b5ec538c-daa0-4006-8596-35468b9148e8\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Encryption-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsEncryptionCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e5abd0-2554-4736-b7c0-4ffef23475ef\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Queue-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageQueueCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/51522a96-0869-4791-82f3-981000c2c67f\",\n \"policyDefinitionReferenceId\": \"Deny-BotService-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('botServiceCmk')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#43": "{\n \"name\": \"Enforce-ACSB\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce Azure Compute Security Benchmark compliance auditing\",\n \"description\": \"Enforce Azure Compute Security Benchmark compliance auditing for Windows and Linux virtual machines.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Guest Configuration\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"includeArcMachines\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"true\",\n \"false\"\n ],\n \"metadata\": {\n \"displayName\": \"Include Arc connected servers\",\n \"description\": \"By selecting this option, you agree to be charged monthly per Arc connected machine.\"\n },\n \"defaultValue\": \"true\"\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"AuditIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"GcIdentity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e\",\n \"definitionVersion\": \"4.*.*\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"GcLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da\",\n \"definitionVersion\": \"3.*.*\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"GcWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WinAcsb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"IncludeArcMachines\": {\n \"value\": \"[[parameters('includeArcMachines')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LinAcsb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"IncludeArcMachines\": {\n \"value\": \"[[parameters('includeArcMachines')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#44": "{\n \"name\": \"Deploy-MDFC-DefenderSQL-AMA\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Configure SQL VM and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LAW\",\n \"description\": \"Initiative is deprecated as the built-in initiative now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/de01d381-bae9-4670-8870-786f89f49e26.html\",\n \"metadata\": {\n \"version\": \"1.0.1-deprecated\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"de01d381-bae9-4670-8870-786f89f49e26\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"workspaceRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace region\",\n \"description\": \"Region of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"location\"\n }\n },\n \"dcrName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Name\",\n \"description\": \"Name of the Data Collection Rule.\"\n }\n },\n \"dcrResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Resource Group\",\n \"description\": \"Resource Group of the Data Collection Rule.\"\n }\n },\n \"dcrId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Id\",\n \"description\": \"Id of the Data Collection Rule.\"\n }\n },\n \"userWorkspaceResourceId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace Resource Id\",\n \"description\": \"Workspace resource Id of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"Enable collection of SQL queries for security research\",\n \"description\": \"Enable or disable the collection of SQL queries for security research.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n },\n \"identityResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Identity Resource Group\",\n \"description\": \"The name of the resource group created by the policy.\"\n },\n \"defaultValue\": \"\"\n },\n \"userAssignedIdentityName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"User Assigned Managed Identity Name\",\n \"description\": \"The name of the user assigned managed identity.\"\n },\n \"defaultValue\": \"\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcAma\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3592ff98-9787-443a-af59-4505d0fe0786\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcMdsql\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/65503269-6a54-4553-8a28-0065a8e6d929\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcMdsqlDcr\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-Sql-DefenderSQL-DCR\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"userWorkspaceResourceId\": {\n \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcDcrAssociation\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-SQL-DCR-Association\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlAma\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-AMA\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"identityResourceGroup\": {\n \"value\": \"[[parameters('identityResourceGroup')]\"\n },\n \"userAssignedIdentityName\": {\n \"value\": \"[[parameters('userAssignedIdentityName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlMdsql\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlMdsqlDcr\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL-DCR\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"Disabled\"\n },\n \"userWorkspaceResourceId\": {\n \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#45": "{\n \"name\": \"Enforce-Backup\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce enhanced recovery and backup policies\",\n \"description\": \"Enforce enhanced recovery and backup policies on assigned scopes.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Backup\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"version\": \"1.0.0\",\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"checkLockedImmutabilityOnly\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"checkLockedImmutabilityOnly\",\n \"description\": \"This parameter checks if Immutability is locked for Backup Vaults in scope. Selecting 'true' will mark only vaults with Immutability 'Locked' as compliant. Selecting 'false' will mark vaults that have Immutability either 'Enabled' or 'Locked' as compliant.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"CheckAlwaysOnSoftDeleteOnly\",\n \"description\": \"This parameter checks if Soft Delete is 'Locked' for Backup Vaults in scope. Selecting 'true' will mark only vaults with Soft Delete 'AlwaysOn' as compliant. Selecting 'false' will mark vaults that have Soft Delete either 'On' or 'AlwaysOn' as compliant.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-Immutability\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2514263b-bc0d-4b06-ac3e-f262c0979018\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkLockedImmutabiltyOnly\": {\n \"value\": \"[[parameters('checkLockedImmutabilityOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-Immutability\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6f6f560-14b7-49a4-9fc8-d2c3a9807868\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkLockedImmutabilityOnly\": {\n \"value\": \"[[parameters('checkLockedImmutabilityOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-SoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9798d31d-6028-4dee-8643-46102185c016\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"value\": \"[[parameters('checkAlwaysOnSoftDeleteOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-SoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/31b8092a-36b8-434b-9af7-5ec844364148\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"value\": \"[[parameters('checkAlwaysOnSoftDeleteOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-MUA\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c58e083e-7982-4e24-afdc-be14d312389e\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-MUA\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c7031eab-0fc0-4cd9-acd0-4497bd66d91a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#45": "{\n \"name\": \"Enforce-Backup\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce enhanced recovery and backup policies\",\n \"description\": \"Enforce enhanced recovery and backup policies on assigned scopes.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Backup\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"version\": \"1.0.0\",\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"checkLockedImmutabilityOnly\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"checkLockedImmutabilityOnly\",\n \"description\": \"This parameter checks if Immutability is locked for Backup Vaults in scope. Selecting 'true' will mark only vaults with Immutability 'Locked' as compliant. Selecting 'false' will mark vaults that have Immutability either 'Enabled' or 'Locked' as compliant.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"CheckAlwaysOnSoftDeleteOnly\",\n \"description\": \"This parameter checks if Soft Delete is 'Locked' for Backup Vaults in scope. Selecting 'true' will mark only vaults with Soft Delete 'AlwaysOn' as compliant. Selecting 'false' will mark vaults that have Soft Delete either 'On' or 'AlwaysOn' as compliant.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-Immutability\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2514263b-bc0d-4b06-ac3e-f262c0979018\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkLockedImmutabiltyOnly\": {\n \"value\": \"[[parameters('checkLockedImmutabilityOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-Immutability\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6f6f560-14b7-49a4-9fc8-d2c3a9807868\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkLockedImmutabilityOnly\": {\n \"value\": \"[[parameters('checkLockedImmutabilityOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-SoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9798d31d-6028-4dee-8643-46102185c016\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"value\": \"[[parameters('checkAlwaysOnSoftDeleteOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-SoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/31b8092a-36b8-434b-9af7-5ec844364148\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"value\": \"[[parameters('checkAlwaysOnSoftDeleteOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-MUA\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c58e083e-7982-4e24-afdc-be14d312389e\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-MUA\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c7031eab-0fc0-4cd9-acd0-4497bd66d91a\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#46": "{\n \"name\": \"Deny-PublicPaaSEndpoints\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registires with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MariaDbPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-KeyVaultPaasPublicIP\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AFSPaasPublicIP\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#47": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VWanS2SVPNGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#48": "{\n \"name\": \"Deploy-MDFC-Config\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"3.0.1\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\":{\n \"value\":\"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#49": "{\n \"name\": \"Deploy-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"Deploy-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-File-Sync\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-Private-DNS-Azure-Web\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-Web\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureWebPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-KeyVault\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#5": "{\n \"name\": \"Enforce-EncryptTransit_20240509\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. \",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Enforce-EncryptTransit\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.3\",\n \"1.2\",\n \"1.1\",\n \"1.0\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionAppTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Configure Function apps to use the latest TLS version.\",\n \"description\": \"App Service Function App. Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.\"\n },\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"LogicAppTlsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageMinimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"ContainerAppsHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"logicAppHttpsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubMinTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlDbTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Dine-FunctionApp-Tls\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-LogicApp-TLS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('LogicAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https\",\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Without-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppHttpsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063\",\n \"policyDefinitionReferenceId\": \"Dine-Function-Apps-Slots-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Apps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-AppSlotTls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71\",\n \"policyDefinitionReferenceId\": \"Deny-FuncAppSlots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\n \"policyDefinitionReferenceId\": \"Deny-FunctionApp-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-minTLS\",\n \"policyDefinitionReferenceId\": \"Deny-EH-minTLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubMinTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8793640-60f7-487c-b5c3-1d37215905c4\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Db-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlDbTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTlsVersion')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#5": "{\n \"name\": \"Enforce-EncryptTransit_20240509\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. \",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Enforce-EncryptTransit\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.3\",\n \"1.2\",\n \"1.1\",\n \"1.0\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionAppTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Configure Function apps to use the latest TLS version.\",\n \"description\": \"App Service Function App. Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.\"\n },\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"LogicAppTlsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageMinimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"ContainerAppsHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"logicAppHttpsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubMinTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlDbTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"definitionVersion\": \"8.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Dine-FunctionApp-Tls\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-LogicApp-TLS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('LogicAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https\",\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Without-Https\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppHttpsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063\",\n \"policyDefinitionReferenceId\": \"Dine-Function-Apps-Slots-Tls\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Tls\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Apps-Https\",\n \"definitionVersion\": \"4.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Tls\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-AppSlotTls\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71\",\n \"policyDefinitionReferenceId\": \"Deny-FuncAppSlots-Https\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\n \"policyDefinitionReferenceId\": \"Deny-FunctionApp-Https\",\n \"definitionVersion\": \"5.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Https\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Https\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-minTLS\",\n \"policyDefinitionReferenceId\": \"Deny-EH-minTLS\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubMinTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8793640-60f7-487c-b5c3-1d37215905c4\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Tls-Version\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Db-Tls\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlDbTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Tls\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tls-Version\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTlsVersion')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#50": "{\n \"name\": \"Enforce-Encryption-CMK\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"MySQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure MySQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"PostgreSQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure PostgreSQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n\t \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQLCMKEffect\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQLCMKEffect\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#51": "{\n \"name\": \"Deny-PublicPaaSEndpoints\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registires with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MariaDbPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#52": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VWanS2SVPNGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#53": "{\n \"name\": \"Deploy-MDFC-Config\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"3.0.1\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForDns\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForArm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForStorage\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForStorageAccounts\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForStorage')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForDns\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForDns')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForArm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForArm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\":{\n \"value\":\"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#54": "{\n \"name\": \"Deploy-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#55": "{\n \"name\": \"Enforce-Encryption-CMK\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n\t \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#6": "{\n \"name\": \"Enforce-ALZ-Decomm\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce policies in the Decommissioned Landing Zone\",\n \"description\": \"Enforce policies in the Decommissioned Landing Zone.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Decommissioned\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [ \n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"listOfResourceTypesAllowed\":{\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"displayName\": \"Allowed resource types in the Decommissioned landing zone\",\n \"description\": \"Allowed resource types in the Decommissioned landing zone, default is none.\",\n \"strongType\": \"resourceTypes\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DecomDenyResources\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c\",\n \"parameters\": {\n \"listOfResourceTypesAllowed\": {\n \"value\": \"[[parameters('listOfResourceTypesAllowed')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DecomShutdownMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown\",\n \"parameters\": {},\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n }\n ", - "$fxv#7": "{\n \"name\": \"Enforce-ALZ-Sandbox\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce policies in the Sandbox Landing Zone\",\n \"description\": \"Enforce policies in the Sandbox Landing Zone.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Sandbox\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"listOfResourceTypesNotAllowed\": {\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"displayName\": \"Not allowed resource types in the Sandbox landing zone\",\n \"description\": \"Not allowed resource types in the Sandbox landing zone, default is none.\",\n \"strongType\": \"resourceTypes\"\n }\n },\n \"effectNotAllowedResources\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectDenyVnetPeering\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"SandboxNotAllowed\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectNotAllowedResources')]\"\n },\n \"listOfResourceTypesNotAllowed\": {\n \"value\": \"[[parameters('listOfResourceTypesNotAllowed')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SandboxDenyVnetPeering\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-VNET-Peer-Cross-Sub\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectDenyVnetPeering')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#8": "{\n \"name\": \"DenyAction-DeleteProtection\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"DenyAction Delete - Activity Log Settings and Diagnostic Settings\",\n \"description\": \"Enforces DenyAction - Delete on Activity Log Settings and Diagnostic Settings.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {},\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DenyActionDelete-DiagnosticSettings\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-DiagnosticLogs\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DenyActionDelete-ActivityLogSettings\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-ActivityLogs\",\n \"parameters\": {},\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#9": "{\n \"name\": \"Deploy-AUM-CheckUpdates\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure periodic checking for missing system updates on azure virtual machines and Arc-enabled virtual machines\",\n \"description\": \"Configure auto-assessment (every 24 hours) for OS updates. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"assessmentMode\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Assessment mode\",\n \"description\": \"Assessment mode for the machines.\"\n },\n \"allowedValues\": [\n \"ImageDefault\",\n \"AutomaticByPlatform\"\n ],\n \"defaultValue\": \"AutomaticByPlatform\"\n },\n \"locations\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Machines locations\",\n \"description\": \"The list of locations from which machines need to be targeted.\",\n \"strongType\": \"location\"\n },\n \"defaultValue\": []\n },\n \"tagValues\": {\n \"type\": \"Object\",\n \"metadata\": {\n \"displayName\": \"Tags on machines\",\n \"description\": \"The list of tags that need to matched for getting target machines.\"\n },\n \"defaultValue\": {}\n },\n \"tagOperator\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Tag operator\",\n \"description\": \"Matching condition for resource tags\"\n },\n \"allowedValues\": [\n \"All\",\n \"Any\"\n ],\n \"defaultValue\": \"Any\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmCheckUpdateWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Windows\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmCheckUpdateLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Linux\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmArcCheckUpdateWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Windows\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmArcCheckUpdateLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Linux\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#6": "{\n \"name\": \"Enforce-ALZ-Decomm\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce policies in the Decommissioned Landing Zone\",\n \"description\": \"Enforce policies in the Decommissioned Landing Zone.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Decommissioned\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [ \n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"listOfResourceTypesAllowed\":{\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"displayName\": \"Allowed resource types in the Decommissioned landing zone\",\n \"description\": \"Allowed resource types in the Decommissioned landing zone, default is none.\",\n \"strongType\": \"resourceTypes\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DecomDenyResources\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"listOfResourceTypesAllowed\": {\n \"value\": \"[[parameters('listOfResourceTypesAllowed')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DecomShutdownMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {},\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n }\n ", + "$fxv#7": "{\n \"name\": \"Enforce-ALZ-Sandbox\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce policies in the Sandbox Landing Zone\",\n \"description\": \"Enforce policies in the Sandbox Landing Zone.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Sandbox\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"listOfResourceTypesNotAllowed\": {\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"displayName\": \"Not allowed resource types in the Sandbox landing zone\",\n \"description\": \"Not allowed resource types in the Sandbox landing zone, default is none.\",\n \"strongType\": \"resourceTypes\"\n }\n },\n \"effectNotAllowedResources\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectDenyVnetPeering\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"SandboxNotAllowed\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectNotAllowedResources')]\"\n },\n \"listOfResourceTypesNotAllowed\": {\n \"value\": \"[[parameters('listOfResourceTypesNotAllowed')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SandboxDenyVnetPeering\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-VNET-Peer-Cross-Sub\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectDenyVnetPeering')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#8": "{\n \"name\": \"DenyAction-DeleteProtection\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"DenyAction Delete - Activity Log Settings and Diagnostic Settings\",\n \"description\": \"Enforces DenyAction - Delete on Activity Log Settings and Diagnostic Settings.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {},\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DenyActionDelete-DiagnosticSettings\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-DiagnosticLogs\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DenyActionDelete-ActivityLogSettings\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-ActivityLogs\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {},\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#9": "{\n \"name\": \"Deploy-AUM-CheckUpdates\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure periodic checking for missing system updates on azure virtual machines and Arc-enabled virtual machines\",\n \"description\": \"Configure auto-assessment (every 24 hours) for OS updates. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"assessmentMode\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Assessment mode\",\n \"description\": \"Assessment mode for the machines.\"\n },\n \"allowedValues\": [\n \"ImageDefault\",\n \"AutomaticByPlatform\"\n ],\n \"defaultValue\": \"AutomaticByPlatform\"\n },\n \"locations\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Machines locations\",\n \"description\": \"The list of locations from which machines need to be targeted.\",\n \"strongType\": \"location\"\n },\n \"defaultValue\": []\n },\n \"tagValues\": {\n \"type\": \"Object\",\n \"metadata\": {\n \"displayName\": \"Tags on machines\",\n \"description\": \"The list of tags that need to matched for getting target machines.\"\n },\n \"defaultValue\": {}\n },\n \"tagOperator\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Tag operator\",\n \"description\": \"Matching condition for resource tags\"\n },\n \"allowedValues\": [\n \"All\",\n \"Any\"\n ],\n \"defaultValue\": \"Any\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmCheckUpdateWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15\",\n \"definitionVersion\": \"4.*.*\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Windows\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmCheckUpdateLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15\",\n \"definitionVersion\": \"4.*.*\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Linux\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmArcCheckUpdateWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Windows\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmArcCheckUpdateLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Linux\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "cloudEnv": "[environment().name]", "defaultDeploymentLocationByCloudType": { "AzureCloud": "northeurope", diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/policies.json b/eslzArm/managementGroupTemplates/policyDefinitions/policies.json index cb10857da3..234ae14a6f 100644 --- a/eslzArm/managementGroupTemplates/policyDefinitions/policies.json +++ b/eslzArm/managementGroupTemplates/policyDefinitions/policies.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.31.92.45157", - "templateHash": "15835468158012758308" + "version": "0.31.34.60546", + "templateHash": "17509495146756258439" } }, "parameters": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Audit-TrustedLaunch.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Audit-TrustedLaunch.json index 324ce38f97..12d199c95a 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Audit-TrustedLaunch.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Audit-TrustedLaunch.json @@ -8,7 +8,7 @@ "displayName": "Audit virtual machines for Trusted Launch support", "description": "Trusted Launch improves security of a Virtual Machine which requires VM SKU, OS Disk & OS Image to support it (Gen 2). To learn more about Trusted Launch, visit https://aka.ms/trustedlaunch.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Trusted Launch", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -36,6 +36,7 @@ { "policyDefinitionReferenceId": "AuditDisksOsTrustedLaunch", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b03bb370-5249-4ea4-9fce-2552e87e45fa", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('effect')]" @@ -46,6 +47,7 @@ { "policyDefinitionReferenceId": "AuditTrustedLaunchEnabled", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c95b54ad-0614-4633-ab29-104b01235cbf", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('effect')]" diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Audit-UnusedResourcesCostOptimization.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Audit-UnusedResourcesCostOptimization.json index 3c4c556a1a..1490d20e1a 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Audit-UnusedResourcesCostOptimization.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Audit-UnusedResourcesCostOptimization.json @@ -8,7 +8,7 @@ "displayName": "Unused resources driving cost should be avoided", "description": "Optimize cost by detecting unused but chargeable resources. Leverage this Azure Policy Initiative as a cost control tool to reveal orphaned resources that are contributing cost.", "metadata": { - "version": "2.0.0", + "version": "2.1.0", "category": "Cost Optimization", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -59,6 +59,7 @@ { "policyDefinitionReferenceId": "AuditDisksUnusedResourcesCostOptimization", "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-Disks-UnusedResourcesCostOptimization", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('effectDisks')]" @@ -69,6 +70,7 @@ { "policyDefinitionReferenceId": "AuditPublicIpAddressesUnusedResourcesCostOptimization", "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-PublicIpAddresses-UnusedResourcesCostOptimization", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('effectPublicIpAddresses')]" @@ -79,6 +81,7 @@ { "policyDefinitionReferenceId": "AuditServerFarmsUnusedResourcesCostOptimization", "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-ServerFarms-UnusedResourcesCostOptimization", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('effectServerFarms')]" @@ -89,6 +92,7 @@ { "policyDefinitionReferenceId": "AuditAzureHybridBenefitUnusedResourcesCostOptimization", "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-AzureHybridBenefit", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "Audit" diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.json index 6ce59a69ee..50db605deb 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.json @@ -8,7 +8,7 @@ "displayName": "Public network access should be disabled for PaaS services", "description": "This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints", "metadata": { - "version": "5.1.0", + "version": "5.2.0", "category": "Network", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -520,6 +520,7 @@ { "policyDefinitionReferenceId": "CosmosDenyPaasPublicIP", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('CosmosPublicIpDenyEffect')]" @@ -530,6 +531,7 @@ { "policyDefinitionReferenceId": "KeyVaultDenyPaasPublicIP", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/405c5871-3e91-4644-8a63-58e19d68ff5b", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('KeyVaultPublicIpDenyEffect')]" @@ -540,6 +542,7 @@ { "policyDefinitionReferenceId": "SqlServerDenyPaasPublicIP", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('SqlServerPublicIpDenyEffect')]" @@ -550,6 +553,7 @@ { "policyDefinitionReferenceId": "StorageDenyPaasPublicIP", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b2982f36-99f2-4db5-8eff-283140c09693", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('StoragePublicIpDenyEffect')]" @@ -560,6 +564,7 @@ { "policyDefinitionReferenceId": "AKSDenyPaasPublicIP", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('AKSPublicIpDenyEffect')]" @@ -570,6 +575,7 @@ { "policyDefinitionReferenceId": "ACRDenyPaasPublicIP", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('ACRPublicIpDenyEffect')]" @@ -580,6 +586,7 @@ { "policyDefinitionReferenceId": "AFSDenyPaasPublicIP", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('AFSPublicIpDenyEffect')]" @@ -590,6 +597,7 @@ { "policyDefinitionReferenceId": "PostgreSQLFlexDenyPublicIP", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48", + "definitionVersion": "3.*.*", "parameters": { "effect": { "value": "[[parameters('PostgreSQLFlexPublicIpDenyEffect')]" @@ -600,6 +608,7 @@ { "policyDefinitionReferenceId": "Deny-PostgreSql-Public-Network-Access", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b52376f7-9612-48a1-81cd-1ffe4b61032c", + "definitionVersion": "2.*.*", "groupNames": [], "parameters": { "effect": { @@ -610,6 +619,7 @@ { "policyDefinitionReferenceId": "MySQLFlexDenyPublicIP", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052", + "definitionVersion": "2.*.*", "parameters": { "effect": { "value": "[[parameters('MySQLFlexPublicIpDenyEffect')]" @@ -620,6 +630,7 @@ { "policyDefinitionReferenceId": "BatchDenyPublicIP", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('BatchPublicIpDenyEffect')]" @@ -630,6 +641,7 @@ { "policyDefinitionReferenceId": "MariaDbDenyPublicIP", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077", + "definitionVersion": "2.*.*", "parameters": { "effect": { "value": "[[parameters('MariaDbPublicIpDenyEffect')]" @@ -640,6 +652,7 @@ { "policyDefinitionReferenceId": "MlDenyPublicIP", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/438c38d2-3772-465a-a9cc-7a6666a275ce", + "definitionVersion": "2.*.*", "parameters": { "effect": { "value": "[[parameters('MlPublicIpDenyEffect')]" @@ -650,6 +663,7 @@ { "policyDefinitionReferenceId": "RedisCacheDenyPublicIP", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/470baccb-7e51-4549-8b1a-3e5be069f663", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('RedisCachePublicIpDenyEffect')]" @@ -660,6 +674,7 @@ { "policyDefinitionReferenceId": "BotServiceDenyPublicIP", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5e8168db-69e3-4beb-9822-57cb59202a9d", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('BotServicePublicIpDenyEffect')]" @@ -670,6 +685,7 @@ { "policyDefinitionReferenceId": "AutomationDenyPublicIP", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/955a914f-bf86-4f0e-acd5-e0766b0efcb6", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('AutomationPublicIpDenyEffect')]" @@ -680,6 +696,7 @@ { "policyDefinitionReferenceId": "AppConfigDenyPublicIP", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3d9f5e4c-9947-4579-9539-2a7695fbc187", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('AppConfigPublicIpDenyEffect')]" @@ -690,6 +707,7 @@ { "policyDefinitionReferenceId": "FunctionDenyPublicIP", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/969ac98b-88a8-449f-883c-2e9adb123127", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('FunctionPublicIpDenyEffect')]" @@ -700,6 +718,7 @@ { "policyDefinitionReferenceId": "FunctionAppSlotsDenyPublicIP", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/11c82d0c-db9f-4d7b-97c5-f3f9aa957da2", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('FunctionAppSlotPublicIpDenyEffect')]" @@ -710,6 +729,7 @@ { "policyDefinitionReferenceId": "AseDenyPublicIP", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2d048aca-6479-4923-88f5-e2ac295d9af3", + "definitionVersion": "3.*.*", "parameters": { "effect": { "value": "[[parameters('AsePublicIpDenyEffect')]" @@ -720,6 +740,7 @@ { "policyDefinitionReferenceId": "AsDenyPublicIP", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b5ef780-c53c-4a64-87f3-bb9c8c8094ba", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('AsPublicIpDenyEffect')]" @@ -730,6 +751,7 @@ { "policyDefinitionReferenceId": "ApiManDenyPublicIP", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/df73bd95-24da-4a4f-96b9-4e8b94b402bd", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('ApiManPublicIpDenyEffect')]" @@ -740,6 +762,7 @@ { "policyDefinitionReferenceId": "ContainerAppsEnvironmentDenyPublicIP", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d074ddf8-01a5-4b5e-a2b8-964aed452c0a", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('ContainerAppsEnvironmentDenyEffect')]" @@ -750,6 +773,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/783ea2a8-b8fd-46be-896a-9ae79643a0b1", "policyDefinitionReferenceId": "Deny-ContainerApps-Public-Network-Access", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -760,6 +784,7 @@ { "policyDefinitionReferenceId": "AsrVaultDenyPublicIP", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9ebbbba3-4d65-4da9-bb67-b22cfaaff090", + "definitionVersion": "1.*.*-preview", "parameters": { "effect": { "value": "[[parameters('AsrVaultDenyEffect')]" @@ -770,6 +795,7 @@ { "policyDefinitionReferenceId": "Deny-LogicApp-Public-Network-Access", "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApp-Public-Network", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -780,6 +806,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/701a595d-38fb-4a66-ae6d-fb3735217622", "policyDefinitionReferenceId": "Deny-AppSlots-Public", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -790,6 +817,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ee980b6d-0eca-4501-8d54-f6290fd512c3", "policyDefinitionReferenceId": "Deny-CognitiveSearch-PublicEndpoint", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -800,6 +828,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8405fdab-1faf-48aa-b702-999c9c172094", "policyDefinitionReferenceId": "Deny-ManagedDisk-Public-Network-Access", + "definitionVersion": "2.*.*", "groupNames": [], "parameters": { "effect": { @@ -810,6 +839,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/43bc7be6-5e69-4b0d-a2bb-e815557ca673", "policyDefinitionReferenceId": "Deny-ADX-Public-Network-Access", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -820,6 +850,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1cf164be-6819-4a50-b8fa-4bcaa4f98fb6", "policyDefinitionReferenceId": "Deny-Adf-Public-Network-Access", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -830,6 +861,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f8f774be-6aee-492a-9e29-486ef81f3a68", "policyDefinitionReferenceId": "Deny-EventGrid-Public-Network-Access", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -840,6 +872,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1adadefe-5f21-44f7-b931-a59b54ccdb45", "policyDefinitionReferenceId": "Deny-EventGrid-Topic-Public-Network-Access", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -850,6 +883,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0602787f-9896-402a-a6e1-39ee63ee435e", "policyDefinitionReferenceId": "Deny-EH-Public-Network-Access", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -860,6 +894,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/19ea9d63-adee-4431-a95e-1913c6c1c75f", "policyDefinitionReferenceId": "Deny-KV-Hms-PublicNetwork", + "definitionVersion": "1.*.*-preview", "groupNames": [], "parameters": { "effect": { @@ -870,6 +905,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d9844e8a-1437-4aeb-a32c-0c992f056095", "policyDefinitionReferenceId": "Deny-MySql-Public-Network-Access", + "definitionVersion": "2.*.*", "groupNames": [], "parameters": { "effect": { @@ -880,6 +916,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca", "policyDefinitionReferenceId": "Deny-Cognitive-Services-Public-Network-Access", + "definitionVersion": "3.*.*", "groupNames": [], "parameters": { "effect": { @@ -890,6 +927,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3", "policyDefinitionReferenceId": "Deny-Cognitive-Services-Network-Access", + "definitionVersion": "3.*.*", "groupNames": [], "parameters": { "effect": { @@ -900,6 +938,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cbd11fd3-3002-4907-b6c8-579f0e700e13", "policyDefinitionReferenceId": "Deny-Sb-PublicEndpoint", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -910,6 +949,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9dfea752-dd46-4766-aed1-c355fa93fb91", "policyDefinitionReferenceId": "Deny-Sql-Managed-Public-Endpoint", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -920,6 +960,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751", "policyDefinitionReferenceId": "Deny-Storage-Public-Access", + "definitionVersion": "3.*.*-preview", "groupNames": [], "parameters": { "effect": { @@ -930,6 +971,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/38d8df46-cf4e-4073-8e03-48c24b29de0d", "policyDefinitionReferenceId": "Deny-Synapse-Public-Network-Access", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -940,6 +982,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/87ac3038-c07a-4b92-860d-29e270a4f3cd", "policyDefinitionReferenceId": "Deny-Workspace-PublicNetworkAccess", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -950,6 +993,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c25dcf31-878f-4eba-98eb-0818fdc6a334", "policyDefinitionReferenceId": "Deny-Hostpool-PublicNetworkAccess", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -960,6 +1004,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e8775d5a-73b7-4977-a39b-833ef0114628", "policyDefinitionReferenceId": "Deny-Grafana-PublicNetworkAccess", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/DenyAction-DeleteProtection.json b/src/resources/Microsoft.Authorization/policySetDefinitions/DenyAction-DeleteProtection.json index 5bd4ca7e1b..bba71fab16 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/DenyAction-DeleteProtection.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/DenyAction-DeleteProtection.json @@ -8,7 +8,7 @@ "displayName": "DenyAction Delete - Activity Log Settings and Diagnostic Settings", "description": "Enforces DenyAction - Delete on Activity Log Settings and Diagnostic Settings.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Monitoring", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -22,12 +22,14 @@ { "policyDefinitionReferenceId": "DenyActionDelete-DiagnosticSettings", "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-DiagnosticLogs", + "definitionVersion": "1.*.*", "parameters": {}, "groupNames": [] }, { "policyDefinitionReferenceId": "DenyActionDelete-ActivityLogSettings", "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-ActivityLogs", + "definitionVersion": "1.*.*", "parameters": {}, "groupNames": [] } diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-AUM-CheckUpdates.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-AUM-CheckUpdates.json index 21d11434e9..d0d228dd31 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-AUM-CheckUpdates.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-AUM-CheckUpdates.json @@ -8,7 +8,7 @@ "displayName": "Configure periodic checking for missing system updates on azure virtual machines and Arc-enabled virtual machines", "description": "Configure auto-assessment (every 24 hours) for OS updates. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Security Center", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -62,6 +62,7 @@ { "policyDefinitionReferenceId": "azureUpdateManagerVmCheckUpdateWindows", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15", + "definitionVersion": "4.*.*", "parameters": { "assessmentMode": { "value": "[[parameters('assessmentMode')]" @@ -84,6 +85,7 @@ { "policyDefinitionReferenceId": "azureUpdateManagerVmCheckUpdateLinux", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15", + "definitionVersion": "4.*.*", "parameters": { "assessmentMode": { "value": "[[parameters('assessmentMode')]" @@ -106,6 +108,7 @@ { "policyDefinitionReferenceId": "azureUpdateManagerVmArcCheckUpdateWindows", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46", + "definitionVersion": "2.*.*", "parameters": { "assessmentMode": { "value": "[[parameters('assessmentMode')]" @@ -128,6 +131,7 @@ { "policyDefinitionReferenceId": "azureUpdateManagerVmArcCheckUpdateLinux", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46", + "definitionVersion": "2.*.*", "parameters": { "assessmentMode": { "value": "[[parameters('assessmentMode')]" diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config_20240319.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config_20240319.json index d87b4d22e8..e41c91ec44 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config_20240319.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config_20240319.json @@ -8,7 +8,7 @@ "displayName": "Deploy Microsoft Defender for Cloud configuration", "description": "Deploy Microsoft Defender for Cloud configuration", "metadata": { - "version": "2.1.0", + "version": "2.2.0", "category": "Security Center", "source": "https://github.com/Azure/Enterprise-Scale/", "replacesPolicy": "Deploy-MDFC-Config", @@ -226,12 +226,25 @@ "displayName": "Effect", "description": "Enable or disable the execution of the policy" } + }, + "enableTvmCheck": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } } }, "policyDefinitions": [ { "policyDefinitionReferenceId": "defenderForOssDb", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('enableAscForOssDb')]" @@ -242,6 +255,7 @@ { "policyDefinitionReferenceId": "defenderForVM", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('enableAscForServers')]" @@ -252,6 +266,7 @@ { "policyDefinitionReferenceId": "defenderForVMVulnerabilityAssessment", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b", + "definitionVersion": "4.*.*", "parameters": { "effect": { "value": "[[parameters('enableAscForServersVulnerabilityAssessments')]" @@ -265,6 +280,7 @@ { "policyDefinitionReferenceId": "defenderForSqlServerVirtualMachines", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('enableAscForSqlOnVm')]" @@ -275,6 +291,7 @@ { "policyDefinitionReferenceId": "defenderForAppServices", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('enableAscForAppServices')]" @@ -285,6 +302,7 @@ { "policyDefinitionReferenceId": "defenderForStorageAccountsV2", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('enableAscForStorage')]" @@ -295,6 +313,7 @@ { "policyDefinitionReferenceId": "defenderforContainers", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('enableAscForContainers')]" @@ -305,6 +324,7 @@ { "policyDefinitionReferenceId": "defenderforKubernetes", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5", + "definitionVersion": "4.*.*", "parameters": { "effect": { "value": "[[parameters('enableAscForContainers')]" @@ -318,6 +338,7 @@ { "policyDefinitionReferenceId": "azurePolicyForKubernetes", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7", + "definitionVersion": "4.*.*", "parameters": { "effect": { "value": "[[parameters('enableAscForContainers')]" @@ -328,6 +349,7 @@ { "policyDefinitionReferenceId": "defenderForKeyVaults", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('enableAscForKeyVault')]" @@ -338,6 +360,7 @@ { "policyDefinitionReferenceId": "defenderForArm", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('enableAscForArm')]" @@ -348,6 +371,7 @@ { "policyDefinitionReferenceId": "defenderForSqlPaas", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('enableAscForSql')]" @@ -358,6 +382,7 @@ { "policyDefinitionReferenceId": "defenderForCosmosDbs", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('enableAscForCosmosDbs')]" @@ -368,6 +393,7 @@ { "policyDefinitionReferenceId": "defenderForCspm", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/72f8cee7-2937-403d-84a1-a4e3e57f3c21", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('enableAscForCspm')]" @@ -378,6 +404,7 @@ { "policyDefinitionReferenceId": "securityEmailContact", "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts", + "definitionVersion": "1.*.*", "parameters": { "emailSecurityContact": { "value": "[[parameters('emailSecurityContact')]" @@ -391,6 +418,7 @@ { "policyDefinitionReferenceId": "ascExport", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9", + "definitionVersion": "4.*.*", "parameters": { "resourceGroupName": { "value": "[[parameters('ascExportResourceGroupName')]" @@ -411,6 +439,9 @@ "policyDefinitionReferenceId": "migrateToMdeTvm", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/766e621d-ba95-4e43-a6f2-e945db3d7888", "parameters": { + "effect": { + "value": "[[parameters('enableTvmCheck')]" + } }, "groupNames": [] } diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.json index fc604744c4..3cef615d12 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.json @@ -8,7 +8,7 @@ "displayName": "Configure Azure PaaS services to use private DNS zones", "description": "This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones", "metadata": { - "version": "2.3.0", + "version": "2.4.0", "category": "Network", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -826,6 +826,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-File-Sync", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureFilePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureFilePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -839,6 +840,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Automation-Webhook", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAutomationWebhookPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAutomationWebhookPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -855,6 +857,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Automation-DSCHybrid", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAutomationDSCHybridPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAutomationDSCHybridPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -871,6 +874,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Cosmos-SQL", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f", + "definitionVersion": "2.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCosmosSQLPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCosmosSQLPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -887,6 +891,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Cosmos-MongoDB", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f", + "definitionVersion": "2.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCosmosMongoPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCosmosMongoPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -903,6 +908,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Cosmos-Cassandra", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f", + "definitionVersion": "2.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCosmosCassandraPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCosmosCassandraPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -919,6 +925,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Cosmos-Gremlin", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f", + "definitionVersion": "2.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCosmosGremlinPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCosmosGremlinPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -935,6 +942,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Cosmos-Table", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f", + "definitionVersion": "2.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCosmosTablePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCosmosTablePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -951,6 +959,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-DataFactory", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureDataFactoryPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureDataFactoryPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -969,6 +978,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-DataFactory-Portal", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureDataFactoryPortalPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureDataFactoryPortalPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -987,6 +997,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Databricks-UI-Api", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureDatabricksPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureDatabricksPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1003,6 +1014,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Databricks-Browser-AuthN", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureDatabricksPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureDatabricksPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1019,6 +1031,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-HDInsight", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/43d6e3bd-fc6a-4b44-8b4d-2151d8736a11", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureHDInsightPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureHDInsightPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1035,6 +1048,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Migrate", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7590a335-57cf-4c95-babd-ecbc8fafeb1f", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMigratePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMigratePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1048,6 +1062,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-Blob", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/75973700-529f-4de2-b794-fb9b6781b6b0", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageBlobPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageBlobPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1061,6 +1076,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-Blob-Sec", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d847d34b-9337-4e2d-99a5-767e5ac9c582", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageBlobSecPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageBlobSecPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1074,6 +1090,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-Queue", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bcff79fb-2b0d-47c9-97e5-3023479b00d1", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageQueuePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageQueuePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1087,6 +1104,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-Queue-Sec", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageQueueSecPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageQueueSecPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1100,6 +1118,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-File", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6df98d03-368a-4438-8730-a93c4d7693d6", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageFilePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageFilePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1113,6 +1132,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-StaticWeb", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9adab2a5-05ba-4fbd-831a-5bf958d04218", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageStaticWebPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageStaticWebPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1126,6 +1146,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-StaticWeb-Sec", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d19ae5f1-b303-4b82-9ca8-7682749faf0c", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageStaticWebSecPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageStaticWebSecPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1139,6 +1160,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-DFS", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83c6fe0f-2316-444a-99a1-1ecd8a7872ca", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageDFSPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageDFSPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1152,6 +1174,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-DFS-Sec", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/90bd4cb3-9f59-45f7-a6ca-f69db2726671", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageDFSSecPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageDFSSecPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1165,6 +1188,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Synapse-SQL", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9", + "definitionVersion": "2.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSynapseSQLPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSynapseSQLPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1181,6 +1205,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Synapse-SQL-OnDemand", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9", + "definitionVersion": "2.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSynapseSQLODPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSynapseSQLODPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1197,6 +1222,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Synapse-Dev", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9", + "definitionVersion": "2.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSynapseDevPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSynapseDevPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1213,6 +1239,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-MediaServices-Key", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMediaServicesKeyPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMediaServicesKeyPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1229,6 +1256,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-MediaServices-Live", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMediaServicesLivePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMediaServicesLivePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1245,6 +1273,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-MediaServices-Stream", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMediaServicesStreamPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMediaServicesStreamPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1261,6 +1290,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Monitor", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/437914ee-c176-4fff-8986-7e05eb971365", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId1": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMonitorPrivateDnsZoneId1'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMonitorPrivateDnsZoneId1, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1286,6 +1316,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Web", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureWebPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureWebPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1299,6 +1330,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Batch", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureBatchPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureBatchPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1312,6 +1344,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-App", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAppPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAppPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1325,6 +1358,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Site-Recovery", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2", + "definitionVersion": "1.*.*-preview", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAsrPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAsrPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1338,6 +1372,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-IoT", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureIotPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureIotPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1351,6 +1386,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-KeyVault", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureKeyVaultPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureKeyVaultPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1364,6 +1400,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-SignalR", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSignalRPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSignalRPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1377,6 +1414,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-AppServices", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAppServicesPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAppServicesPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1390,6 +1428,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-EventGridTopics", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureEventGridTopicsPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureEventGridTopicsPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1403,6 +1442,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-DiskAccess", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureDiskAccessPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureDiskAccessPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1416,6 +1456,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-CognitiveServices", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCognitiveServicesPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCognitiveServicesPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1429,6 +1470,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-IoTHubs", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureIotHubsPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureIotHubsPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1442,6 +1484,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-EventGridDomains", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureEventGridDomainsPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureEventGridDomainsPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1455,6 +1498,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-RedisCache", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureRedisCachePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureRedisCachePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1468,6 +1512,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-ACR", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAcrPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAcrPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1481,6 +1526,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-EventHubNamespace", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureEventHubNamespacePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureEventHubNamespacePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1494,6 +1540,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-MachineLearningWorkspace", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMachineLearningWorkspacePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMachineLearningWorkspacePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1510,6 +1557,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-ServiceBusNamespace", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureServiceBusNamespacePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureServiceBusNamespacePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1523,6 +1571,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-CognitiveSearch", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCognitiveSearchPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCognitiveSearchPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1536,6 +1585,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-BotService", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6a4e6f44-f2af-4082-9702-033c9e88b9f8", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureBotServicePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureBotServicePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1548,6 +1598,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-ManagedGrafanaWorkspace", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4c8537f8-cd1b-49ec-b704-18e82a42fd58", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureManagedGrafanaWorkspacePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureManagedGrafanaWorkspacePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1560,6 +1611,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-VirtualDesktopHostpool", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9427df23-0f42-4e1e-bf99-a6133d841c4a", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureVirtualDesktopHostpoolPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureVirtualDesktopHostpoolPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1575,6 +1627,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-VirtualDesktopWorkspace", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34804460-d88b-4922-a7ca-537165e060ed", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureVirtualDesktopWorkspacePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureVirtualDesktopWorkspacePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1590,6 +1643,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-IoTDeviceupdate", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a222b93a-e6c2-4c01-817f-21e092455b2a", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureIotDeviceupdatePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureIotDeviceupdatePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1602,6 +1656,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Arc", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/55c4db33-97b0-437b-8469-c4f4498f5df9", + "definitionVersion": "1.*.*", "parameters":{ "privateDnsZoneIDForGuestConfiguration": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureArcGuestconfigurationPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureArcGuestconfigurationPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1620,6 +1675,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-IoTCentral", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d627d7c6-ded5-481a-8f2e-7e16b1e6faf6", + "definitionVersion": "1.*.*", "parameters":{ "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureIotCentralPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureIotCentralPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1632,6 +1688,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-Table", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/028bbd88-e9b5-461f-9424-a1b63a7bee1a", + "definitionVersion": "1.*.*", "parameters":{ "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageTablePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageTablePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1644,6 +1701,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-Table-Secondary", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c1d634a5-f73d-4cdd-889f-2cc7006eb47f", + "definitionVersion": "1.*.*", "parameters":{ "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageTableSecondaryPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageTableSecondaryPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1656,6 +1714,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Site-Recovery-Backup", "policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/af783da1-4ad1-42be-800d-d19c70038820", + "definitionVersion": "1.*.*-preview", "parameters":{ "privateDnsZone-Backup": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSiteRecoveryBackupPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSiteRecoveryBackupPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Sql-Security_20240529.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Sql-Security_20240529.json index 1d25ba58c3..4b27561c57 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Sql-Security_20240529.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Sql-Security_20240529.json @@ -8,7 +8,7 @@ "displayName": "Deploy SQL Database built-in SQL security configuration", "description": "Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "SQL", "source": "https://github.com/Azure/Enterprise-Scale/", "replacesPolicy": "Deploy-Sql-Security", @@ -86,6 +86,7 @@ { "policyDefinitionReferenceId": "SqlDbTdeDeploySqlSecurity", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f", + "definitionVersion": "2.*.*", "parameters": { "effect": { "value": "[[parameters('SqlDbTdeDeploySqlSecurityEffect')]" @@ -96,6 +97,7 @@ { "policyDefinitionReferenceId": "SqlDbSecurityAlertPoliciesDeploySqlSecurity", "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect')]" @@ -106,6 +108,7 @@ { "policyDefinitionReferenceId": "SqlDbAuditingSettingsDeploySqlSecurity", "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('SqlDbAuditingSettingsDeploySqlSecurityEffect')]" @@ -116,6 +119,7 @@ { "policyDefinitionReferenceId": "SqlDbVulnerabilityAssessmentsDeploySqlSecurity", "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments_20230706", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect')]" diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-ACSB.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-ACSB.json index 5b87ebf75d..8d3406614b 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-ACSB.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-ACSB.json @@ -8,7 +8,7 @@ "displayName": "Enforce Azure Compute Security Benchmark compliance auditing", "description": "Enforce Azure Compute Security Benchmark compliance auditing for Windows and Linux virtual machines.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Guest Configuration", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -45,24 +45,28 @@ { "policyDefinitionReferenceId": "GcIdentity", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e", + "definitionVersion": "4.*.*", "parameters": {}, "groupNames": [] }, { "policyDefinitionReferenceId": "GcLinux", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da", + "definitionVersion": "3.*.*", "parameters": {}, "groupNames": [] }, { "policyDefinitionReferenceId": "GcWindows", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6", + "definitionVersion": "1.*.*", "parameters": {}, "groupNames": [] }, { "policyDefinitionReferenceId": "WinAcsb", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc", + "definitionVersion": "2.*.*", "parameters": { "effect": { "value": "[[parameters('effect')]" @@ -76,6 +80,7 @@ { "policyDefinitionReferenceId": "LinAcsb", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd", + "definitionVersion": "2.*.*", "parameters": { "effect": { "value": "[[parameters('effect')]" diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Decomm.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Decomm.json index a2eaa786d5..536bda1e22 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Decomm.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Decomm.json @@ -8,7 +8,7 @@ "displayName": "Enforce policies in the Decommissioned Landing Zone", "description": "Enforce policies in the Decommissioned Landing Zone.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Decommissioned", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -32,6 +32,7 @@ { "policyDefinitionReferenceId": "DecomDenyResources", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c", + "definitionVersion": "1.*.*", "parameters": { "listOfResourceTypesAllowed": { "value": "[[parameters('listOfResourceTypesAllowed')]" @@ -42,6 +43,7 @@ { "policyDefinitionReferenceId": "DecomShutdownMachines", "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown", + "definitionVersion": "1.*.*", "parameters": {}, "groupNames": [] } diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Sandbox.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Sandbox.json index 93b5098aad..56df9b97ac 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Sandbox.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Sandbox.json @@ -8,7 +8,7 @@ "displayName": "Enforce policies in the Sandbox Landing Zone", "description": "Enforce policies in the Sandbox Landing Zone.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Sandbox", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -58,6 +58,7 @@ { "policyDefinitionReferenceId": "SandboxNotAllowed", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749", + "definitionVersion": "2.*.*", "parameters": { "effect": { "value": "[[parameters('effectNotAllowedResources')]" @@ -71,6 +72,7 @@ { "policyDefinitionReferenceId": "SandboxDenyVnetPeering", "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-VNET-Peer-Cross-Sub", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('effectDenyVnetPeering')]" diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Backup.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Backup.json index 172ccc7467..3c4c40a709 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Backup.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Backup.json @@ -8,7 +8,7 @@ "displayName": "Enforce enhanced recovery and backup policies", "description": "Enforce enhanced recovery and backup policies on assigned scopes.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Backup", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -60,6 +60,7 @@ { "policyDefinitionReferenceId": "BackupBVault-Immutability", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2514263b-bc0d-4b06-ac3e-f262c0979018", + "definitionVersion": "1.*.*-preview", "parameters": { "effect": { "value": "[[parameters('effect')]" @@ -73,6 +74,7 @@ { "policyDefinitionReferenceId": "BackupRVault-Immutability", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d6f6f560-14b7-49a4-9fc8-d2c3a9807868", + "definitionVersion": "1.*.*-preview", "parameters": { "effect": { "value": "[[parameters('effect')]" @@ -86,6 +88,7 @@ { "policyDefinitionReferenceId": "BackupBVault-SoftDelete", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9798d31d-6028-4dee-8643-46102185c016", + "definitionVersion": "1.*.*-preview", "parameters": { "effect": { "value": "[[parameters('effect')]" @@ -99,6 +102,7 @@ { "policyDefinitionReferenceId": "BackupRVault-SoftDelete", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/31b8092a-36b8-434b-9af7-5ec844364148", + "definitionVersion": "1.*.*-preview", "parameters": { "effect": { "value": "[[parameters('effect')]" @@ -112,6 +116,7 @@ { "policyDefinitionReferenceId": "BackupBVault-MUA", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c58e083e-7982-4e24-afdc-be14d312389e", + "definitionVersion": "1.*.*-preview", "parameters": { "effect": { "value": "[[parameters('effect')]" @@ -122,6 +127,7 @@ { "policyDefinitionReferenceId": "BackupRVault-MUA", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c7031eab-0fc0-4cd9-acd0-4497bd66d91a", + "definitionVersion": "1.*.*-preview", "parameters": { "effect": { "value": "[[parameters('effect')]" diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509.json index b25cb45075..e9a9a8af65 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509.json @@ -8,7 +8,7 @@ "displayName": "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit", "description": "Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. ", "metadata": { - "version": "1.1.0", + "version": "1.2.0", "category": "Encryption", "source": "https://github.com/Azure/Enterprise-Scale/", "replacesPolicy": "Enforce-EncryptTransit", @@ -519,6 +519,7 @@ { "policyDefinitionReferenceId": "AppServiceHttpEffect", "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('AppServiceHttpEffect')]" @@ -529,6 +530,7 @@ { "policyDefinitionReferenceId": "AppServiceminTlsVersion", "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('AppServiceTlsVersionEffect')]" @@ -542,6 +544,7 @@ { "policyDefinitionReferenceId": "FunctionLatestTlsEffect", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193", + "definitionVersion": "2.*.*", "parameters": { "effect": { "value": "[[parameters('FunctionLatestTlsEffect')]" @@ -552,6 +555,7 @@ { "policyDefinitionReferenceId": "WebAppServiceLatestTlsEffect", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b", + "definitionVersion": "2.*.*", "parameters": { "effect": { "value": "[[parameters('WebAppServiceLatestTlsEffect')]" @@ -562,6 +566,7 @@ { "policyDefinitionReferenceId": "APIAppServiceHttpsEffect", "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('APIAppServiceHttpsEffect')]" @@ -572,6 +577,7 @@ { "policyDefinitionReferenceId": "FunctionServiceHttpsEffect", "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('FunctionServiceHttpsEffect')]" @@ -582,6 +588,7 @@ { "policyDefinitionReferenceId": "WebAppServiceHttpsEffect", "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('WebAppServiceHttpsEffect')]" @@ -592,6 +599,7 @@ { "policyDefinitionReferenceId": "AKSIngressHttpsOnlyEffect", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d", + "definitionVersion": "8.*.*", "parameters": { "effect": { "value": "[[parameters('AKSIngressHttpsOnlyEffect')]" @@ -602,6 +610,7 @@ { "policyDefinitionReferenceId": "MySQLEnableSSLDeployEffect", "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('MySQLEnableSSLDeployEffect')]" @@ -615,6 +624,7 @@ { "policyDefinitionReferenceId": "MySQLEnableSSLEffect", "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('MySQLEnableSSLEffect')]" @@ -628,6 +638,7 @@ { "policyDefinitionReferenceId": "PostgreSQLEnableSSLDeployEffect", "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('PostgreSQLEnableSSLDeployEffect')]" @@ -641,6 +652,7 @@ { "policyDefinitionReferenceId": "PostgreSQLEnableSSLEffect", "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('PostgreSQLEnableSSLEffect')]" @@ -654,6 +666,7 @@ { "policyDefinitionReferenceId": "RedisTLSDeployEffect", "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('RedisTLSDeployEffect')]" @@ -667,6 +680,7 @@ { "policyDefinitionReferenceId": "RedisdisableNonSslPort", "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('RedisTLSDeployEffect')]" @@ -677,6 +691,7 @@ { "policyDefinitionReferenceId": "RedisDenyhttps", "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('RedisTLSEffect')]" @@ -690,6 +705,7 @@ { "policyDefinitionReferenceId": "SQLManagedInstanceTLSDeployEffect", "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('SQLManagedInstanceTLSDeployEffect')]" @@ -703,6 +719,7 @@ { "policyDefinitionReferenceId": "SQLManagedInstanceTLSEffect", "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('SQLManagedInstanceTLSEffect')]" @@ -716,6 +733,7 @@ { "policyDefinitionReferenceId": "SQLServerTLSDeployEffect", "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('SQLServerTLSDeployEffect')]" @@ -729,6 +747,7 @@ { "policyDefinitionReferenceId": "SQLServerTLSEffect", "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('SQLServerTLSEffect')]" @@ -742,6 +761,7 @@ { "policyDefinitionReferenceId": "StorageDeployHttpsEnabledEffect", "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('StorageDeployHttpsEnabledEffect')]" @@ -755,6 +775,7 @@ { "policyDefinitionReferenceId": "ContainerAppsHttpsOnlyEffect", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('ContainerAppsHttpsOnlyEffect')]" @@ -765,6 +786,7 @@ { "policyDefinitionReferenceId": "Dine-FunctionApp-Tls", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -775,6 +797,7 @@ { "policyDefinitionReferenceId": "Deploy-LogicApp-TLS", "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -785,6 +808,7 @@ { "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https", "policyDefinitionReferenceId": "Deny-LogicApp-Without-Https", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -795,6 +819,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063", "policyDefinitionReferenceId": "Dine-Function-Apps-Slots-Tls", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -805,6 +830,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d", "policyDefinitionReferenceId": "Dine-AppService-Apps-Tls", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -815,6 +841,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d", "policyDefinitionReferenceId": "Deny-AppService-Apps-Https", + "definitionVersion": "4.*.*", "groupNames": [], "parameters": { "effect": { @@ -825,6 +852,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50", "policyDefinitionReferenceId": "Deny-AppService-Tls", + "definitionVersion": "2.*.*", "groupNames": [], "parameters": { "effect": { @@ -835,6 +863,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df", "policyDefinitionReferenceId": "DINE-AppService-AppSlotTls", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -845,6 +874,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71", "policyDefinitionReferenceId": "Deny-FuncAppSlots-Https", + "definitionVersion": "2.*.*", "groupNames": [], "parameters": { "effect": { @@ -855,6 +885,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab", "policyDefinitionReferenceId": "Deny-FunctionApp-Https", + "definitionVersion": "5.*.*", "groupNames": [], "parameters": { "effect": { @@ -865,6 +896,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc", "policyDefinitionReferenceId": "Deny-AppService-Slots-Https", + "definitionVersion": "2.*.*", "groupNames": [], "parameters": { "effect": { @@ -875,6 +907,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb", "policyDefinitionReferenceId": "Deny-ContainerApps-Https", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -885,6 +918,7 @@ { "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-minTLS", "policyDefinitionReferenceId": "Deny-EH-minTLS", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -895,6 +929,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a8793640-60f7-487c-b5c3-1d37215905c4", "policyDefinitionReferenceId": "Deny-Sql-Managed-Tls-Version", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -905,6 +940,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf", "policyDefinitionReferenceId": "Deny-Sql-Db-Tls", + "definitionVersion": "2.*.*", "groupNames": [], "parameters": { "effect": { @@ -915,6 +951,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0", "policyDefinitionReferenceId": "Deny-Storage-Tls", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -925,6 +962,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4", "policyDefinitionReferenceId": "Deny-Synapse-Tls-Version", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK.json index 537b995b24..03e5c702c1 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK.json @@ -8,7 +8,7 @@ "displayName": "Deny or Audit resources without Encryption with a customer-managed key (CMK)", "description": "Deny or Audit resources without Encryption with a customer-managed key (CMK)", "metadata": { - "version": "3.1.0", + "version": "3.2.0", "category": "Encryption", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -347,6 +347,7 @@ { "policyDefinitionReferenceId": "ACRCmkDeny", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('ACRCmkEffect')]" @@ -357,6 +358,7 @@ { "policyDefinitionReferenceId": "AksCmkDeny", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('AksCmkEffect')]" @@ -367,6 +369,7 @@ { "policyDefinitionReferenceId": "WorkspaceCMK", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('WorkspaceCMKEffect')]" @@ -377,6 +380,7 @@ { "policyDefinitionReferenceId": "CognitiveServicesCMK", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d", + "definitionVersion": "2.*.*", "parameters": { "effect": { "value": "[[parameters('CognitiveServicesCMKEffect')]" @@ -387,6 +391,7 @@ { "policyDefinitionReferenceId": "CosmosCMKEffect", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('CosmosCMKEffect')]" @@ -397,6 +402,7 @@ { "policyDefinitionReferenceId": "DataBoxCMKEffect", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('DataBoxCMKEffect')]" @@ -407,6 +413,7 @@ { "policyDefinitionReferenceId": "StreamAnalyticsCMKEffect", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('StreamAnalyticsCMKEffect')]" @@ -417,6 +424,7 @@ { "policyDefinitionReferenceId": "SynapseWorkspaceCMKEffect", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('SynapseWorkspaceCMKEffect')]" @@ -427,6 +435,7 @@ { "policyDefinitionReferenceId": "StorageCMKEffect", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('StorageCMKEffect')]" @@ -437,6 +446,7 @@ { "policyDefinitionReferenceId": "MySQLCMKEffect", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('MySQLCMKEffect')]" @@ -447,6 +457,7 @@ { "policyDefinitionReferenceId": "PostgreSQLCMKEffect", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('PostgreSQLCMKEffect')]" @@ -457,6 +468,7 @@ { "policyDefinitionReferenceId": "SqlServerTDECMKEffect", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8", + "definitionVersion": "2.*.*", "parameters": { "effect": { "value": "[[parameters('SqlServerTDECMKEffect')]" @@ -467,6 +479,7 @@ { "policyDefinitionReferenceId": "HealthcareAPIsCMKEffect", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('HealthcareAPIsCMKEffect')]" @@ -477,6 +490,7 @@ { "policyDefinitionReferenceId": "AzureBatchCMKEffect", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('AzureBatchCMKEffect')]" @@ -487,6 +501,7 @@ { "policyDefinitionReferenceId": "EncryptedVMDisksEffect", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d", + "definitionVersion": "2.*.*", "parameters": { "effect": { "value": "[[parameters('EncryptedVMDisksEffect')]" @@ -497,6 +512,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/56a5ee18-2ae6-4810-86f7-18e39ce5629b", "policyDefinitionReferenceId": "Deny-Aa-Cmk", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -507,6 +523,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2e94d99a-8a36-4563-bc77-810d8893b671", "policyDefinitionReferenceId": "Deny-Backup-Cmk", + "definitionVersion": "1.*.*-preview", "groupNames": [], "parameters": { "effect": { @@ -517,6 +534,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/76a56461-9dc0-40f0-82f5-2453283afa2f", "policyDefinitionReferenceId": "Deny-CognitiveSearch-Cmk", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -527,6 +545,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/702dd420-7fcc-42c5-afe8-4026edd20fe0", "policyDefinitionReferenceId": "Deny-OsAndDataDisk-Cmk", + "definitionVersion": "3.*.*", "groupNames": [], "parameters": { "effect": { @@ -537,6 +556,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0aa61e00-0a01-4a3c-9945-e93cffedf0e6", "policyDefinitionReferenceId": "Deny-ContainerInstance-Cmk", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -547,6 +567,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/81e74cea-30fd-40d5-802f-d72103c2aaaa", "policyDefinitionReferenceId": "Deny-ADX-Cmk", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -557,6 +578,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4ec52d6d-beb7-40c4-9a9e-fe753254690e", "policyDefinitionReferenceId": "Deny-Adf-Cmk", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -567,6 +589,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a1ad735a-e96f-45d2-a7b2-9a4932cab7ec", "policyDefinitionReferenceId": "Deny-EH-Cmk", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -577,6 +600,7 @@ { "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-Premium-CMK", "policyDefinitionReferenceId": "Deny-EH-Premium-CMK", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -587,6 +611,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/295fc8b1-dc9f-4f53-9c61-3f313ceab40a", "policyDefinitionReferenceId": "Deny-Sb-Cmk", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -597,6 +622,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ac01ad65-10e5-46df-bdd9-6b0cad13e1d2", "policyDefinitionReferenceId": "Deny-Sql-Managed-Cmk", + "definitionVersion": "2.*.*", "groupNames": [], "parameters": { "effect": { @@ -607,6 +633,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7c322315-e26d-4174-a99e-f49d351b4688", "policyDefinitionReferenceId": "Deny-Storage-Table-Cmk", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -617,6 +644,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b5ec538c-daa0-4006-8596-35468b9148e8", "policyDefinitionReferenceId": "Deny-Storage-Encryption-Cmk", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -627,6 +655,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0e5abd0-2554-4736-b7c0-4ffef23475ef", "policyDefinitionReferenceId": "Deny-Storage-Queue-Cmk", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -637,6 +666,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/51522a96-0869-4791-82f3-981000c2c67f", "policyDefinitionReferenceId": "Deny-BotService-Cmk", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-APIM.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-APIM.json index a995c1ad8a..e868638e72 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-APIM.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-APIM.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for API Management", "description": "This policy initiative is a group of policies that ensures API Management is compliant per regulated Landing Zones.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "API Management", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -121,6 +121,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f1cc7827-022c-473e-836e-5a51cae0b249", "policyDefinitionReferenceId": "Deny-Apim-without-Kv", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -131,6 +132,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ef619a2c-cc4d-4d03-b2ba-8c94a834d85b", "policyDefinitionReferenceId": "Deny-Apim-without-Vnet", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -141,6 +143,7 @@ { "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-APIM-TLS", "policyDefinitionReferenceId": "Deny-APIM-TLS", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -151,6 +154,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ee7495e7-3ba7-40b6-bfee-c29e22cc75d4", "policyDefinitionReferenceId": "Deny-Apim-Protocols", + "definitionVersion": "2.*.*", "groupNames": [], "parameters": { "effect": { @@ -161,6 +165,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c15dcc82-b93c-4dcb-9332-fbf121685b54", "policyDefinitionReferenceId": "Deny-Apim-Authn", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -171,6 +176,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b741306c-968e-4b67-b916-5675e5c709f4", "policyDefinitionReferenceId": "Deny-Apim-Direct-Endpoint", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -181,6 +187,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/92bb331d-ac71-416a-8c91-02f2cb734ce4", "policyDefinitionReferenceId": "Deny-Apim-Cert-Validation", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -191,6 +198,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7ca8c8ac-3a6e-493d-99ba-c5fa35347ff2", "policyDefinitionReferenceId": "Dine-Apim-Public-NetworkAccess", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -201,6 +209,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/73ef9241-5d81-4cd4-b483-8443d1730fe5", "policyDefinitionReferenceId": "Deny-Apim-Sku-Vnet", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -211,6 +220,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/549814b6-3212-4203-bdc8-1548d342fb67", "policyDefinitionReferenceId": "Deny-Apim-Version", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -221,6 +231,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3aa03346-d8c5-4994-a5bc-7652c2a2aef1", "policyDefinitionReferenceId": "Deny-Api-subscription-scope", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-AppServices.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-AppServices.json index d3e06a85f5..ac475138fc 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-AppServices.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-AppServices.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for App Service", "description": "This policy initiative is a group of policies that ensures App Service is compliant per regulated Landing Zones.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "App Service", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -174,6 +174,7 @@ { "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppService-without-BYOC", "policyDefinitionReferenceId": "Deny-AppService-Byoc", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -184,6 +185,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a5e3fe8f-f6cd-4f1d-bbf6-c749754a724b", "policyDefinitionReferenceId": "Dine-AppService-Apps-Remote-Debugging", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -194,6 +196,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cca5adfe-626b-4cc6-8522-f5b6ed2391bd", "policyDefinitionReferenceId": "Deny-AppService-Slots-Remote-Debugging", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -204,6 +207,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eb4d34ab-0929-491c-bbf3-61e13da19f9a", "policyDefinitionReferenceId": "Deny-AppService-Latest-Version", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -214,6 +218,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/801543d1-1953-4a90-b8b0-8cf6d41473a5", "policyDefinitionReferenceId": "Deny-AppService-Vnet-Routing", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -224,6 +229,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f5c0bfb3-acea-47b1-b477-b0edcdf6edc1", "policyDefinitionReferenceId": "Deny-AppService-Rfc", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -234,6 +240,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a691eacb-474d-47e4-b287-b4813ca44222", "policyDefinitionReferenceId": "Deny-AppServiceApps-Rfc", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -244,6 +251,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/70adbb40-e092-42d5-a6f8-71c540a5efdb", "policyDefinitionReferenceId": "DINE-FuncApp-Debugging", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -254,6 +262,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5e97b776-f380-4722-a9a3-e7f0be029e79", "policyDefinitionReferenceId": "DINE-AppService-ScmAuth", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -264,6 +273,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5747353b-1ca9-42c1-a4dd-b874b894f3d4", "policyDefinitionReferenceId": "Deny-AppServ-Routing", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -274,6 +284,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/572e342c-c920-4ef5-be2e-1ed3c6a51dc5", "policyDefinitionReferenceId": "Deny-AppServ-FtpAuth", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -284,6 +295,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/546fe8d2-368d-4029-a418-6af48a7f61e5", "policyDefinitionReferenceId": "Deny-AppServ-SkuPl", + "definitionVersion": "4.*.*", "groupNames": [], "parameters": { "effect": { @@ -294,6 +306,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2c034a29-2a5f-4857-b120-f800fe5549ae", "policyDefinitionReferenceId": "DINE-AppService-LocalAuth", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -304,6 +317,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/25a5046c-c423-4805-9235-e844ae9ef49b", "policyDefinitionReferenceId": "DINE-AppService-Debugging", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -314,6 +328,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/08cf2974-d178-48a0-b26d-f6b8e555748b", "policyDefinitionReferenceId": "Modify-Function-Apps-Slots-Https", + "definitionVersion": "2.*.*", "groupNames": [], "parameters": { "effect": { @@ -324,6 +339,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0f98368e-36bc-4716-8ac2-8f8067203b63", "policyDefinitionReferenceId": "Modify-AppService-Https", + "definitionVersion": "2.*.*", "groupNames": [], "parameters": { "effect": { @@ -334,6 +350,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/242222f3-4985-4e99-b5ef-086d6a6cb01c", "policyDefinitionReferenceId": "Modify-Function-Apps-Slots-Public-Network-Access", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -344,6 +361,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2374605e-3e0b-492b-9046-229af202562c", "policyDefinitionReferenceId": "Modify-AppService-Apps-Public-Network-Access", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -354,6 +372,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c6c3e00e-d414-4ca4-914f-406699bb8eee", "policyDefinitionReferenceId": "Modify-AppService-App-Public-Network-Access", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Automation.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Automation.json index 3bcb0f4344..86c0db18cb 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Automation.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Automation.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for Automation Account", "description": "This policy initiative is a group of policies that ensures Automation Account is compliant per regulated Landing Zones.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Automation", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -74,6 +74,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6d02d2f7-e38b-4bdc-96f3-adc0a8726abc", "policyDefinitionReferenceId": "Deny-Windows-Vm-HotPatch", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -84,6 +85,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/dea83a72-443c-4292-83d5-54a2f98749c0", "policyDefinitionReferenceId": "Deny-Aa-Managed-Identity", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -94,6 +96,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/48c5f1cb-14ad-4797-8e3b-f78ab3f8d700", "policyDefinitionReferenceId": "Deny-Aa-Local-Auth", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -104,6 +107,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735", "policyDefinitionReferenceId": "Deny-Aa-Variables-Encrypt", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -114,6 +118,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/30d1d58e-8f96-47a5-8564-499a3f3cca81", "policyDefinitionReferenceId": "Modify-Aa-Local-Auth", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -124,6 +129,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/23b36a7c-9d26-4288-a8fd-c1d2fa284d8c", "policyDefinitionReferenceId": "Modify-Aa-Public-Network-Access", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-BotService.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-BotService.json index 785daeecf8..91d7aa44fc 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-BotService.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-BotService.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for Bot Service", "description": "This policy initiative is a group of policies that ensures Bot Service is compliant per regulated Landing Zones.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Bot Service", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -64,6 +64,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6164527b-e1ee-4882-8673-572f425f5e0a", "policyDefinitionReferenceId": "Deny-BotService-Valid-Uri", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -74,6 +75,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/52152f42-0dda-40d9-976e-abb1acdd611e", "policyDefinitionReferenceId": "Deny-BotService-Isolated-Mode", + "definitionVersion": "2.*.*", "groupNames": [], "parameters": { "effect": { @@ -84,6 +86,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ffea632e-4e3a-4424-bf78-10e179bb2e1a", "policyDefinitionReferenceId": "Deny-BotService-Local-Auth", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -94,6 +97,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ad5621d6-a877-4407-aa93-a950b428315e", "policyDefinitionReferenceId": "Audit-BotService-Private-Link", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CognitiveServices.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CognitiveServices.json index 805a08c466..872f72a090 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CognitiveServices.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CognitiveServices.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for Cognitive Services", "description": "This policy initiative is a group of policies that ensures Cognitive Services is compliant per regulated Landing Zones.", "metadata": { - "version": "1.1.0", + "version": "1.2.0", "category": "Cognitive Services", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -99,6 +99,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a049bf77-880b-470f-ba6d-9f21c530cf83", "policyDefinitionReferenceId": "Deny-CognitiveSearch-SKU", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -109,6 +110,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6300012e-e9a4-4649-b41f-a85f5c43be91", "policyDefinitionReferenceId": "Deny-CongitiveSearch-LocalAuth", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -119,6 +121,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4eb216f2-9dba-4979-86e6-5d7e63ce3b75", "policyDefinitionReferenceId": "Modify-CogntiveSearch-LocalAuth", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -129,6 +132,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9cee519f-d9c1-4fd9-9f79-24ec3449ed30", "policyDefinitionReferenceId": "Modify-CogntiveSearch-PublicEndpoint", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -139,6 +143,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47ba1dd7-28d9-4b07-a8d5-9813bed64e0c", "policyDefinitionReferenceId": "Modify-Cognitive-Services-Public-Network-Access", + "definitionVersion": "3.*.*", "groupNames": [], "parameters": { "effect": { @@ -149,6 +154,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418", "policyDefinitionReferenceId": "Deny-Cognitive-Services-Managed-Identity", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -159,6 +165,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/46aa9b05-0e60-4eae-a88b-1e9d374fa515", "policyDefinitionReferenceId": "Deny-Cognitive-Services-Customer-Storage", + "definitionVersion": "2.*.*", "groupNames": [], "parameters": { "effect": { @@ -169,6 +176,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555", "policyDefinitionReferenceId": "Modify-Cognitive-Services-Local-Auth", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -179,6 +187,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4", "policyDefinitionReferenceId": "Aine-Cognitive-Services-Resource-Logs", + "definitionVersion": "5.*.*", "groupNames": [], "parameters": { "effect": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Compute.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Compute.json index 2d447658fd..5a34c0dfe2 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Compute.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Compute.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for Compute", "description": "This policy initiative is a group of policies that ensures Compute is compliant per regulated Landing Zones.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Compute", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -41,6 +41,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fc4d8e41-e223-45ea-9bf5-eada37891d87", "policyDefinitionReferenceId": "Deny-VmAndVmss-Encryption-Host", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -51,6 +52,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ca91455f-eace-4f96-be59-e6e2c35b4816", "policyDefinitionReferenceId": "Deny-Disk-Double-Encryption", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerApps.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerApps.json index 55ab33e46a..d02647880d 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerApps.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerApps.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for Container Apps", "description": "This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Container Apps", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -41,6 +41,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8b346db6-85af-419b-8557-92cee2c0f9bb", "policyDefinitionReferenceId": "Deny-ContainerApp-Vnet-Injection", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -51,6 +52,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b874ab2d-72dd-47f1-8cb5-4a306478a4e7", "policyDefinitionReferenceId": "Deny-ContainerApps-Managed-Identity", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerInstance.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerInstance.json index 22357be82d..4b77267b64 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerInstance.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerInstance.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for Container Instance", "description": "This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Container Instances", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -32,6 +32,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8af8f826-edcb-4178-b35f-851ea6fea615", "policyDefinitionReferenceId": "Deny-ContainerInstance-Vnet", + "definitionVersion": "2.*.*", "groupNames": [], "parameters": { "effect": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerRegistry.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerRegistry.json index a21e7bdc53..be1bc75d92 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerRegistry.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerRegistry.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for Container Registry", "description": "This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Container Registry", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -126,6 +126,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/79fdfe03-ffcb-4e55-b4d0-b925b8241759", "policyDefinitionReferenceId": "Modify-ContainerRegistry-Local-Auth", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -136,6 +137,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a9b426fe-8856-4945-8600-18c5dd1cca2a", "policyDefinitionReferenceId": "Modify-ContainerRegistry-Repo-Token", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -146,6 +148,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/42781ec6-6127-4c30-bdfa-fb423a0047d3", "policyDefinitionReferenceId": "Deny-ContainerRegistry-Arm-Audience", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -156,6 +159,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/785596ed-054f-41bc-aaec-7f3d0ba05725", "policyDefinitionReferenceId": "Modify-ContainerRegistry-Arm-Audience", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -166,6 +170,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bd560fc0-3c69-498a-ae9f-aa8eb7de0e13", "policyDefinitionReferenceId": "Deny-ContainerRegistry-Sku-PrivateLink", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -176,6 +181,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cced2946-b08a-44fe-9fd9-e4ed8a779897", "policyDefinitionReferenceId": "Modify-ContainerRegistry-Anonymous-Auth", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -186,6 +192,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9f2dea28-e834-476c-99c5-3507b4728395", "policyDefinitionReferenceId": "Deny-ContainerRegistry-Anonymous-Auth", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -196,6 +203,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/524b0254-c285-4903-bee6-bb8126cde579", "policyDefinitionReferenceId": "Deny-ContainerRegistry-Exports", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -206,6 +214,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/dc921057-6b28-4fbe-9b83-f7bec05db6c2", "policyDefinitionReferenceId": "Deny-ContainerRegistry-Local-Auth", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -216,6 +225,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ff05e24e-195c-447e-b322-5e90c9f9f366", "policyDefinitionReferenceId": "Deny-ContainerRegistry-Repo-Token", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -226,6 +236,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71", "policyDefinitionReferenceId": "Deny-ContainerRegistry-Unrestricted-Network-Access", + "definitionVersion": "2.*.*", "groupNames": [], "parameters": { "effect": { @@ -236,6 +247,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a3701552-92ea-433e-9d17-33b7f1208fc9", "policyDefinitionReferenceId": "Modify-ContainerRegistry-Public-Network-Access", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CosmosDb.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CosmosDb.json index 78b5883aab..b5a8990fc1 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CosmosDb.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CosmosDb.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for Cosmos DB", "description": "This policy initiative is a group of policies that ensures Cosmos DB is compliant per regulated Landing Zones.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Cosmos DB", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -65,6 +65,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/dc2d41d1-4ab1-4666-a3e1-3d51c43e0049", "policyDefinitionReferenceId": "Modify-CosmosDb-Local-Auth", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -75,6 +76,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b5f04e03-92a3-4b09-9410-2cc5e5047656", "policyDefinitionReferenceId": "Dine-CosmosDb-Atp", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -85,6 +87,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb", "policyDefinitionReferenceId": "Deny-CosmosDb-Fw-Rules", + "definitionVersion": "2.*.*", "groupNames": [], "parameters": { "effect": { @@ -95,6 +98,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2", "policyDefinitionReferenceId": "Deny-CosmosDb-Local-Auth", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -105,12 +109,14 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5", "policyDefinitionReferenceId": "Append-CosmosDb-Metadata", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": {} }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/da69ba51-aaf1-41e5-8651-607cd0b37088", "policyDefinitionReferenceId": "Modify-CosmosDb-Public-Network-Access", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-DataExplorer.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-DataExplorer.json index 63dc68ab6d..2e058c5dc3 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-DataExplorer.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-DataExplorer.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for Data Explorer", "description": "This policy initiative is a group of policies that ensures Data Explorer is compliant per regulated Landing Zones.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Azure Data Explorer", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -58,6 +58,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1fec9658-933f-4b3e-bc95-913ed22d012b", "policyDefinitionReferenceId": "Deny-ADX-Sku-without-PL-Support", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -68,6 +69,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ec068d99-e9c7-401f-8cef-5bdde4e6ccf1", "policyDefinitionReferenceId": "Deny-ADX-Double-Encryption", + "definitionVersion": "2.*.*", "groupNames": [], "parameters": { "effect": { @@ -78,6 +80,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f4b53539-8df9-40e4-86c6-6b607703bd4e", "policyDefinitionReferenceId": "Deny-ADX-Encryption", + "definitionVersion": "2.*.*", "groupNames": [], "parameters": { "effect": { @@ -88,6 +91,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7b32f193-cb28-4e15-9a98-b9556db0bafa", "policyDefinitionReferenceId": "Modify-ADX-Public-Network-Access", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-DataFactory.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-DataFactory.json index 1e4ccb20de..139b42cbeb 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-DataFactory.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-DataFactory.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for Data Factory", "description": "This policy initiative is a group of policies that ensures Data Factory is compliant per regulated Landing Zones.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Data Factory", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -67,6 +67,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f78ccdb4-7bf4-4106-8647-270491d2978a", "policyDefinitionReferenceId": "Deny-Adf-Managed-Identity", + "definitionVersion": "2.*.*", "groupNames": [], "parameters": { "effect": { @@ -77,6 +78,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/77d40665-3120-4348-b539-3192ec808307", "policyDefinitionReferenceId": "Deny-Adf-Git", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -87,6 +89,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/127ef6d7-242f-43b3-9eef-947faf1725d0", "policyDefinitionReferenceId": "Deny-Adf-Linked-Service-Key-Vault", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -97,6 +100,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0088bc63-6dee-4a9c-9d29-91cfdc848952", "policyDefinitionReferenceId": "Deny-Adf-Sql-Integration", + "definitionVersion": "2.*.*", "groupNames": [], "parameters": { "effect": { @@ -107,6 +111,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/08b1442b-7789-4130-8506-4f99a97226a7", "policyDefinitionReferenceId": "Modify-Adf-Public-Network-Access", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-EventGrid.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-EventGrid.json index e664afc6e7..874f523183 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-EventGrid.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-EventGrid.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for Event Grid", "description": "This policy initiative is a group of policies that ensures Event Grid is compliant per regulated Landing Zones.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Event Grid", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -90,6 +90,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2dd0e8b9-4289-4bb0-b813-1883298e9924", "policyDefinitionReferenceId": "Modify-EventGrid-Partner-Namespace-Local-Auth", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -100,6 +101,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8ac2748f-3bf1-4c02-a3b6-92ae68cf75b1", "policyDefinitionReferenceId": "Modify-EventGrid-Domain-Local-Auth", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -110,6 +112,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ae9fb87f-8a17-4428-94a4-8135d431055c", "policyDefinitionReferenceId": "Deny-EventGrid-Topic-Local-Auth", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -120,6 +123,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1c8144d9-746a-4501-b08c-093c8d29ad04", "policyDefinitionReferenceId": "Modify-EventGrid-Topic-Local-Auth", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -130,6 +134,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8632b003-3545-4b29-85e6-b2b96773df1e", "policyDefinitionReferenceId": "Deny-EventGrid-Partner-Namespace-Local-Auth", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -140,6 +145,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8bfadddb-ee1c-4639-8911-a38cb8e0b3bd", "policyDefinitionReferenceId": "Deny-EventGrid-Local-Auth", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -150,6 +156,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/898e9824-104c-4965-8e0e-5197588fa5d4", "policyDefinitionReferenceId": "Modify-EventGrid-Domain-Public-Network-Access", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -160,6 +167,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/36ea4b4b-0f7f-4a54-89fa-ab18f555a172", "policyDefinitionReferenceId": "Modify-EventGrid-Topic-Public-Network-Access", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-EventHub.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-EventHub.json index feaf0a1baf..63e2d2d627 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-EventHub.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-EventHub.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for Event Hub", "description": "This policy initiative is a group of policies that ensures Event Hub is compliant per regulated Landing Zones.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Event Hub", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -58,6 +58,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/836cd60e-87f3-4e6a-a27c-29d687f01a4c", "policyDefinitionReferenceId": "Deny-EH-Double-Encryption", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -68,6 +69,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/57f35901-8389-40bb-ac49-3ba4f86d889d", "policyDefinitionReferenceId": "Modify-EH-Local-Auth", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -78,6 +80,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5d4e3c65-4873-47be-94f3-6f8b953a3598", "policyDefinitionReferenceId": "Deny-EH-Local-Auth", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -88,6 +91,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b278e460-7cfc-4451-8294-cccc40a940d7", "policyDefinitionReferenceId": "Deny-EH-Auth-Rules", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault-Sup.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault-Sup.json index 3c68197a8e..80f674ccf5 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault-Sup.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault-Sup.json @@ -8,7 +8,7 @@ "displayName": "Enforce additional recommended guardrails for Key Vault", "description": "This policy initiative is a group of policies that ensures Key Vault is compliant per regulated Landing Zones.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Key Vault", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -39,6 +39,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/84d327c3-164a-4685-b453-900478614456", "policyDefinitionReferenceId": "Modify-KV-PublicNetworkAccess", + "definitionVersion": "2.*.*-preview", "groupNames": [], "parameters": { "effect": { @@ -49,6 +50,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01dc", "policyDefinitionReferenceId": "Modify-KV-Fw", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Kubernetes.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Kubernetes.json index 08a03e892d..c1617dbb00 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Kubernetes.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Kubernetes.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for Kubernetes", "description": "This policy initiative is a group of policies that ensures Kubernetes is compliant per regulated Landing Zones.", "metadata": { - "version": "1.1.0", + "version": "1.2.0", "category": "Kubernetes", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -181,6 +181,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5485eac0-7e8f-4964-998b-a44f4f0c1e75", "policyDefinitionReferenceId": "Deny-Aks-Windows-Container-Administrator", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -191,6 +192,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8", "policyDefinitionReferenceId": "Deny-Aks-Shared-Host-Process-Namespace", + "definitionVersion": "5.*.*", "groupNames": [], "parameters": { "effect": { @@ -201,6 +203,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/65280eef-c8b4-425e-9aec-af55e55bf581", "policyDefinitionReferenceId": "Deny-Aks-Naked-Pods", + "definitionVersion": "2.*.*", "groupNames": [], "parameters": { "effect": { @@ -211,6 +214,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9f061a12-e40d-4183-a00e-171812443373", "policyDefinitionReferenceId": "Deny-Aks-Default-Namespace", + "definitionVersion": "4.*.*", "groupNames": [], "parameters": { "effect": { @@ -221,6 +225,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e", "policyDefinitionReferenceId": "Deny-Aks-Internal-Lb", + "definitionVersion": "8.*.*", "groupNames": [], "parameters": { "effect": { @@ -231,6 +236,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/41425d9f-d1a5-499a-9932-f8ed8453932c", "policyDefinitionReferenceId": "Deny-Aks-Temp-Disk-Encryption", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -241,6 +247,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c", "policyDefinitionReferenceId": "Deny-Aks-Allowed-Capabilities", + "definitionVersion": "6.*.*", "groupNames": [], "parameters": { "effect": { @@ -251,6 +258,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99", "policyDefinitionReferenceId": "Deny-Aks-Priv-Escalation", + "definitionVersion": "7.*.*", "groupNames": [], "parameters": { "effect": { @@ -261,6 +269,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4", "policyDefinitionReferenceId": "Deny-Aks-Priv-Containers", + "definitionVersion": "9.*.*", "groupNames": [], "parameters": { "effect": { @@ -271,6 +280,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b1a9997f-2883-4f12-bdff-2280f99b5915", "policyDefinitionReferenceId": "Deny-Aks-ReadinessOrLiveness-Probes", + "definitionVersion": "3.*.*", "groupNames": [], "parameters": { "effect": { @@ -281,6 +291,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b708b0a-3380-40e9-8b79-821f9fa224cc", "policyDefinitionReferenceId": "Dine-Aks-Command-Invoke", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -291,6 +302,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7", "policyDefinitionReferenceId": "Dine-Aks-Policy", + "definitionVersion": "4.*.*", "groupNames": [], "parameters": { "effect": { @@ -301,6 +313,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8", "policyDefinitionReferenceId": "Deny-Aks-Private-Cluster", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -311,6 +324,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/993c2fcd-2b29-49d2-9eb0-df2c3a730c32", "policyDefinitionReferenceId": "Deny-Aks-Local-Auth", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -321,6 +335,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/dbbdc317-9734-4dd8-9074-993b29c69008", "policyDefinitionReferenceId": "Deny-Aks-Kms", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -331,6 +346,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/46238e2f-3f6f-4589-9f3f-77bed4116e67", "policyDefinitionReferenceId": "Deny-Aks-Cni", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MachineLearning.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MachineLearning.json index 964a8191a3..b0ea706aa0 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MachineLearning.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MachineLearning.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for Machine Learning", "description": "This policy initiative is a group of policies that ensures Machine Learning is compliant per regulated Landing Zones.", "metadata": { - "version": "1.1.0", + "version": "1.2.0", "category": "Machine Learning", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -139,6 +139,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f110a506-2dcb-422e-bcea-d533fc8c35e2", "policyDefinitionReferenceId": "Deny-ML-Outdated-Os", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effects": { @@ -149,6 +150,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f", "policyDefinitionReferenceId": "Deny-ML-Local-Auth", + "definitionVersion": "2.*.*", "groupNames": [], "parameters": { "effect": { @@ -159,6 +161,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a6f9a2d0-cff7-4855-83ad-4cd750666512", "policyDefinitionReferenceId": "Modify-ML-Local-Auth", + "definitionVersion": "2.*.*", "groupNames": [], "parameters": { "effect": { @@ -169,6 +172,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5f0c7d88-c7de-45b8-ac49-db49e72eaa78", "policyDefinitionReferenceId": "Deny-ML-User-Assigned-Identity", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -179,6 +183,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a10ee784-7409-4941-b091-663697637c0f", "policyDefinitionReferenceId": "Modify-ML-Public-Network-Access", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -189,6 +194,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/679ddf89-ab8f-48a5-9029-e76054077449", "policyDefinitionReferenceId": "Deny-ML-Idle-Shutdown", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -199,6 +205,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7804b5c7-01dc-4723-969b-ae300cc07ff1", "policyDefinitionReferenceId": "Audit-ML-Virtual-Network", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -209,6 +216,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e413671a-dd10-4cc1-a943-45b598596cb7", "policyDefinitionReferenceId": "Deny-ML-Legacy-Mode", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -219,6 +227,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/45e05259-1eb5-4f70-9574-baf73e9d219b", "policyDefinitionReferenceId": "Audit-ML-Private-Link", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -229,6 +238,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/afe0c3be-ba3b-4544-ba52-0c99672a8ad6", "policyDefinitionReferenceId": "Aine-ML-Resource-Logs", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -239,6 +249,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/19539b54-c61e-4196-9a38-67598701be90", "policyDefinitionReferenceId": "Deny-ML-Allowed-Registry-Deploy", + "definitionVersion": "1.*.*-preview", "groupNames": [], "parameters": { "effect": { @@ -249,6 +260,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/53c70b02-63dd-11ea-bc55-0242ac130003", "policyDefinitionReferenceId": "Deny-ML-Allowed-Module", + "definitionVersion": "6.*.*-preview", "groupNames": [], "parameters": { "effect": { @@ -259,6 +271,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/77eeea86-7e81-4a7d-9067-de844d096752", "policyDefinitionReferenceId": "Deny-ML-Allowed-Python", + "definitionVersion": "5.*.*-preview", "groupNames": [], "parameters": { "effect": { @@ -269,6 +282,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5853517a-63de-11ea-bc55-0242ac130003", "policyDefinitionReferenceId": "Deny-ML-Allowed-Registries", + "definitionVersion": "6.*.*-preview", "groupNames": [], "parameters": { "effect": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MySQL.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MySQL.json index ce2b30161f..9a6d495303 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MySQL.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MySQL.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for MySQL", "description": "This policy initiative is a group of policies that ensures MySQL is compliant per regulated Landing Zones.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "MySQL", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -40,6 +40,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816", "policyDefinitionReferenceId": "Dine-MySql-Adv-Threat-Protection", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -50,6 +51,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3a58212a-c829-4f13-9872-6371df2fd0b4", "policyDefinitionReferenceId": "Deny-MySql-Infra-Encryption", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.json index bec7c6d07e..759150d4a8 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for Network and Networking services", "description": "This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.", "metadata": { - "version": "1.1.0", + "version": "1.2.0", "category": "Network", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -267,12 +267,14 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010", "policyDefinitionReferenceId": "Deny-Nsg-GW-subnet", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": {} }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7", "policyDefinitionReferenceId": "Deny-VPN-AzureAD", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -283,6 +285,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c", "policyDefinitionReferenceId": "Deny-Waf-Afd-Enabled", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -293,6 +296,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6484db87-a62d-4327-9f07-80a2cbdf333a", "policyDefinitionReferenceId": "Deny-Waf-IDPS", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -303,6 +307,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/610b6183-5f00-4d68-86d2-4ab4cb3a67a5", "policyDefinitionReferenceId": "Deny-FW-AllIDPSS", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -313,6 +318,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f516dc7a-4543-4d40-aad6-98f76a706b50", "policyDefinitionReferenceId": "Deny-FW-EmpIDPSBypass", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -323,6 +329,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/711c24bb-7f18-4578-b192-81a6161e1f17", "policyDefinitionReferenceId": "Deny-FW-TLS-Inspection", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -333,6 +340,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596", "policyDefinitionReferenceId": "Deny-FW-TLS-AllApp", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -343,6 +351,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096", "policyDefinitionReferenceId": "Deny-Waf-AppGw-mode", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -356,6 +365,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d", "policyDefinitionReferenceId": "Deny-Waf-Fw-rules", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -366,6 +376,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8", "policyDefinitionReferenceId": "Deny-Waf-mode", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -379,6 +390,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d", "policyDefinitionReferenceId": "Modify-vNet-DDoS", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -392,18 +404,21 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900", "policyDefinitionReferenceId": "Deny-Ip-Forwarding", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": {} }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114", "policyDefinitionReferenceId": "Deny-vNic-Pip", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": {} }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66", "policyDefinitionReferenceId": "Deny-AppGw-Without-Waf", + "definitionVersion": "2.*.*", "groupNames": [], "parameters": { "effect": { @@ -414,6 +429,7 @@ { "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr", "policyDefinitionReferenceId": "Deny-Subnet-Without-Udr", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -424,6 +440,7 @@ { "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg", "policyDefinitionReferenceId": "Deny-Subnet-Without-NSG", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -434,6 +451,7 @@ { "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints", "policyDefinitionReferenceId": "Deny-Subnet-with-Service-Endpoints", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -444,6 +462,7 @@ { "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet", "policyDefinitionReferenceId": "Deny-Mgmt-From-Internet", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -457,6 +476,7 @@ { "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls", "policyDefinitionReferenceId": "Deny-AppGw-Without-Tls", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -467,6 +487,7 @@ { "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-UDR", "policyDefinitionReferenceId": "Modify-Udr", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -486,6 +507,7 @@ { "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-NSG", "policyDefinitionReferenceId": "Modify-Nsg", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-OpenAI.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-OpenAI.json index 6292ccc452..5e4a1a811b 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-OpenAI.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-OpenAI.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for Open AI (Cognitive Service)", "description": "This policy initiative is a group of policies that ensures Open AI (Cognitive Service) is compliant per regulated Landing Zones.", "metadata": { - "version": "1.1.0", + "version": "1.2.0", "category": "Cognitive Services", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -117,6 +117,7 @@ { "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-RestrictOutboundNetworkAccess", "policyDefinitionReferenceId": "Deny-OpenAi-OutboundNetworkAccess", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -127,6 +128,7 @@ { "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-NetworkAcls", "policyDefinitionReferenceId": "Deny-OpenAi-NetworkAcls", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -137,6 +139,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418", "policyDefinitionReferenceId": "Deny-Cognitive-Services-Managed-Identity", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -147,6 +150,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/71ef260a-8f18-47b7-abcb-62d0673d94dc", "policyDefinitionReferenceId": "Deny-Cognitive-Services-Local-Auth", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -157,6 +161,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/46aa9b05-0e60-4eae-a88b-1e9d374fa515", "policyDefinitionReferenceId": "Deny-Cognitive-Services-Cust-Storage", + "definitionVersion": "2.*.*", "groupNames": [], "parameters": { "effect": { @@ -167,6 +172,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555", "policyDefinitionReferenceId": "Modify-Cognitive-Services-Local-Auth", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -177,6 +183,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3", "policyDefinitionReferenceId": "Deny-AzureAI-Network-Access", + "definitionVersion": "3.*.*", "groupNames": [], "parameters": { "effect": { @@ -187,6 +194,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d6759c02-b87f-42b7-892e-71b3f471d782", "policyDefinitionReferenceId": "Audit-AzureAI-Private-Link", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -197,6 +205,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d45520cb-31ca-44ba-8da2-fcf914608544", "policyDefinitionReferenceId": "Dine-AzureAI-Local-Key", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -207,6 +216,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/55eff01b-f2bd-4c32-9203-db285f709d30", "policyDefinitionReferenceId": "Dine-AzureAI-Local-Key2", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -217,6 +227,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b4d1c4e-934c-4703-944c-27c82c06bebb", "policyDefinitionReferenceId": "Aine-AzureAI-Diag-Settings", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-PostgreSQL.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-PostgreSQL.json index 484292f11d..8c12837c6c 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-PostgreSQL.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-PostgreSQL.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for PostgreSQL", "description": "This policy initiative is a group of policies that ensures PostgreSQL is compliant per regulated Landing Zones.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "PostgreSQL", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -31,6 +31,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/db048e65-913c-49f9-bb5f-1084184671d3", "policyDefinitionReferenceId": "Dine-PostgreSql-Adv-Threat-Protection", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-SQL.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-SQL.json index 5fb82b190f..eb60f036e0 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-SQL.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-SQL.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for SQL and SQL Managed Instance", "description": "This policy initiative is a group of policies that ensures SQL and SQL Managed Instance is compliant per regulated Landing Zones.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "SQL", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -57,6 +57,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c5a62eb0-c65a-4220-8a4d-f70dd4ca95dd", "policyDefinitionReferenceId": "Dine-Sql-Managed-Defender", + "definitionVersion": "2.*.*", "groupNames": [], "parameters": { "effect": { @@ -67,6 +68,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abda6d70-9778-44e7-84a8-06713e6db027", "policyDefinitionReferenceId": "Deny-Sql-Aad-Only", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -77,6 +79,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/78215662-041e-49ed-a9dd-5385911b3a1f", "policyDefinitionReferenceId": "Deny-Sql-Managed-Aad-Only", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -87,12 +90,14 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6", "policyDefinitionReferenceId": "Dine-Sql-Adv-Data", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": {} }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/28b0b1e5-17ba-4963-a7a4-5a1ab4400a0b", "policyDefinitionReferenceId": "Modify-Sql-PublicNetworkAccess", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ServiceBus.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ServiceBus.json index 79b30ef808..2e4e849e38 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ServiceBus.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ServiceBus.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for Service Bus", "description": "This policy initiative is a group of policies that ensures Service Bus is compliant per regulated Landing Zones.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Service Bus", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -58,6 +58,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee", "policyDefinitionReferenceId": "Deny-Sb-Authz-Rules", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -68,6 +69,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ebaf4f25-a4e8-415f-86a8-42d9155bef0b", "policyDefinitionReferenceId": "Deny-Sb-Encryption", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -78,6 +80,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cfb11c26-f069-4c14-8e36-56c394dae5af", "policyDefinitionReferenceId": "Deny-Sb-LocalAuth", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -88,6 +91,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/910711a6-8aa2-4f15-ae62-1e5b2ed3ef9e", "policyDefinitionReferenceId": "Modify-Sb-LocalAuth", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Storage.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Storage.json index c5abdeee28..a50e26bfbe 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Storage.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Storage.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for Storage Account", "description": "This policy initiative is a group of policies that ensures Storage is compliant per regulated Landing Zones.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Storage", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -231,6 +231,7 @@ { "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope", "policyDefinitionReferenceId": "Deny-Storage-CopyScope", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -244,6 +245,7 @@ { "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption", "policyDefinitionReferenceId": "Deny-Storage-ServicesEncryption", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -254,6 +256,7 @@ { "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser", "policyDefinitionReferenceId": "Deny-Storage-LocalUser", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -264,6 +267,7 @@ { "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-SFTP", "policyDefinitionReferenceId": "Deny-Storage-SFTP", + "groupNames": [], "parameters": { "effect": { @@ -274,6 +278,7 @@ { "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass", "policyDefinitionReferenceId": "Deny-Storage-NetworkAclsBypass", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -287,6 +292,7 @@ { "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId", "policyDefinitionReferenceId": "Deny-Storage-ResourceAccessRulesTenantId", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -297,6 +303,7 @@ { "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId", "policyDefinitionReferenceId": "Deny-Storage-ResourceAccessRulesResourceId", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -307,6 +314,7 @@ { "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules", "policyDefinitionReferenceId": "Deny-Storage-NetworkAclsVirtualNetworkRules", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -317,6 +325,7 @@ { "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy", "policyDefinitionReferenceId": "Deny-Storage-ContainerDeleteRetentionPolicy", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -330,6 +339,7 @@ { "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules", "policyDefinitionReferenceId": "Deny-Storage-CorsRules", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -340,6 +350,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bfecdea6-31c4-4045-ad42-71b9dc87247d", "policyDefinitionReferenceId": "Deny-Storage-Account-Encryption", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -350,6 +361,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/92a89a79-6c52-4a7e-a03f-61306fc49312", "policyDefinitionReferenceId": "Deny-Storage-Cross-Tenant", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -360,6 +372,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54", "policyDefinitionReferenceId": "Deny-Storage-Shared-Key", + "definitionVersion": "2.*.*", "groupNames": [], "parameters": { "effect": { @@ -370,6 +383,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a", "policyDefinitionReferenceId": "Deny-Storage-Infra-Encryption", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -380,6 +394,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606", "policyDefinitionReferenceId": "Deny-Storage-Classic", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -390,6 +405,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c", "policyDefinitionReferenceId": "Dine-Storage-Threat-Protection", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -400,6 +416,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c", "policyDefinitionReferenceId": "Deny-Storage-Restrict-NetworkRules", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -410,6 +427,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f", "policyDefinitionReferenceId": "Deny-Storage-NetworkRules", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -420,6 +438,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537", "policyDefinitionReferenceId": "Deny-Storage-Account-Keys-Expire", + "definitionVersion": "3.*.*", "groupNames": [], "parameters": { "effect": { @@ -430,6 +449,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e07b2e9-6cd9-4c40-9ccb-52817b95133b", "policyDefinitionReferenceId": "Modify-Storage-FileSync-PublicEndpoint", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -440,6 +460,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b", "policyDefinitionReferenceId": "Modify-Blob-Storage-Account-PublicEndpoint", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -450,6 +471,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a06d0189-92e8-4dba-b0c4-08d7669fce7d", "policyDefinitionReferenceId": "Modify-Storage-Account-PublicEndpoint", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Synapse.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Synapse.json index a0b73748a5..d47fcaa61c 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Synapse.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Synapse.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for Synapse workspaces", "description": "This policy initiative is a group of policies that ensures Synapse workspaces is compliant per regulated Landing Zones.", "metadata": { - "version": "1.1.0", + "version": "1.2.0", "category": "Synapse", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -105,6 +105,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/951c1558-50a5-4ca3-abb6-a93e3e2367a6", "policyDefinitionReferenceId": "Dine-Synapse-Defender", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -115,6 +116,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3624673-d2ff-48e0-b28c-5de1c6767c3c", "policyDefinitionReferenceId": "Modify-Synapse-Local-Auth", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -125,6 +127,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/56fd377d-098c-4f02-8406-81eb055902b8", "policyDefinitionReferenceId": "Deny-Synapse-Fw-Rules", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -135,6 +138,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3a003702-13d2-4679-941b-937e58c443f0", "policyDefinitionReferenceId": "Deny-Synapse-Tenant-Access", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -148,6 +152,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3484ce98-c0c5-4c83-994b-c5ac24785218", "policyDefinitionReferenceId": "Deny-Synapse-Data-Traffic", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -158,6 +163,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2d9dbfa3-927b-4cf0-9d0f-08747f971650", "policyDefinitionReferenceId": "Deny-Synapse-Managed-Vnet", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -168,6 +174,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2158ddbe-fefa-408e-b43f-d4faef8ff3b8", "policyDefinitionReferenceId": "Deny-Synapse-Local-Auth", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -178,6 +185,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8b5c654c-fb07-471b-aa8f-15fea733f140", "policyDefinitionReferenceId": "Modify-Synapse-Tls-Version", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -188,6 +196,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5c8cad01-ef30-4891-b230-652dadb4876a", "policyDefinitionReferenceId": "Modify-Synapse-Public-Network-Access", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-VirtualDesktop.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-VirtualDesktop.json index 33564dda5f..2d64b91b18 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-VirtualDesktop.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-VirtualDesktop.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for Virtual Desktop", "description": "This policy initiative is a group of policies that ensures Virtual Desktop is compliant per regulated Landing Zones.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Desktop Virtualization", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -39,6 +39,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ce6ebf1d-0b94-4df9-9257-d8cacc238b4f", "policyDefinitionReferenceId": "Modify-Workspace-PublicNetworkAccess", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -49,6 +50,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2a0913ff-51e7-47b8-97bb-ea17127f7c8d", "policyDefinitionReferenceId": "Modify-Hostpool-PublicNetworkAccess", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { From 1bd79542d5d5a649c159f7dcdb6bda19fed564ee Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Fri, 10 Jan 2025 09:46:35 +0400 Subject: [PATCH 10/18] AVNM (#1803) --- docs/wiki/ALZ-Policies.md | 4 +- docs/wiki/Whats-new.md | 4 + eslzArm/eslz-portal.json | 10 +- eslzArm/eslzArm.json | 275 ++-- .../prerequisites/deployPrerequisites.json | 255 ++++ .../avnmConfiguration.json | 706 +++++++++ eslzArm/subscriptionTemplates/avnmPolicy.json | 1308 +++++++++++++++++ 7 files changed, 2468 insertions(+), 94 deletions(-) create mode 100644 eslzArm/prerequisites/deployPrerequisites.json create mode 100644 eslzArm/subscriptionTemplates/avnmConfiguration.json create mode 100644 eslzArm/subscriptionTemplates/avnmPolicy.json diff --git a/docs/wiki/ALZ-Policies.md b/docs/wiki/ALZ-Policies.md index 6dab86f385..dcafc15100 100644 --- a/docs/wiki/ALZ-Policies.md +++ b/docs/wiki/ALZ-Policies.md @@ -114,7 +114,7 @@ This management group contains all the platform child management groups, like ma | Assignment Name | Definition Name | Policy Type | Description | Effect(s) | | -------------------------------------------------------------------------- | -------------------------------------------------------------------------- | --------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------- | | **Enforce recommended guardrails for Azure Key Vault** | **Enforce recommended guardrails for Azure Key Vault** | `Policy Definition Set`, **Custom** | This policy initiative enforces minimum guardrails for Azure Key Vault:
  • Key vaults should have soft delete enabled (Deny)
  • Key vaults should have purge protection enabled (Deny)
  • Key Vault secrets should have an expiration date (Audit)
  • Key Vault keys should have an expiration date (Audit)
  • Azure Key Vault should have firewall enabled (Audit)
  • Certificates should have the specified lifetime action triggers (Audit)
  • Keys should have more than the specified number of days before expiration (Audit < 90 days)
  • Secrets should have more than the specified number of days before expiration (Audit < 90 days)
| Audit, Deny | -| **Enforce enhanced recovery and backup policies** | **Enforce enhanced recovery and backup policies** | `Policy Definition Set`, **Custom** | This policy initiative enforces minimum guardrails for Azure Key Vault:
  • Immutability must be enabled for backup vaults
  • Immutability must be enabled for Recovery Services vaults
  • Soft delete should be enabled for Backup Vaults
  • Multi-User Authorization (MUA) must be enabled for Backup Vaults
  • Multi-User Authorization (MUA) must be enabled for Recovery Services Vaults
| Audit | +| **Enforce enhanced recovery and backup policies** | **Enforce enhanced recovery and backup policies** | `Policy Definition Set`, **Custom** | This policy initiative enforces minimum guardrails for Recovery Services Vaults:
  • Immutability must be enabled for backup vaults
  • Immutability must be enabled for Recovery Services vaults
  • Soft delete should be enabled for Backup Vaults
  • Multi-User Authorization (MUA) must be enabled for Backup Vaults
  • Multi-User Authorization (MUA) must be enabled for Recovery Services Vaults
| Audit | | **Enable Azure Monitor for VMs**\* | **Enable Azure Monitor for VMs with Azure Monitoring Agent(AMA)** | `Policy Definition Set`, **Built-in** | This policy initiative installs the Azure Monitoring Agent (AMA) on the virtual machines (VMs) and enables Azure Monitor for them. Azure Monitor collects and analyzes data from the VMs, such as performance metrics, logs, and dependencies. | DeployIfNotExists, Disabled | | **Enable Azure Monitor for Virtual Machine Scale Sets**\* | **Enable Azure Monitor for VMSS with Azure Monitoring Agent(AMA)** | `Policy Definition Set`, **Built-in** | This policy initiative installs the Azure Monitoring Agent (AMA) on the virtual machines scale sets (VMSS) and enables Azure Monitor for them. Azure Monitor collects and analyzes data from the VMs, such as performance metrics, logs, and dependencies. | DeployIfNotExists, Disabled | | **Enable Azure Monitor for Hybrid Virtual Machines**\* | **Enable Azure Monitor for Hybrid VMs with AMA** | `Policy Definition Set`, **Built-in** | This policy initiative installs the Azure Monitoring Agent (AMA) on Arc-enabled servers (Hybrid) and enables Azure Monitor for them. Azure Monitor collects and analyzes data from the VMs, such as performance metrics, logs, and dependencies. | DeployIfNotExists, Disabled | @@ -235,7 +235,7 @@ The table below provides the specific **Custom** and **Built-in** **policy defin | ------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------ | | **Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit** | **Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit** | `Policy Definition Set`, **Custom** | Description TBC | Audit, AuditIfNotExists, DeployIfNotExists, Deny | | **Enforce recommended guardrails for Azure Key Vault** | **Enforce recommended guardrails for Azure Key Vault** | `Policy Definition Set`, **Custom** | This policy initiative enforces minimum guardrails for Azure Key Vault:
  • Key vaults should have soft delete enabled (Deny)
  • Key vaults should have purge protection enabled (Deny)
  • Key Vault secrets should have an expiration date (Audit)
  • Key Vault keys should have an expiration date (Audit)
  • Azure Key Vault should have firewall enabled (Audit)
  • Certificates should have the specified lifetime action triggers (Audit)
  • Keys should have more than the specified number of days before expiration (Audit < 90 days)
  • Secrets should have more than the specified number of days before expiration (Audit < 90 days)
| Audit, Deny | -| **Enforce enhanced recovery and backup policies** | **Enforce enhanced recovery and backup policies** | `Policy Definition Set`, **Custom** | This policy initiative enforces minimum guardrails for Azure Key Vault:
  • Immutability must be enabled for backup vaults
  • Immutability must be enabled for Recovery Services vaults
  • Soft delete should be enabled for Backup Vaults
  • Multi-User Authorization (MUA) must be enabled for Backup Vaults
  • Multi-User Authorization (MUA) must be enabled for Recovery Services Vaults
| Audit | +| **Enforce enhanced recovery and backup policies** | **Enforce enhanced recovery and backup policies** | `Policy Definition Set`, **Custom** | This policy initiative enforces minimum guardrails for Recovery Services Vaults:
  • Immutability must be enabled for backup vaults
  • Immutability must be enabled for Recovery Services vaults
  • Soft delete should be enabled for Backup Vaults
  • Multi-User Authorization (MUA) must be enabled for Backup Vaults
  • Multi-User Authorization (MUA) must be enabled for Recovery Services Vaults
| Audit | | **Enforce Azure Compute Security Benchmark compliance auditing** | **Enforce Azure Compute Security Benchmark compliance auditing** | `Policy Definition Set`, **Custom** | This policy initiative enables Azure Compute Security Basline compliance auditing for Windows and Linux virtual machines. | AuditIfNotExists | | **Management port access from the Internet should be blocked** | **Management port access from the Internet should be blocked** | `Policy Definition`, **Custom** | This policy denies any network security rule that allows management port access from Internet (Default port 22, 3389). | Deny | | **Subnets should have a Network Security Group** | **Subnets should have a Network Security Group** | `Policy Definition`, **Custom** | This policy denies the creation of a subnet without a Network Security Group. NSG help to protect traffic across subnet-level. | Deny | diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md index 53ea412b13..000370585d 100644 --- a/docs/wiki/Whats-new.md +++ b/docs/wiki/Whats-new.md @@ -52,6 +52,10 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones: ### 🔃 Policy Refresh Q2 FY25 +- [PREVIEW] Added ability to deploy Virtual Network Manager through the portal accelerator with support for Security Admin feature, including default rules blocking high-risk ports [read more](https://learn.microsoft.com/en-us/azure/virtual-network-manager/concept-security-admins). + - [Important] To support the configuration of AVNM, we've had to included a deployment script to configure the Microsoft.Network resource provider on the intermediate root management group. This deployment script and required User-Assigned Managed Identity are created in a resource group in the Management subscription. Please remove the user assigned identity in the resource group hosting the AVNM instance. + - [Important] Due to performance improvements of ARM, we've also had to change the "wait" process in the portal accelerator (waiting for Management Groups to be registered so we can do policy assignments). We are now using the same deployment script with a "Start-Sleep" PowerShell command which is far more reliable. In the management subscription, you will find a resource group `rg-alz-prereqs` that you should remove (with contents) as the identity has Contributor rights on the Intermediate Management Group. + - [Important] A deployment script and User-Assigned Managed Identity is needed in the `rg-alz-avnm` resource group in the Connectivity subscription to register the Security Admin configuration with selected deployment regions. You should delete this identity after deployment. - *Policy Versioning Support* - all initiatives and assignments have been pinned to the current major version of built-in policies or initiatives deployed by ALZ. This ensures that all ALZ deployments will successfully deploy using the currently validated versions of ALZ built-in policies and initiatives. As these get updated the team will validate changes and impact before incrementing the recommended version. - Fixed a Portal Accelerator bug that results in failed deployment when choosing not to deploy policies to the Identity management group. - Updated the display name of the many `Effect` parameters to clearly identify the policy it applies to in the initiative [Enforce recommended guardrails for Azure Key Vault](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-KeyVault.html). diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json index 1bc6f1ef76..1b8a4c7e9f 100644 --- a/eslzArm/eslz-portal.json +++ b/eslzArm/eslz-portal.json @@ -1438,6 +1438,13 @@ }, "visible": true }, + { + "name": "deployAVNM", + "type": "Microsoft.Common.CheckBox", + "label": "Deploy Azure Virtual Network Manager - PREVIEW", + "toolTip": "If selected, Azure Virtual Network Manager will be deployed to manage your virtual networks. Currently, ALZ will only enable Security Admin Rules role by default", + "visible": "[or(equals(steps('connectivity').enableHub, 'vhub'), equals(steps('connectivity').enableHub, 'nva'))]" + }, { "name": "esNwNVANote", "type": "Microsoft.Common.InfoBox", @@ -4511,7 +4518,7 @@ } ] }, - "visible": "[and(equals(steps('identity').esIdentityConnectivity, 'Yes'), not(equals(steps('connectivity').enableHub,'No')))]" + "visible": "[and(not(equals(steps('connectivity').enableHub,'No')), equals(steps('core').deploySecondaryRegion, 'Yes'))]" }, { "name": "identityAddressPrefixSecondary", @@ -9499,6 +9506,7 @@ "erRegionalOrAz": "[steps('connectivity').erRegionalOrAz]", "expressRouteScaleUnit": "[steps('connectivity').expressRouteScaleUnit]", "enableHub": "[steps('connectivity').enableHub]", + "deployAVNM": "[steps('connectivity').deployAVNM]", "enableAzFw": "[steps('connectivity').enableAzFw]", "enableAzFwDnsProxy": "[if(equals(steps('connectivity').firewallSku, 'Basic'), 'No', steps('connectivity').enableAzFwDnsProxy)]", "firewallSku": "[steps('connectivity').firewallSku]", diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json index 0c3ed6760f..bf41ea57fb 100644 --- a/eslzArm/eslzArm.json +++ b/eslzArm/eslzArm.json @@ -380,6 +380,10 @@ "type": "string", "defaultValue": "[deployment().location]" }, + "deployAVNM": { + "type": "bool", + "defaultValue": false + }, "enableDdoS": { "type": "string", "defaultValue": "No", @@ -1689,6 +1693,9 @@ "roleDefinitions": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/roleDefinitions/customRoleDefinitions.json')]", "policyDefinitions": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyDefinitions/policies.json')]", "initiativeDefinitions": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyDefinitions/initiatives.json')]", + "preRequisites": "[uri(deployment().properties.templateLink.uri, 'prerequisites/deployPrerequisites.json')]", + "avnmConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/avnmConfiguration.json')]", + "avnmPolicy": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/avnmPolicy.json')]", "vnetConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/hubspoke-connectivity.json')]", "vwanConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/vwan-connectivity.json')]", "nvaConnectivityHub": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/nvahubspoke-connectivity.json')]", @@ -1825,6 +1832,8 @@ "atpOssDbPolicyDeploymentName": "[take(concat('alz-AtpOssDb', variables('deploymentSuffix')), 64)]", "atpSqlDbPolicyDeploymentName": "[take(concat('alz-AtpSqlDb', variables('deploymentSuffix')), 64)]", "ascGovPolicyDeploymentName": "[take(concat('alz-Gov-ASC', variables('deploymentSuffix')), 64)]", + "avnmConnectivityHubDeploymentName": "[take(concat('alz-AVNM', variables('deploymentSuffix')), 64)]", + "avnmPolicyDeploymentName": "[take(concat('alz-AVNMPolicy', variables('deploymentSuffix')), 64)]", "vnetConnectivityHubDeploymentName": "[take(concat('alz-HubSpoke', variables('deploymentSuffix')), 64)]", "vwanConnectivityHubDeploymentName": "[take(concat('alz-VWanHub', variables('deploymentSuffix')), 64)]", "vnetConnectivityHub2DeploymentName": "[take(concat('alz-HubSpoke2', variables('deploymentSuffix')), 64)]", @@ -2222,7 +2231,8 @@ "scope": "[concat('Microsoft.Management/managementGroups/', parameters('enterpriseScaleCompanyPrefix'))]", "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]", + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -2327,7 +2337,8 @@ "location": "[deployment().location]", "scope": "[concat('Microsoft.Management/managementGroups/', parameters('enterpriseScaleCompanyPrefix'))]", "dependsOn": [ - "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]" + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]", + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -2418,29 +2429,33 @@ } }, { - // One of Azure's untold stories..... + // ALZ Pre-Requisites and Azure's Untold Story... + "condition": "[not(empty(parameters('managementSubscriptionId')))]", "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "[concat('preparingToLaunch', copyIndex())]", + "apiVersion": "2020-06-01", + "name": "alz-prerequisites", + "scope": "[variables('scopes').eslzRootManagementGroup]", "location": "[deployment().location]", - "scope": "[concat('Microsoft.Management/managementGroups/', parameters('enterpriseScaleCompanyPrefix'))]", "dependsOn": [ - "[variables('deploymentNames').initiativeDeploymentName]" + "[variables('deploymentNames').initiativeDeploymentName]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]" ], - "copy": { - "batchSize": 1, - "count": "[parameters('delayCount')]", - "mode": "Serial", - "name": "policyCompletion" - }, "properties": { "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "templateLink": { "contentVersion": "1.0.0.0", - "parameters": {}, - "resources": [], - "outputs": {} + "uri": "[variables('deploymentUris').preRequisites]" + }, + "parameters": { + "location": { + "value": "[deployment().location]" + }, + "eslzRootName": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "managementSubscriptionId": { + "value": "[parameters('managementSubscriptionId')]" + } } } }, @@ -2528,6 +2543,7 @@ } } }, + /* The following deployments will optionally configure the governance, security, and monitoring for the Azure platform and landing zones */ @@ -2541,7 +2557,7 @@ "subscriptionId": "[parameters('managementSubscriptionId')]", "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -2704,7 +2720,7 @@ "location": "[deployment().location]", "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -2809,7 +2825,7 @@ "location": "[deployment().location]", "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]", - "policyCompletion", + "alz-prerequisites", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]" ], @@ -2846,7 +2862,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "policyCompletion", + "alz-prerequisites", "corpConnectedMoveLzs" ], "copy": { @@ -2893,7 +2909,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "policyCompletion", + "alz-prerequisites", "corpConnectedMoveLzs" ], "copy": { @@ -2940,7 +2956,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "policyCompletion", + "alz-prerequisites", "corpConnectedMoveLzs" ], "copy": { @@ -2987,7 +3003,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "policyCompletion", + "alz-prerequisites", "corpConnectedMoveLzs" ], "copy": { @@ -3034,7 +3050,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "policyCompletion", + "alz-prerequisites", "corpConnectedMoveLzs" ], "copy": { @@ -3081,7 +3097,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "policyCompletion", + "alz-prerequisites", "corpConnectedMoveLzs" ], "copy": { @@ -3128,7 +3144,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "policyCompletion", + "alz-prerequisites", "corpConnectedMoveLzs" ], "copy": { @@ -3175,7 +3191,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "policyCompletion", + "alz-prerequisites", "corpConnectedMoveLzs" ], "copy": { @@ -3222,7 +3238,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "policyCompletion", + "alz-prerequisites", "corpConnectedMoveLzs" ], "copy": { @@ -3269,7 +3285,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "policyCompletion", + "alz-prerequisites", "corpConnectedMoveLzs" ], "copy": { @@ -3316,7 +3332,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "policyCompletion", + "alz-prerequisites", "corpConnectedMoveLzs" ], "copy": { @@ -3363,7 +3379,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "policyCompletion", + "alz-prerequisites", "corpConnectedMoveLzs" ], "copy": { @@ -3410,7 +3426,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "policyCompletion", + "alz-prerequisites", "corpConnectedMoveLzs" ], "copy": { @@ -3457,7 +3473,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "policyCompletion", + "alz-prerequisites", "corpConnectedMoveLzs" ], "copy": { @@ -3504,7 +3520,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "policyCompletion", + "alz-prerequisites", "corpConnectedMoveLzs" ], "copy": { @@ -3551,7 +3567,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "policyCompletion", + "alz-prerequisites", "corpConnectedMoveLzs" ], "copy": { @@ -3598,7 +3614,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "policyCompletion", + "alz-prerequisites", "corpConnectedMoveLzs" ], "copy": { @@ -3645,7 +3661,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "policyCompletion", + "alz-prerequisites", "corpConnectedMoveLzs" ], "copy": { @@ -3692,7 +3708,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "policyCompletion", + "alz-prerequisites", "corpConnectedMoveLzs" ], "copy": { @@ -3739,7 +3755,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "policyCompletion", + "alz-prerequisites", "corpConnectedMoveLzs" ], "copy": { @@ -3789,7 +3805,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "policyCompletion", + "alz-prerequisites", "corpConnectedMoveLzs" ], "copy": { @@ -3836,7 +3852,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "policyCompletion", + "alz-prerequisites", "corpConnectedMoveLzs" ], "copy": { @@ -3883,7 +3899,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "policyCompletion", + "alz-prerequisites", "corpConnectedMoveLzs" ], "copy": { @@ -3930,7 +3946,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "policyCompletion", + "alz-prerequisites", "corpConnectedMoveLzs" ], "copy": { @@ -3977,7 +3993,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "policyCompletion", + "alz-prerequisites", "corpConnectedMoveLzs" ], "copy": { @@ -4024,7 +4040,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "policyCompletion", + "alz-prerequisites", "corpConnectedMoveLzs" ], "copy": { @@ -4071,7 +4087,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').vnetConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').nvaConnectivityHubLiteDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]", - "policyCompletion", + "alz-prerequisites", "corpConnectedMoveLzs" ], "copy": { @@ -4309,7 +4325,7 @@ "scope": "[variables('scopes').eslzRootManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -4333,7 +4349,7 @@ "scope": "[variables('scopes').eslzRootManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -4357,7 +4373,7 @@ "scope": "[variables('scopes').eslzRootManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -4381,7 +4397,7 @@ "scope": "[variables('scopes').eslzRootManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -4687,7 +4703,7 @@ "scope": "[variables('scopes').eslzRootManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -4757,7 +4773,7 @@ "scope": "[variables('scopes').platformManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -4982,7 +4998,8 @@ "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", - "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosDeploymentName)]" + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').vnetConnectivityHubDeploymentName)]" ], "location": "[deployment().location]", "properties": { @@ -5175,6 +5192,82 @@ } } }, + { + // Deploy AVNM + "condition": "[and(parameters('deployAVNM'), or(equals(parameters('enableHub'), 'vhub'), equals(parameters('enableHub'), 'nva')), not(empty(parameters('connectivitySubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "subscriptionId": "[parameters('connectivitySubscriptionId')]", + "name": "[variables('deploymentNames').avnmConnectivityHubDeploymentName]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').connectivitySubscriptionPlacement)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').activityDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').resourceDiagnosticsPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').asbPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ascGovPolicyDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosDeploymentName)]", + "alz-prerequisites" + ], + "location": "[deployment().location]", + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').avnmConnectivityHub]" + }, + "parameters": { + "location": { + "value": "[parameters('connectivityLocation')]" + }, + "locationSecondary": { + "value": "[parameters('connectivityLocationSecondary')]" + }, + "managementGroupScope": { + "value": "[variables('scopes').eslzRootManagementGroup]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('connectivitySubscriptionId')]" + }, + "enableSecondaryRegion": { + "value": "[parameters('enableSecondaryRegion')]" + } + } + } + }, + { + // Deploying AVNM policy - to add virtual networks to AVNM network groups + "condition": "[and(parameters('deployAVNM'), or(equals(parameters('enableHub'), 'vhub'), equals(parameters('enableHub'), 'nva')), not(empty(parameters('connectivitySubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('deploymentNames').avnmPolicyDeploymentName]", + "location": "[deployment().location]", + "scope": "[variables('scopes').eslzRootManagementGroup]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').avnmConnectivityHubDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').avnmPolicy]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('connectivitySubscriptionId')]" + }, + "locationSecondary": { + "value": "[parameters('connectivityLocationSecondary')]" + }, + "enableSecondaryRegion": { + "value": "[parameters('enableSecondaryRegion')]" + } + } + } + }, { // Creating resource group for Private DNS Zones "condition": "[and(equals(parameters('enablePrivateDnsZones'), 'Yes'), not(empty(parameters('connectivitySubscriptionId'))))]", @@ -5672,7 +5765,7 @@ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]", "dnsZones", "dnsZonesLite", - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -5964,7 +6057,7 @@ "scope": "[variables('scopes').platformManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -5997,7 +6090,7 @@ "scope": "[variables('scopes').lzsManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -6360,7 +6453,7 @@ "scope": "[variables('scopes').lzsManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -6417,7 +6510,7 @@ "scope": "[variables('scopes').lzsManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -6441,7 +6534,7 @@ "scope": "[variables('scopes').lzsManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -6465,7 +6558,7 @@ "scope": "[variables('scopes').lzsManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -6489,7 +6582,7 @@ "scope": "[variables('scopes').lzsManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -6516,7 +6609,7 @@ "scope": "[variables('scopes').lzsManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -6540,7 +6633,7 @@ "scope": "[variables('scopes').corpManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -6567,7 +6660,7 @@ "scope": "[variables('scopes').corpManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -6591,7 +6684,7 @@ "scope": "[variables('scopes').lzsManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -6617,7 +6710,7 @@ "scope": "[variables('scopes').platformManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -6643,7 +6736,7 @@ "scope": "[variables('scopes').lzsManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -6670,7 +6763,7 @@ "scope": "[variables('scopes').lzsManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -6694,7 +6787,7 @@ "scope": "[variables('scopes').lzsManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -6721,7 +6814,7 @@ "scope": "[variables('scopes').platformManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -6748,7 +6841,7 @@ "scope": "[variables('scopes').lzsManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -6775,7 +6868,7 @@ "scope": "[variables('scopes').platformManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -6802,7 +6895,7 @@ "scope": "[variables('scopes').corpManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -6826,7 +6919,7 @@ "scope": "[variables('scopes').corpManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -6856,7 +6949,7 @@ "scope": "[variables('scopes').lzsManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -6880,7 +6973,7 @@ "scope": "[variables('scopes').eslzRootManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -6907,7 +7000,7 @@ "scope": "[variables('scopes').lzsManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -7027,7 +7120,7 @@ "scope": "[variables('scopes').lzsManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -7054,7 +7147,7 @@ "scope": "[variables('scopes').lzsManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -7081,7 +7174,7 @@ "scope": "[variables('scopes').decommissionedManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -7108,7 +7201,7 @@ "scope": "[variables('scopes').sandboxManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -7138,7 +7231,7 @@ "scope": "[variables('scopes').identityManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -7165,7 +7258,7 @@ "scope": "[variables('scopes').identityManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion", + "alz-prerequisites", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').identitySubscriptionPlacement)]" ], "properties": { @@ -7190,7 +7283,7 @@ "scope": "[variables('scopes').identityManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion", + "alz-prerequisites", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').identitySubscriptionPlacement)]" ], "properties": { @@ -7218,7 +7311,7 @@ "scope": "[variables('scopes').identityManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion", + "alz-prerequisites", "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').identitySubscriptionPlacement)]" ], "properties": { @@ -7715,7 +7808,7 @@ "subscriptionId": "[parameters('singlePlatformSubscriptionId')]", "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', variables('esliteDeploymentNames').platformLiteSubscriptionPlacement)]", - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -7794,7 +7887,7 @@ "location": "[deployment().location]", "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]", - "policyCompletion" + "alz-prerequisites" ], "properties": { "mode": "Incremental", @@ -8872,7 +8965,7 @@ "scope": "[variables('scopes').platformManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion", + "alz-prerequisites", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]" ], "properties": { @@ -8903,7 +8996,7 @@ "scope": "[variables('scopes').platformManagementGroup]", "location": "[deployment().location]", "dependsOn": [ - "policyCompletion", + "alz-prerequisites", "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').platformLiteSubscriptionPlacement)]" ], "properties": { diff --git a/eslzArm/prerequisites/deployPrerequisites.json b/eslzArm/prerequisites/deployPrerequisites.json new file mode 100644 index 0000000000..2b99f596ef --- /dev/null +++ b/eslzArm/prerequisites/deployPrerequisites.json @@ -0,0 +1,255 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceGroupName": { + "type": "string", + "defaultValue": "rg-alz-prereqs", + "metadata": { + "description": "The resource group name where the AVNM resources will be created" + } + }, + "location": { + "type": "string", + "metadata": { + "description": "The location of this AVNM instance. All resources will be deployed to this region." + } + }, + "eslzRootName": { + "type": "string", + "metadata": { + "description": "The name of the Enterprise Scale Landing Zone root resource." + } + }, + "managementSubscriptionId": { + "type": "string", + "metadata": { + "description": "The subscription ID of the management subscription." + } + } + }, + "resources": [ + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "alz-prerequisites-001", + "location": "[parameters('location')]", + "subscriptionId": "[parameters('managementSubscriptionId')]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "location": { + "value": "[parameters('location')]" + }, + "resourceGroupName": { + "value": "[parameters('resourceGroupName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "resourceGroupName": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Resources/resourceGroups", + "apiVersion": "2022-09-01", + "name": "[parameters('resourceGroupName')]", + "location": "[parameters('location')]" + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "alz-prerequisites-uai", + "resourceGroup": "[parameters('resourceGroupName')]", + "dependsOn": [ + "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('resourceGroupName'))]" + ], + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "location": { + "value": "[parameters('location')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.ManagedIdentity/userAssignedIdentities", + "apiVersion": "2023-07-31-preview", + "name": "uai-alz-prereq", + "location": "[parameters('location')]" + } + ], + "outputs": { + "userAssignedIdentityId": { + "type": "string", + "value": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'uai-alz-prereq')]" + }, + "uaiPrincipalId": { + "type": "string", + "value": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'uai-alz-prereq'), '2023-07-31-preview').principalId]" + } + } + } + } + } + ], + "outputs": { + "userAssignedIdentityId": { + "type": "string", + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'alz-prerequisites-uai'), '2022-09-01').outputs.userAssignedIdentityId.value]" + }, + "uaiPrincipalId": { + "type": "string", + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'alz-prerequisites-uai'), '2022-09-01').outputs.uaiPrincipalId.value]" + } + } + + } + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[guid(format('alz-prerequisites-{0}-{1}', parameters('eslzRootName'), parameters('location')))]", + "location": "[parameters('location')]", + "properties": { + "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", + "principalId": "[reference(subscriptionResourceId(parameters('managementSubscriptionId'), 'Microsoft.Resources/deployments', 'alz-prerequisites-001'), '2022-09-01').outputs.uaiPrincipalId.value]", + "principalType": "ServicePrincipal" + }, + "dependsOn": [ + "[subscriptionResourceId(parameters('managementSubscriptionId'), 'Microsoft.Resources/deployments', 'alz-prerequisites-001')]" + ] + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "alz-prerequisites-002", + "location": "[parameters('location')]", + "subscriptionId": "[parameters('managementSubscriptionId')]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "alz-prereq-ds", + "resourceGroup": "[parameters('resourceGroupName')]", + "dependsOn": [], + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "location": { + "value": "[parameters('location')]" + }, + "eslzRootName": { + "value": "[parameters('eslzRootName')]" + }, + "managementSubscriptionId": { + "value": "[parameters('managementSubscriptionId')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "eslzRootName":{ + "type": "string" + }, + "managementSubscriptionId": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Resources/deploymentScripts", + "apiVersion": "2020-10-01", + "name": "alz-prereq-deploymentscript", + "location": "[parameters('location')]", + "kind": "AzurePowerShell", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[reference(subscriptionResourceId(parameters('managementSubscriptionId'), 'Microsoft.Resources/deployments', 'alz-prerequisites-001'), '2022-09-01').outputs.userAssignedIdentityId.value]": {} + } + }, + "properties": { + "azPowerShellVersion": "12.3", + "retentionInterval": "PT1H", + "timeout": "PT2H", + "arguments": "[format('-eslzRootName \"{0}\"', parameters('eslzRootName'))]", + "scriptContent": " + param( + [Parameter(Mandatory=$true, HelpMessage=\"Enter the ESLZ root name.\")] + [string] + $eslzRootName + ) + + #API call to register the Microsoft.Network provider against intermediate resource group for AVNM + Invoke-AzRestMethod -Method POST -Uri \"https://management.azure.com/providers/Microsoft.Management/managementGroups/$eslzRootName/providers/Microsoft.Network/register?api-version=2021-04-01\" + + #Register all resource providers required for ALZ + $subs = Search-AzGraph -Query \"ResourceContainers | where type =~ 'microsoft.resources/subscriptions'\" -ManagementGroup $eslzRootName + $rps = @('Microsoft.Insights','Microsoft.AlertsManagement','Microsoft.OperationalInsights','Microsoft.OperationsManagement','Microsoft.Automation','Microsoft.AlertsManagement','Microsoft.Security','Microsoft.Network','Microsoft.EventGrid','Microsoft.ManagedIdentity','Microsoft.GuestConfiguration','Microsoft.Advisor','Microsoft.PolicyInsights') + + foreach ($sub in $subs) { + Write-Host 'Registering resource providers for subscription: ' $sub.subscriptionId + Select-AzSubscription -SubscriptionId $sub.subscriptionId + Get-AzResourceProvider -ProviderNamespace $rps | where {$_.RegistrationState -ne \"Registered\"} | Register-AzResourceProvider + } + + #Sleep for 15 minutes to wait for Management Groups to load to cache before policy assignments + Start-Sleep -Duration (New-TimeSpan -Minutes 15) + " + }, + "metadata": { + "description": "Create a Deployment Script resource to perform the prerequisites." + } + } + ], + "outputs": {} + } + } + } + ] + } + }, + "dependsOn": [ + "alz-prerequisites-001", + "[guid(format('alz-prerequisites-{0}-{1}', parameters('eslzRootName'), parameters('location')))]" + ] + } + ], + "outputs": {} + } \ No newline at end of file diff --git a/eslzArm/subscriptionTemplates/avnmConfiguration.json b/eslzArm/subscriptionTemplates/avnmConfiguration.json new file mode 100644 index 0000000000..ddd431c93a --- /dev/null +++ b/eslzArm/subscriptionTemplates/avnmConfiguration.json @@ -0,0 +1,706 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string", + "metadata": { + "displayName": "location", + "description": "Location of the HUB" + }, + "defaultValue": "[deployment().location]" + }, + "locationSecondary": { + "type": "string", + "metadata": { + "displayName": "locationSecondary", + "description": "Secondary location of the HUB for instances deploying in multiple regions" + }, + "defaultValue": "" + }, + "managementGroupScope": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Management group scope for AVNM. Intermediate root management group is the default." + } + }, + "connectivitySubscriptionId": { + "type": "string", + "metadata": { + "description": "SubscriptionId for the connectivity subscription." + }, + "defaultValue": "[subscription().subscriptionId]" + }, + "enableSecondaryRegion": { + "type": "string", + "metadata": { + "description": "Enable secondary region for instances deploying in multiple regions" + }, + "defaultValue": "no" + } + }, + "variables": { + "rgName": "rg-alz-avnm", + "resourceDeploymentName": "[take(concat(deployment().name, '-avnm', parameters('location')), 64)]", + "configIds": "[resourceId(parameters('connectivitySubscriptionId'), variables('rgName'), 'Microsoft.Network/networkManagers/securityAdminConfigurations', 'avnm', 'sac-alz')]" + }, + "resources": [ + { + "type": "Microsoft.Resources/resourceGroups", + "apiVersion": "2019-10-01", + "location": "[parameters('location')]", + "name": "[variables('rgName')]", + "properties": {} + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('resourceDeploymentName')]", + "resourceGroup": "[variables('rgName')]", + "dependsOn": [ + "[concat('Microsoft.Resources/resourceGroups/', variables('rgName'))]" + ], + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "location": { + "value": "[parameters('location')]" + }, + "locationSecondary": { + "value": "[parameters('locationSecondary')]" + }, + "managementGroupScope": { + "value": "[parameters('managementGroupScope')]" + }, + "enableSecondaryRegion": { + "value": "[parameters('enableSecondaryRegion')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "locationSecondary": { + "type": "string" + }, + "managementGroupScope": { + "type": "string" + }, + "enableSecondaryRegion": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Network/networkManagers", + "apiVersion": "2024-03-01", + "name": "avnm", + "location": "[parameters('location')]", + "properties": { + "networkManagerScopeAccesses": [ + "SecurityAdmin" + ], + "networkManagerScopes": { + "managementGroups": [ + "[parameters('managementGroupScope')]" + ] + } + }, + "dependsOn": [ + + ], + "metadata": { + "description": "This is the Azure Virtual Network Manager which will be used to implement the connected group for spoke-to-spoke connectivity." + } + }, + { + "type": "Microsoft.Network/networkManagers/networkGroups", + "apiVersion": "2024-03-01", + "name": "[format('{0}/{1}', 'avnm', 'avnm-ng-all')]", + "properties": { + "memberType": "VirtualNetwork", + "description": "Network Group - All Landing Zone virtual networks" + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/networkManagers', 'avnm')]" + ], + "metadata": { + "description": "This is the dynamic network group for all ALZ VNETs." + } + }, + { + "type": "Microsoft.Network/networkManagers/networkGroups", + "apiVersion": "2024-03-01", + "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-{0}', parameters('location')))]", + "properties": { + "memberType": "VirtualNetwork", + "description": "[format('Network Group - {0}', parameters('location'))]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/networkManagers', 'avnm')]" + ], + "metadata": { + "description": "This is the dynamic network group for all ALZ VNETs in the primary region." + } + }, + { + "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]", + "type": "Microsoft.Network/networkManagers/networkGroups", + "apiVersion": "2024-03-01", + "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-{0}', parameters('locationSecondary')))]", + "properties": { + "memberType": "VirtualNetwork", + "description": "[format('Network Group - {0}', parameters('locationSecondary'))]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/networkManagers', 'avnm')]" + ], + "metadata": { + "description": "This is the dynamic network group for all ALZ VNETs in the secondary region, if selected." + } + }, + { + "type": "Microsoft.Network/networkManagers/networkGroups", + "apiVersion": "2024-03-01", + "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-corp-{0}', parameters('location')))]", + "properties": { + "memberType": "VirtualNetwork", + "description": "[format('Network Group - Corp - {0}', parameters('location'))]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/networkManagers', 'avnm')]" + ], + "metadata": { + "description": "This is the dynamic network group for all ALZ CORP VNETs in the primary region." + } + }, + { + "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]", + "type": "Microsoft.Network/networkManagers/networkGroups", + "apiVersion": "2024-03-01", + "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-corp-{0}', parameters('locationSecondary')))]", + "properties": { + "memberType": "VirtualNetwork", + "description": "[format('Network Group - Corp - {0}', parameters('locationSecondary'))]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/networkManagers', 'avnm')]" + ], + "metadata": { + "description": "This is the dynamic network group for all ALZ CORP VNETs in the secondary region, if selected." + } + }, + { + "type": "Microsoft.Network/networkManagers/networkGroups", + "apiVersion": "2024-03-01", + "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-online-{0}', parameters('location')))]", + "properties": { + "memberType": "VirtualNetwork", + "description": "[format('Network Group - Online - {0}', parameters('location'))]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/networkManagers', 'avnm')]" + ], + "metadata": { + "description": "This is the dynamic network group for all ALZ ONLINE VNETs in the primary region." + } + }, + { + "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]", + "type": "Microsoft.Network/networkManagers/networkGroups", + "apiVersion": "2024-03-01", + "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-online-{0}', parameters('locationSecondary')))]", + "properties": { + "memberType": "VirtualNetwork", + "description": "[format('Network Group - Online - {0}', parameters('locationSecondary'))]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/networkManagers', 'avnm')]" + ], + "metadata": { + "description": "This is the dynamic network group for all ALZ ONLINE VNETs in the secondary region, if selected." + } + }, + { + "type": "Microsoft.Network/networkManagers/networkGroups", + "apiVersion": "2024-03-01", + "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-identity-{0}', parameters('location')))]", + "properties": { + "memberType": "VirtualNetwork", + "description": "[format('Network Group - Identity - {0}', parameters('location'))]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/networkManagers', 'avnm')]" + ], + "metadata": { + "description": "This is the dynamic network group for all ALZ IDENTITY VNETs in the primary region." + } + }, + { + "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]", + "type": "Microsoft.Network/networkManagers/networkGroups", + "apiVersion": "2024-03-01", + "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-identity-{0}', parameters('locationSecondary')))]", + "properties": { + "memberType": "VirtualNetwork", + "description": "[format('Network Group - Identity - {0}', parameters('locationSecondary'))]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/networkManagers', 'avnm')]" + ], + "metadata": { + "description": "This is the dynamic network group for all ALZ IDENTITY VNETs in the secondary region, if selected." + } + }, + { + "type": "Microsoft.Network/networkManagers/networkGroups", + "apiVersion": "2024-03-01", + "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-management-{0}', parameters('location')))]", + "properties": { + "memberType": "VirtualNetwork", + "description": "[format('Network Group - Management - {0}', parameters('location'))]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/networkManagers', 'avnm')]" + ], + "metadata": { + "description": "This is the dynamic network group for all ALZ MANAGEMENT VNETs in the primary region." + } + }, + { + "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]", + "type": "Microsoft.Network/networkManagers/networkGroups", + "apiVersion": "2024-03-01", + "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-management-{0}', parameters('locationSecondary')))]", + "properties": { + "memberType": "VirtualNetwork", + "description": "[format('Network Group - Management - {0}', parameters('locationSecondary'))]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/networkManagers', 'avnm')]" + ], + "metadata": { + "description": "This is the dynamic network group for all ALZ MANAGEMENT VNETs in the secondary region, if selected." + } + }, + { + "type": "Microsoft.Network/networkManagers/networkGroups", + "apiVersion": "2024-03-01", + "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-connectivity-{0}', parameters('location')))]", + "properties": { + "memberType": "VirtualNetwork", + "description": "[format('Network Group - Connectivity - {0}', parameters('location'))]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/networkManagers', 'avnm')]" + ], + "metadata": { + "description": "This is the dynamic network group for all ALZ CONNECTIVITY VNETs in the primary region." + } + }, + { + "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]", + "type": "Microsoft.Network/networkManagers/networkGroups", + "apiVersion": "2024-03-01", + "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-connectivity-{0}', parameters('locationSecondary')))]", + "properties": { + "memberType": "VirtualNetwork", + "description": "[format('Network Group - Connectivity - {0}', parameters('locationSecondary'))]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/networkManagers', 'avnm')]" + ], + "metadata": { + "description": "This is the dynamic network group for all ALZ CONNECTIVITY VNETs in the secondary region, if selected." + } + }, + { + "type": "Microsoft.Network/networkManagers/networkGroups", + "apiVersion": "2024-03-01", + "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-sandbox-{0}', parameters('location')))]", + "properties": { + "memberType": "VirtualNetwork", + "description": "[format('Network Group - Sandbox - {0}', parameters('location'))]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/networkManagers', 'avnm')]" + ], + "metadata": { + "description": "This is the dynamic network group for all ALZ SANDBOX VNETs in the primary region." + } + }, + { + "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]", + "type": "Microsoft.Network/networkManagers/networkGroups", + "apiVersion": "2024-03-01", + "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-sandbox-{0}', parameters('locationSecondary')))]", + "properties": { + "memberType": "VirtualNetwork", + "description": "[format('Network Group - Sandbox - {0}', parameters('locationSecondary'))]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/networkManagers', 'avnm')]" + ], + "metadata": { + "description": "This is the dynamic network group for all ALZ SANDBOX VNETs in the secondary region, if selected." + } + }, + { + "type": "Microsoft.Network/networkManagers/networkGroups", + "apiVersion": "2024-03-01", + "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-decommissioned-{0}', parameters('location')))]", + "properties": { + "memberType": "VirtualNetwork", + "description": "[format('Network Group - Decommissioned - {0}', parameters('location'))]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/networkManagers', 'avnm')]" + ], + "metadata": { + "description": "This is the dynamic network group for all ALZ DECOMMISSIONED VNETs in the primary region." + } + }, + { + "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]", + "type": "Microsoft.Network/networkManagers/networkGroups", + "apiVersion": "2024-03-01", + "name": "[format('{0}/{1}', 'avnm', format('avnm-ng-decommissioned-{0}', parameters('locationSecondary')))]", + "properties": { + "memberType": "VirtualNetwork", + "description": "[format('Network Group - Decommissioned - {0}', parameters('locationSecondary'))]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/networkManagers', 'avnm')]" + ], + "metadata": { + "description": "This is the dynamic network group for all ALZ DECOMMISSIONED VNETs in the secondary region, if selected." + } + }, + { + "type": "Microsoft.Network/networkManagers/securityAdminConfigurations", + "apiVersion": "2023-11-01", + "name": "[format('{0}/{1}', 'avnm', 'sac-alz')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/networkManagers', 'avnm')]" + ], + "properties": { + "description": "ALZ Security Admin Configuration" + } + }, + { + "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections", + "apiVersion": "2024-03-01", + "name": "[format('{0}/{1}/{2}', 'avnm', 'sac-alz', 'rc-ALZ')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations', 'avnm', 'sac-alz')]", + "[resourceId('Microsoft.Network/networkManagers/networkGroups', 'avnm', 'avnm-ng-all')]" + ], + "properties": { + "appliesToGroups": [ + { + "networkGroupId": "[resourceId('Microsoft.Network/networkManagers/networkGroups', 'avnm', 'avnm-ng-all')]" + } + ] + } + }, + { + "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules", + "apiVersion": "2024-03-01", + "name": "[format('{0}/{1}/{2}/{3}', 'avnm', 'sac-alz', 'rc-ALZ', 'DenyMgmtInbound')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections', 'avnm', 'sac-alz', 'rc-ALZ')]" + ], + "kind": "Custom", + "properties": { + "description": "Deny VM Management inbound traffic, similar to the ALZ policy https://www.azadvertizer.net/azpolicyadvertizer/Deny-MgmtPorts-From-Internet.html", + "priority": 1000, + "sources": [ + { + "addressPrefixType": "ServiceTag", + "addressPrefix": "Internet" + } + ], + "destinationPortRanges": [ + "22", + "3389" + ], + "protocol": "Any", + "direction": "Inbound", + "access": "Deny" + } + }, + { + "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules", + "apiVersion": "2024-03-01", + "name": "[format('{0}/{1}/{2}/{3}', 'avnm', 'sac-alz', 'rc-ALZ', 'DenyHighRiskInboundTCP')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections', 'avnm', 'sac-alz', 'rc-ALZ')]" + ], + "kind": "Custom", + "properties": { + "description": "Deny high-risk TCP inbound traffic", + "priority": 1001, + "sources": [ + { + "addressPrefixType": "ServiceTag", + "addressPrefix": "Internet" + } + ], + "destinationPortRanges": [ + "20", + "21", + "23", + "119", + "161", + "445", + "512", + "514", + "873", + "5800", + "5900" + ], + "protocol": "TCP", + "direction": "Inbound", + "access": "Deny" + } + }, + { + "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules", + "apiVersion": "2024-03-01", + "name": "[format('{0}/{1}/{2}/{3}', 'avnm', 'sac-alz', 'rc-ALZ', 'DenyHighRiskInboundUDP')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections', 'avnm', 'sac-alz', 'rc-ALZ')]" + ], + "kind": "Custom", + "properties": { + "description": "Deny high-risk UDP inbound traffic", + "priority": 1002, + "sources": [ + { + "addressPrefixType": "ServiceTag", + "addressPrefix": "Internet" + } + ], + "destinationPortRanges": [ + "69", + "11211" + ], + "protocol": "UDP", + "direction": "Inbound", + "access": "Deny" + } + }, + { + "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules", + "apiVersion": "2024-03-01", + "name": "[format('{0}/{1}/{2}/{3}', 'avnm', 'sac-alz', 'rc-ALZ', 'DenyHighRiskInboundANY')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections', 'avnm', 'sac-alz', 'rc-ALZ')]" + ], + "kind": "Custom", + "properties": { + "description": "Deny high-risk ANY inbound traffic", + "priority": 1003, + "sources": [ + { + "addressPrefixType": "ServiceTag", + "addressPrefix": "Internet" + } + ], + "destinationPortRanges": [ + "111", + "135", + "162", + "593", + "2049" + ], + "protocol": "Any", + "direction": "Inbound", + "access": "Deny" + } + } + + ] + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "alz-avnm-uai", + "resourceGroup": "[variables('rgName')]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "location": { + "value": "[parameters('location')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.ManagedIdentity/userAssignedIdentities", + "apiVersion": "2022-01-31-preview", + "name": "[format('uai-avnm-{0}', parameters('location'))]", + "location": "[parameters('location')]", + "metadata": { + "description": "This user assigned identity is used by the Deployment Script resource to interact with Azure resources." + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[guid(resourceGroup().id, format('uai-avnm-{0}', parameters('location')))]", + "properties": { + "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-avnm-{0}', parameters('location'))), '2022-01-31-preview').principalId]", + "principalType": "ServicePrincipal" + }, + "dependsOn": [ + "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-avnm-{0}', parameters('location')))]" + ], + "metadata": { + "description": "This role assignment grants the user assigned identity the Contributor role on the resource group." + } + } + ], + "outputs": { + "userAssignedIdentityId": { + "type": "string", + "value": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('uai-avnm-{0}', parameters('location')))]" + } + } + } + }, + "dependsOn": [ + "[subscriptionResourceId('Microsoft.Resources/resourceGroups', variables('rgName'))]" + ] + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('ds-{0}-prereqs', parameters('location'))]", + "resourceGroup": "[variables('rgName')]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "location": { + "value": "[parameters('location')]" + }, + "locationSecondary": { + "value": "[parameters('locationSecondary')]" + }, + "userAssignedIdentityId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, variables('rgName')), 'Microsoft.Resources/deployments', 'alz-avnm-uai'), '2022-09-01').outputs.userAssignedIdentityId.value]" + }, + "rgName": { + "value": "[variables('rgName')]" + }, + "configIds": { + "value": "[variables('configIds')]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('connectivitySubscriptionId')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "locationSecondary": { + "type": "string" + }, + "userAssignedIdentityId": { + "type": "string" + }, + "rgName": { + "type": "string" + }, + "configIds": { + "type": "string" + }, + "connectivitySubscriptionId": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Resources/deploymentScripts", + "apiVersion": "2020-10-01", + "name": "alz-avnm-deploymentscript", + "location": "[parameters('location')]", + "kind": "AzurePowerShell", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[format('{0}', parameters('userAssignedIdentityId'))]": {} + } + }, + "properties": { + "azPowerShellVersion": "12.3", + "retentionInterval": "PT1H", + "timeout": "PT1H", + "arguments": "[format('-location \"{0}\" -locationSecond \"{1}\" -rgName \"{2}\" -configIds \"{3}\" -connSubId \"{4}\"', parameters('location'), parameters('locationSecondary'), parameters('rgName'), parameters('configIds'), parameters('connectivitySubscriptionId'))]", + "scriptContent": " + param( + [string] + $location, + + [string] + $locationSecond, + + [string] + $rgName, + + [string] + $configIds, + + [string] + $connSubId + ) + + $regions = @($location, $locationSecond) + + Select-AzSubscription -SubscriptionId $connSubId + + Deploy-AzNetworkManagerCommit -ResourceGroupName $rgName -Name \"avnm\" -TargetLocation $regions -CommitType \"SecurityAdmin\" -ConfigurationId $configIds + + " + } + } + ], + "outputs": {} + } + }, + "dependsOn": [ + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, variables('rgName')), 'Microsoft.Resources/deployments', variables('resourceDeploymentName'))]", + "[subscriptionResourceId('Microsoft.Resources/resourceGroups', variables('rgName'))]" + ] + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/eslzArm/subscriptionTemplates/avnmPolicy.json b/eslzArm/subscriptionTemplates/avnmPolicy.json new file mode 100644 index 0000000000..597d30b18f --- /dev/null +++ b/eslzArm/subscriptionTemplates/avnmPolicy.json @@ -0,0 +1,1308 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "maxLength": 10, + "metadata": { + "description": "Provide a prefix (max 10 characters, unique at tenant-scope) for the Management Group hierarchy and other resources created as part of Enterprise-scale." + } + }, + "location": { + "type": "string", + "metadata": { + "displayName": "location", + "description": "Primary region for all resources." + }, + "defaultValue": "[deployment().location]" + }, + "locationSecondary": { + "type": "string", + "metadata": { + "displayName": "location", + "description": "Secondary region for all resources." + }, + "defaultValue": "" + }, + "connectivitySubscriptionId": { + "type": "string", + "metadata": { + "description": "Provide the subscriptionId you will place into the management group" + } + }, + "enableSecondaryRegion": { + "type": "string", + "metadata": { + "description": "Enable secondary region for instances deploying in multiple regions" + }, + "defaultValue": "No" + } + }, + "variables": { + "networkGroupIdAll": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', 'avnm-ng-all')]", + "networkGroupIdRegion1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-{0}', parameters('location')))]", + "networkGroupIdRegion2": "[if(equals(parameters('enableSecondaryRegion'), 'No'), '', resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-{0}', parameters('locationSecondary'))))]" + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2023-04-01", + "name": "[uniqueString(variables('networkGroupIdAll'))]", + "properties": { + "description": "AVNM intermediate root group membership Policy", + "displayName": "AVNM intermediate root group membership Policy", + "mode": "Microsoft.Network.Data", + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupIdAll')]" + } + } + } + } + }, + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2023-04-01", + "name": "[uniqueString(variables('networkGroupIdAll'))]", + "location": "[parameters('location')]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "AVNM intermediate root group membership Policy", + "displayName": "AVNM intermediate root group membership Policy", + "enforcementMode": "Default", + "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdAll')))]" + }, + "dependsOn": [ + "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdAll')))]" + ] + }, + { + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2023-04-01", + "name": "[uniqueString(variables('networkGroupIdRegion1'))]", + "properties": { + "description": "AVNM intermediate root group membership Policy", + "displayName": "AVNM intermediate root group membership Policy", + "mode": "Microsoft.Network.Data", + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupIdRegion1')]" + } + } + } + } + }, + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2023-04-01", + "name": "[uniqueString(variables('networkGroupIdRegion1'))]", + "location": "[parameters('location')]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "AVNM intermediate root group membership Policy", + "displayName": "AVNM intermediate root group membership Policy", + "enforcementMode": "Default", + "resourceSelectors": [ + { + "name": "regionalResource", + "selectors": [ + { + "kind": "ResourceLocation", + "in": [ + "[parameters('location')]" + ] + } + ] + } + ], + "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdRegion1')))]" + }, + "dependsOn": [ + "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdRegion1')))]" + ] + }, + { + "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2023-04-01", + "name": "[uniqueString(variables('networkGroupIdRegion2'))]", + "properties": { + "description": "AVNM intermediate root group membership Policy", + "displayName": "AVNM intermediate root group membership Policy", + "mode": "Microsoft.Network.Data", + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupIdRegion2')]" + } + } + } + } + }, + { + "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2023-04-01", + "name": "[uniqueString(variables('networkGroupIdRegion2'))]", + "location": "[parameters('locationSecondary')]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "AVNM intermediate root group membership Policy", + "displayName": "AVNM intermediate root group membership Policy", + "enforcementMode": "Default", + "resourceSelectors": [ + { + "name": "regionalResource", + "selectors": [ + { + "kind": "ResourceLocation", + "in": [ + "[parameters('locationSecondary')]" + ] + } + ] + } + ], + "policyDefinitionId": "[managementGroupResourceId('Microsoft.Authorization/policyDefinitions', uniqueString(variables('networkGroupIdRegion2')))]" + }, + "dependsOn": [ + "[format('Microsoft.Authorization/policyDefinitions/{0}', uniqueString(variables('networkGroupIdRegion2')))]" + ] + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "policyCorp", + "scope": "[format('Microsoft.Management/managementGroups/{0}', format('{0}-corp', parameters('topLevelManagementGroupPrefix')))]", + "location": "[deployment().location]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "location": { + "value": "[parameters('location')]" + }, + "locationSecondary": { + "value": "[parameters('locationSecondary')]" + }, + "mgmtGroup": { + "value": "[format('{0}-corp', parameters('topLevelManagementGroupPrefix'))]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('connectivitySubscriptionId')]" + }, + "enableSecondaryRegion": { + "value": "[parameters('enableSecondaryRegion')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "locationSecondary": { + "type": "string" + }, + "mgmtGroup": { + "type": "string" + }, + "connectivitySubscriptionId": { + "type": "string" + }, + "enableSecondaryRegion": { + "type": "string" + } + }, + "variables": { + "networkGroupId1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-corp-{0}', parameters('location')))]", + "networkGroupId2": "[if(equals(parameters('enableSecondaryRegion'), 'No'), '', resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-corp-{0}', parameters('locationSecondary'))))]" + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2023-04-01", + "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location'))]", + "properties": { + "policyType": "Custom", + "mode": "Microsoft.Network.Data", + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupId1')]" + } + } + } + } + }, + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2023-04-01", + "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}1', parameters('mgmtGroup')))]", + "properties": { + "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]", + "resourceSelectors": [ + { + "name": "regionalResource", + "selectors": [ + { + "kind": "ResourceLocation", + "in": [ + "[parameters('location')]" + ] + } + ] + } + ] + }, + "dependsOn": [ + "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]" + ] + }, + { + "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2023-04-01", + "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary'))]", + "properties": { + "policyType": "Custom", + "mode": "Microsoft.Network.Data", + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupId2')]" + } + } + } + } + }, + { + "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2023-04-01", + "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}2', parameters('mgmtGroup')))]", + "properties": { + "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary')))]", + "resourceSelectors": [ + { + "name": "regionalResource", + "selectors": [ + { + "kind": "ResourceLocation", + "in": [ + "[parameters('locationSecondary')]" + ] + } + ] + } + ] + }, + "dependsOn": [ + "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary')))]" + ] + } + ] + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "policyOnline", + "scope": "[format('Microsoft.Management/managementGroups/{0}', format('{0}-online', parameters('topLevelManagementGroupPrefix')))]", + "location": "[deployment().location]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "location": { + "value": "[parameters('location')]" + }, + "locationSecondary": { + "value": "[parameters('locationSecondary')]" + }, + "mgmtGroup": { + "value": "[format('{0}-online', parameters('topLevelManagementGroupPrefix'))]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('connectivitySubscriptionId')]" + }, + "enableSecondaryRegion": { + "value": "[parameters('enableSecondaryRegion')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "locationSecondary": { + "type": "string" + }, + "mgmtGroup": { + "type": "string" + }, + "connectivitySubscriptionId": { + "type": "string" + }, + "enableSecondaryRegion": { + "type": "string" + } + }, + "variables": { + "networkGroupId1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-online-{0}', parameters('location')))]", + "networkGroupId2": "[if(equals(parameters('enableSecondaryRegion'), 'No'), '', resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-online-{0}', parameters('locationSecondary'))))]" + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2023-04-01", + "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location'))]", + "properties": { + "policyType": "Custom", + "mode": "Microsoft.Network.Data", + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupId1')]" + } + } + } + } + }, + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2023-04-01", + "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}1', parameters('mgmtGroup')))]", + "properties": { + "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]", + "resourceSelectors": [ + { + "name": "regionalResource", + "selectors": [ + { + "kind": "ResourceLocation", + "in": [ + "[parameters('location')]" + ] + } + ] + } + ] + }, + "dependsOn": [ + "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]" + ] + }, + { + "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2023-04-01", + "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary'))]", + "properties": { + "policyType": "Custom", + "mode": "Microsoft.Network.Data", + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupId2')]" + } + } + } + } + }, + { + "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2023-04-01", + "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}2', parameters('mgmtGroup')))]", + "properties": { + "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary')))]", + "resourceSelectors": [ + { + "name": "regionalResource", + "selectors": [ + { + "kind": "ResourceLocation", + "in": [ + "[parameters('locationSecondary')]" + ] + } + ] + } + ] + }, + "dependsOn": [ + "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary')))]" + ] + } + ] + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "policyIdentity", + "scope": "[format('Microsoft.Management/managementGroups/{0}', format('{0}-identity', parameters('topLevelManagementGroupPrefix')))]", + "location": "[deployment().location]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "location": { + "value": "[parameters('location')]" + }, + "locationSecondary": { + "value": "[parameters('locationSecondary')]" + }, + "mgmtGroup": { + "value": "[format('{0}-identity', parameters('topLevelManagementGroupPrefix'))]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('connectivitySubscriptionId')]" + }, + "enableSecondaryRegion": { + "value": "[parameters('enableSecondaryRegion')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "locationSecondary": { + "type": "string" + }, + "mgmtGroup": { + "type": "string" + }, + "connectivitySubscriptionId": { + "type": "string" + }, + "enableSecondaryRegion": { + "type": "string" + } + }, + "variables": { + "networkGroupId1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-identity-{0}', parameters('location')))]", + "networkGroupId2": "[if(equals(parameters('enableSecondaryRegion'), 'No'), '', resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-identity-{0}', parameters('locationSecondary'))))]" + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2023-04-01", + "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location'))]", + "properties": { + "policyType": "Custom", + "mode": "Microsoft.Network.Data", + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupId1')]" + } + } + } + } + }, + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2023-04-01", + "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}1', parameters('mgmtGroup')))]", + "properties": { + "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]", + "resourceSelectors": [ + { + "name": "regionalResource", + "selectors": [ + { + "kind": "ResourceLocation", + "in": [ + "[parameters('location')]" + ] + } + ] + } + ] + }, + "dependsOn": [ + "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]" + ] + }, + { + "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2023-04-01", + "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary'))]", + "properties": { + "policyType": "Custom", + "mode": "Microsoft.Network.Data", + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupId2')]" + } + } + } + } + }, + { + "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2023-04-01", + "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}2', parameters('mgmtGroup')))]", + "properties": { + "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary')))]", + "resourceSelectors": [ + { + "name": "regionalResource", + "selectors": [ + { + "kind": "ResourceLocation", + "in": [ + "[parameters('locationSecondary')]" + ] + } + ] + } + ] + }, + "dependsOn": [ + "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary')))]" + ] + } + ] + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "policyManagement", + "scope": "[format('Microsoft.Management/managementGroups/{0}', format('{0}-management', parameters('topLevelManagementGroupPrefix')))]", + "location": "[deployment().location]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "location": { + "value": "[parameters('location')]" + }, + "locationSecondary": { + "value": "[parameters('locationSecondary')]" + }, + "mgmtGroup": { + "value": "[format('{0}-management', parameters('topLevelManagementGroupPrefix'))]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('connectivitySubscriptionId')]" + }, + "enableSecondaryRegion": { + "value": "[parameters('enableSecondaryRegion')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "locationSecondary": { + "type": "string" + }, + "mgmtGroup": { + "type": "string" + }, + "connectivitySubscriptionId": { + "type": "string" + }, + "enableSecondaryRegion": { + "type": "string" + } + }, + "variables": { + "networkGroupId1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-management-{0}', parameters('location')))]", + "networkGroupId2": "[if(equals(parameters('enableSecondaryRegion'), 'No'), '', resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-management-{0}', parameters('locationSecondary'))))]" + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2023-04-01", + "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location'))]", + "properties": { + "policyType": "Custom", + "mode": "Microsoft.Network.Data", + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupId1')]" + } + } + } + } + }, + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2023-04-01", + "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}1', parameters('mgmtGroup')))]", + "properties": { + "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]", + "resourceSelectors": [ + { + "name": "regionalResource", + "selectors": [ + { + "kind": "ResourceLocation", + "in": [ + "[parameters('location')]" + ] + } + ] + } + ] + }, + "dependsOn": [ + "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]" + ] + }, + { + "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2023-04-01", + "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary'))]", + "properties": { + "policyType": "Custom", + "mode": "Microsoft.Network.Data", + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupId2')]" + } + } + } + } + }, + { + "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2023-04-01", + "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}2', parameters('mgmtGroup')))]", + "properties": { + "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary')))]", + "resourceSelectors": [ + { + "name": "regionalResource", + "selectors": [ + { + "kind": "ResourceLocation", + "in": [ + "[parameters('locationSecondary')]" + ] + } + ] + } + ] + }, + "dependsOn": [ + "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary')))]" + ] + } + ] + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "policyConnectivity", + "scope": "[format('Microsoft.Management/managementGroups/{0}', format('{0}-connectivity', parameters('topLevelManagementGroupPrefix')))]", + "location": "[deployment().location]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "location": { + "value": "[parameters('location')]" + }, + "locationSecondary": { + "value": "[parameters('locationSecondary')]" + }, + "mgmtGroup": { + "value": "[format('{0}-connectivity', parameters('topLevelManagementGroupPrefix'))]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('connectivitySubscriptionId')]" + }, + "enableSecondaryRegion": { + "value": "[parameters('enableSecondaryRegion')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "locationSecondary": { + "type": "string" + }, + "mgmtGroup": { + "type": "string" + }, + "connectivitySubscriptionId": { + "type": "string" + }, + "enableSecondaryRegion": { + "type": "string" + } + }, + "variables": { + "networkGroupId1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-connectivity-{0}', parameters('location')))]", + "networkGroupId2": "[if(equals(parameters('enableSecondaryRegion'), 'No'), '', resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-connectivity-{0}', parameters('locationSecondary'))))]" + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2023-04-01", + "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location'))]", + "properties": { + "policyType": "Custom", + "mode": "Microsoft.Network.Data", + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupId1')]" + } + } + } + } + }, + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2023-04-01", + "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}1', parameters('mgmtGroup')))]", + "properties": { + "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]", + "resourceSelectors": [ + { + "name": "regionalResource", + "selectors": [ + { + "kind": "ResourceLocation", + "in": [ + "[parameters('location')]" + ] + } + ] + } + ] + }, + "dependsOn": [ + "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]" + ] + }, + { + "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2023-04-01", + "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary'))]", + "properties": { + "policyType": "Custom", + "mode": "Microsoft.Network.Data", + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupId2')]" + } + } + } + } + }, + { + "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2023-04-01", + "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}2', parameters('mgmtGroup')))]", + "properties": { + "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary')))]", + "resourceSelectors": [ + { + "name": "regionalResource", + "selectors": [ + { + "kind": "ResourceLocation", + "in": [ + "[parameters('locationSecondary')]" + ] + } + ] + } + ] + }, + "dependsOn": [ + "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary')))]" + ] + } + ] + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "policySandbox", + "scope": "[format('Microsoft.Management/managementGroups/{0}', format('{0}-sandboxes', parameters('topLevelManagementGroupPrefix')))]", + "location": "[deployment().location]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "location": { + "value": "[parameters('location')]" + }, + "locationSecondary": { + "value": "[parameters('locationSecondary')]" + }, + "mgmtGroup": { + "value": "[format('{0}-sandboxes', parameters('topLevelManagementGroupPrefix'))]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('connectivitySubscriptionId')]" + }, + "enableSecondaryRegion": { + "value": "[parameters('enableSecondaryRegion')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "locationSecondary": { + "type": "string" + }, + "mgmtGroup": { + "type": "string" + }, + "connectivitySubscriptionId": { + "type": "string" + }, + "enableSecondaryRegion": { + "type": "string" + } + }, + "variables": { + "networkGroupId1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-sandbox-{0}', parameters('location')))]", + "networkGroupId2": "[if(equals(parameters('enableSecondaryRegion'), 'No'), '', resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-sandbox-{0}', parameters('locationSecondary'))))]" + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2023-04-01", + "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location'))]", + "properties": { + "policyType": "Custom", + "mode": "Microsoft.Network.Data", + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupId1')]" + } + } + } + } + }, + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2023-04-01", + "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}1', parameters('mgmtGroup')))]", + "properties": { + "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]", + "resourceSelectors": [ + { + "name": "regionalResource", + "selectors": [ + { + "kind": "ResourceLocation", + "in": [ + "[parameters('location')]" + ] + } + ] + } + ] + }, + "dependsOn": [ + "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]" + ] + }, + { + "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2023-04-01", + "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary'))]", + "properties": { + "policyType": "Custom", + "mode": "Microsoft.Network.Data", + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupId2')]" + } + } + } + } + }, + { + "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2023-04-01", + "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}2', parameters('mgmtGroup')))]", + "properties": { + "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary')))]", + "resourceSelectors": [ + { + "name": "regionalResource", + "selectors": [ + { + "kind": "ResourceLocation", + "in": [ + "[parameters('locationSecondary')]" + ] + } + ] + } + ] + }, + "dependsOn": [ + "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary')))]" + ] + } + ] + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "policyDecommissioned", + "scope": "[format('Microsoft.Management/managementGroups/{0}', format('{0}-decommissioned', parameters('topLevelManagementGroupPrefix')))]", + "location": "[deployment().location]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "location": { + "value": "[parameters('location')]" + }, + "locationSecondary": { + "value": "[parameters('locationSecondary')]" + }, + "mgmtGroup": { + "value": "[format('{0}-decommissioned', parameters('topLevelManagementGroupPrefix'))]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('connectivitySubscriptionId')]" + }, + "enableSecondaryRegion": { + "value": "[parameters('enableSecondaryRegion')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "locationSecondary": { + "type": "string" + }, + "mgmtGroup": { + "type": "string" + }, + "connectivitySubscriptionId": { + "type": "string" + }, + "enableSecondaryRegion": { + "type": "string" + } + }, + "variables": { + "networkGroupId1": "[resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-decommissioned-{0}', parameters('location')))]", + "networkGroupId2": "[if(equals(parameters('enableSecondaryRegion'), 'No'), '', resourceId(parameters('connectivitySubscriptionId'), 'rg-alz-avnm', 'Microsoft.Network/networkManagers/networkGroups', 'avnm', format('avnm-ng-decommissioned-{0}', parameters('locationSecondary'))))]" + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2023-04-01", + "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location'))]", + "properties": { + "policyType": "Custom", + "mode": "Microsoft.Network.Data", + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupId1')]" + } + } + } + } + }, + { + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2023-04-01", + "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}1', parameters('mgmtGroup')))]", + "properties": { + "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]", + "resourceSelectors": [ + { + "name": "regionalResource", + "selectors": [ + { + "kind": "ResourceLocation", + "in": [ + "[parameters('location')]" + ] + } + ] + } + ] + }, + "dependsOn": [ + "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('location')))]" + ] + }, + { + "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]", + "type": "Microsoft.Authorization/policyDefinitions", + "apiVersion": "2023-04-01", + "name": "[format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary'))]", + "properties": { + "policyType": "Custom", + "mode": "Microsoft.Network.Data", + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + } + ] + }, + "then": { + "effect": "addToNetworkGroup", + "details": { + "networkGroupId": "[variables('networkGroupId2')]" + } + } + } + } + }, + { + "condition": "[equals(parameters('enableSecondaryRegion'), 'Yes')]", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2023-04-01", + "name": "[uniqueString(format('ALZAvnmPolicyAssignment{0}2', parameters('mgmtGroup')))]", + "properties": { + "policyDefinitionId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary')))]", + "resourceSelectors": [ + { + "name": "regionalResource", + "selectors": [ + { + "kind": "ResourceLocation", + "in": [ + "[parameters('locationSecondary')]" + ] + } + ] + } + ] + }, + "dependsOn": [ + "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyDefinitions', format('ALZAvnmPolicy{0}{1}', parameters('mgmtGroup'), parameters('locationSecondary')))]" + ] + } + ] + } + } + } + ] +} \ No newline at end of file From 17745a07a05a3b1f5fc82aada83a9fd314b26ef3 Mon Sep 17 00:00:00 2001 From: Cassie Kays <86622587+cassiekays@users.noreply.github.com> Date: Wed, 15 Jan 2025 23:49:57 -0800 Subject: [PATCH 11/18] Encrypt transit update (#1865) Co-authored-by: Sacha Narinx --- docs/wiki/ALZ-Deprecated-Services.md | 1 + docs/wiki/Whats-new.md | 1 + ...-DINE-APPEND-TLS-SSL-PolicyAssignment.json | 2 +- .../policyDefinitions/initiatives.json | 122 +-- .../customRoleDefinitions.json | 4 +- .../Enforce-EncryptTransit_20240509.json | 10 +- .../Enforce-EncryptTransit_20241211.json | 956 ++++++++++++++++++ src/templates/initiatives.bicep | 1 + 8 files changed, 1030 insertions(+), 67 deletions(-) create mode 100644 src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20241211.json diff --git a/docs/wiki/ALZ-Deprecated-Services.md b/docs/wiki/ALZ-Deprecated-Services.md index 564b945fbd..1ce54a74b5 100644 --- a/docs/wiki/ALZ-Deprecated-Services.md +++ b/docs/wiki/ALZ-Deprecated-Services.md @@ -34,6 +34,7 @@ Policies being deprecated: | Deploy SQL Database Vulnerability Assessments
ID: [`Deploy-Sql-vulnerabilityAssessments`](https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Sql-vulnerabilityAssessments.html) | [`Deploy-Sql-vulnerabilityAssessments_20230706`](https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Sql-vulnerabilityAssessments_20230706.html) | Custom policy replaced by updated custom policy providing bug fix | | Deploy Microsoft Defender for Cloud configuration
ID: [`Deploy-MDFC-Config`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config.html) | [`Deploy-MDFC-Config_20240319`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config_20240319.html) | Custom initiative replaced by updated custom initiative due to breaking changes | | Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit
ID: [`Enforce-EncryptTransit`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit.html) | [`Enforce-EncryptTransit_20240509`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit_20240509.html) | Custom initiative replaced by updated custom initiative due to breaking changes | +| Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit
ID: [`Enforce-EncryptTransit_20240509`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit.html) | [`Enforce-EncryptTransit_20241211`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit_20241211.html) | Custom initiative replaced by updated custom initiative due to breaking changes | | Deploy SQL Database built-in SQL security configuration
ID: [`Deploy-SQL-Security`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-SQL-Security.html) | [`Deploy-SQL-Security_20240529`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-SQL-Security_20240529.html) | Custom initiative replaced by updated custom initiative due to breaking changes | | Configure SQL VM and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LAW
ID: `Deploy-MDFC-DefenderSQL-AMA` | [`de01d381-bae9-4670-8870-786f89f49e26`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/de01d381-bae9-4670-8870-786f89f49e26.html) | Custom policy replaced by built-in requires less administration overhead | | Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL
ID: `Deploy-MDFC-SQL-DefenderSQL` | [`ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce`](https://www.azadvertizer.net/azpolicyadvertizer/ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce.html) | Custom policy replaced by built-in requires less administration overhead | diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md index b3fdeeccd8..18e736ffdd 100644 --- a/docs/wiki/Whats-new.md +++ b/docs/wiki/Whats-new.md @@ -63,6 +63,7 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones: - Updated the policy and policySet definition API version `2023-04-01` to supporting policy versioning. In this repo, this is used in the master policies.json and initiatives.json files, that are built from individual policy and initiative files in the src folder. - Added description for custom ALZ policy [Deny-Subnet-Without-Penp](https://www.azadvertizer.net/azpolicyadvertizer/Deny-Subnet-Without-Penp.html) to the [ALZ Policies Extra](./ALZ-Policies-Extra) wiki page. - Updated initiative [Enforce-EncryptTransit_20240509](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit_20240509.html) `AppServiceMinTlsVersion` parameter to include TLS version 1.3 (as supported by the policy). +- Removed duplicate policy assignment "Container Apps should only be accessible over HTTPS" from initiative [Enforce-EncryptTransit_20241211](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit_2024.html). Note, this is a breaking change, and existing assignments should be removed and re-assigned. - Added new custom policies [Audit-Tags-Mandatory](https://www.azadvertizer.net/azpolicyadvertizer/Audit-Tags-Mandatory.html) and [Audit-Tags-Mandatory-Rg](https://www.azadvertizer.net/azpolicyadvertizer/Audit-Tags-Mandatory-Rg.html) to support auditing for the existence of mandatory tags (based on an array of tags). Not assigned by default. ### December 2024 diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENY-DINE-APPEND-TLS-SSL-PolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DENY-DINE-APPEND-TLS-SSL-PolicyAssignment.json index 717b54509a..6ab58e86dd 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DENY-DINE-APPEND-TLS-SSL-PolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DENY-DINE-APPEND-TLS-SSL-PolicyAssignment.json @@ -23,7 +23,7 @@ }, "variables": { "policyDefinitions": { - "deployEncryptionInTransit": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509')]" + "deployEncryptionInTransit": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20241211')]" }, "policyAssignmentNames": { "deployEncryptionInTransit": "Enforce-TLS-SSL-H224", diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json b/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json index 5045df57f0..2590865b25 100644 --- a/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json +++ b/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.31.34.60546", - "templateHash": "10867486657225631259" + "version": "0.32.4.45862", + "templateHash": "4520699863553122349" } }, "parameters": { @@ -78,60 +78,61 @@ ], "$fxv#0": "{\n \"name\": \"Audit-UnusedResourcesCostOptimization\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Unused resources driving cost should be avoided\",\n \"description\": \"Optimize cost by detecting unused but chargeable resources. Leverage this Azure Policy Initiative as a cost control tool to reveal orphaned resources that are contributing cost.\",\n \"metadata\": {\n \"version\": \"2.1.0\",\n \"category\": \"Cost Optimization\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effectDisks\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Disks Effect\",\n \"description\": \"Enable or disable the execution of the policy for Microsoft.Compute/disks\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectPublicIpAddresses\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"PublicIpAddresses Effect\",\n \"description\": \"Enable or disable the execution of the policy for Microsoft.Network/publicIpAddresses\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectServerFarms\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"ServerFarms Effect\",\n \"description\": \"Enable or disable the execution of the policy for Microsoft.Web/serverfarms\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AuditDisksUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-Disks-UnusedResourcesCostOptimization\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectDisks')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditPublicIpAddressesUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-PublicIpAddresses-UnusedResourcesCostOptimization\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectPublicIpAddresses')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditServerFarmsUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-ServerFarms-UnusedResourcesCostOptimization\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectServerFarms')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditAzureHybridBenefitUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-AzureHybridBenefit\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"Audit\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#1": "{\n \"name\": \"Audit-TrustedLaunch\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Audit virtual machines for Trusted Launch support\",\n \"description\": \"Trusted Launch improves security of a Virtual Machine which requires VM SKU, OS Disk & OS Image to support it (Gen 2). To learn more about Trusted Launch, visit https://aka.ms/trustedlaunch.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Trusted Launch\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"version\": \"1.0.0\",\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AuditDisksOsTrustedLaunch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b03bb370-5249-4ea4-9fce-2552e87e45fa\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditTrustedLaunchEnabled\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c95b54ad-0614-4633-ab29-104b01235cbf\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#10": "{\n \"name\": \"Enforce-Guardrails-KeyVault\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Azure Key Vault\",\n \"description\": \"Enforce recommended guardrails for Azure Key Vault.\",\n \"metadata\": {\n \"version\": \"2.2.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effectKvSoftDelete\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect - KV Soft Delete\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvPurgeProtection\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect - KV Purge Protection\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvSecretsExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect - KV Secrets Expiry\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvKeysExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect - KV Keys Expiry\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvFirewallEnabled\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect - KV Firewall Enabled\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvCertLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect - KV Certificate Lifetime\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"maximumCertLifePercentageLife\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The maximum lifetime percentage\",\n \"description\": \"Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate's valid life, enter '80'.\"\n },\n \"defaultValue\": 80\n },\n \"minimumCertLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvKeysLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect - KV Keys Lifetime\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumKeysLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvSecretsLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect - KV Secrets Lifetime\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumSecretsLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"keyVaultCheckMinimumRSACertificateSize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSACertificateSizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultManagedHsmCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultManagedHsmMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultArmRbac\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsPurgeProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificatesPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertValidPeriod\": {\n \"type\": \"integer\",\n \"defaultValue\": 12\n },\n \"keyVaultHmsKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultCertKeyTypes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultEllipticCurve\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCryptographicType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keysCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultSecretContentType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCaValue\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"The common name of the certificate authority\",\n \"description\": \"The common name (CN) of the Certificate Authority (CA) provider. For example, for an issuer CN = Contoso, OU = .., DC = .., you can specify Contoso\"\n }\n },\n \"keyVaultIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultIntegratedCaValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"DigiCert\",\n \"GlobalSign\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpirationValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultHmsCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsCurveNamesValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"P-256\",\n \"P-256K\",\n \"P-384\",\n \"P-521\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"KvSoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\",\n \"definitionVersion\": \"3.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSoftDelete')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvPurgeProtection\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvPurgeProtection')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvFirewallEnabled\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"definitionVersion\": \"3.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvFirewallEnabled')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvCertLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvCertLifetime')]\"\n },\n \"maximumPercentageLife\": {\n \"value\": \"[[parameters('maximumCertLifePercentageLife')]\"\n },\n \"minimumDaysBeforeExpiry\": {\n \"value\": \"[[parameters('minimumCertLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumKeysLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumSecretsLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinCertSize\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSACertificateSize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSACertificateSizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86810a98-8e91-4a44-8386-ec66d0de5d57\",\n \"policyDefinitionReferenceId\": \"Deny-keyVaultManagedHsm-RSA-Keys-without-MinKeySize\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultManagedHsmMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82067dbb-e53b-4e06-b631-546d197452d9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinKeySize\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-without-ArmRbac\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultArmRbac')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c39ba22d-4428-4149-b981-70acb31fc383\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-PurgeProtection\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsPurgeProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cert-Period\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificatesPeriod')]\"\n },\n \"maximumValidityInMonths\": {\n \"value\": \"[[parameters('keyVaultCertValidPeriod')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1d478a74-21ba-4b9f-9d8f-8e6fced0eec5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-Key-Expire\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/49a22571-d204-4c91-a7b6-09b1a586fbc9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Keys-Expire\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/342e8053-e12e-4c44-be01-c3c2f318400f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secrets-ValidityDays\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Types\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertKeyTypes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Elliptic-Curve\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultEllipticCurve')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75c4f823-d65c-4f29-a733-01d0077fdbcb\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cryptographic-Type\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCryptographicType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26e4b24-cf98-4c67-b48b-5a25c4c69eb9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Active\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Curve-Names\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysCurveNames')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8d99835-8a06-45ae-a8e0-87a91941ccfe\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secret-ActiveDays\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75262d3e-ba4a-4f43-85f8-9f72c090e5e3\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Secret-Content-Type\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultSecretContentType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Non-Integrated-Ca\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCa')]\"\n },\n \"caCommonName\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Integrated-Ca\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultIntegratedCa')]\"\n },\n \"allowedCAs\": {\n \"value\": \"[[parameters('keyVaultIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ad27588c-0198-4c84-81ef-08efd0274653\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-MinimumDays-Before-Expiration\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpiration')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpirationValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e58fd0c1-feac-4d12-92db-0a7e9421f53e\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-Curve-Names\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNames')]\"\n },\n \"allowedECNames\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNamesValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Cert-Expiration-Within-Specific-Number-Days\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays')]\"\n },\n \"daysToExpire\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#11": "{\n \"name\": \"Enforce-Guardrails-APIM\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for API Management\",\n \"description\": \"This policy initiative is a group of policies that ensures API Management is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"API Management\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"apiSubscriptionScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"minimumApiVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimSkuVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"apimApiBackendCertValidation\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimDirectApiEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimCallApiAuthn\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimEncryptedProtocols\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimVnetUsage\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimSecrets\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f1cc7827-022c-473e-836e-5a51cae0b249\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-without-Kv\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimSecrets')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ef619a2c-cc4d-4d03-b2ba-8c94a834d85b\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-without-Vnet\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimVnetUsage')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-APIM-TLS\",\n \"policyDefinitionReferenceId\": \"Deny-APIM-TLS\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee7495e7-3ba7-40b6-bfee-c29e22cc75d4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Protocols\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimEncryptedProtocols')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c15dcc82-b93c-4dcb-9332-fbf121685b54\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Authn\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimCallApiAuthn')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b741306c-968e-4b67-b916-5675e5c709f4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Direct-Endpoint\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimDirectApiEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92bb331d-ac71-416a-8c91-02f2cb734ce4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Cert-Validation\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimApiBackendCertValidation')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7ca8c8ac-3a6e-493d-99ba-c5fa35347ff2\",\n \"policyDefinitionReferenceId\": \"Dine-Apim-Public-NetworkAccess\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimDisablePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/73ef9241-5d81-4cd4-b483-8443d1730fe5\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Sku-Vnet\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimSkuVnet')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/549814b6-3212-4203-bdc8-1548d342fb67\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Version\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('minimumApiVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3aa03346-d8c5-4994-a5bc-7652c2a2aef1\",\n \"policyDefinitionReferenceId\": \"Deny-Api-subscription-scope\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apiSubscriptionScope')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#12": "{\n \"name\": \"Enforce-Guardrails-AppServices\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for App Service\",\n \"description\": \"This policy initiative is a group of policies that ensures App Service is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"App Service\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"functionAppDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceSkuPl\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceDisableLocalAuthFtp\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceRouting\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceScmAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceRfc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsRfc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsVnetRouting\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceEnvLatestVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsRemoteDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsRemoteDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceByoc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsModifyHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppService-without-BYOC\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Byoc\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceByoc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a5e3fe8f-f6cd-4f1d-bbf6-c749754a724b\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Remote-Debugging\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsRemoteDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cca5adfe-626b-4cc6-8522-f5b6ed2391bd\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Remote-Debugging\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsRemoteDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/eb4d34ab-0929-491c-bbf3-61e13da19f9a\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Latest-Version\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceEnvLatestVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/801543d1-1953-4a90-b8b0-8cf6d41473a5\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Vnet-Routing\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsVnetRouting')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f5c0bfb3-acea-47b1-b477-b0edcdf6edc1\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Rfc\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceRfc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a691eacb-474d-47e4-b287-b4813ca44222\",\n \"policyDefinitionReferenceId\": \"Deny-AppServiceApps-Rfc\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsRfc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/70adbb40-e092-42d5-a6f8-71c540a5efdb\",\n \"policyDefinitionReferenceId\": \"DINE-FuncApp-Debugging\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e97b776-f380-4722-a9a3-e7f0be029e79\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-ScmAuth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceScmAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5747353b-1ca9-42c1-a4dd-b874b894f3d4\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-Routing\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceRouting')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/572e342c-c920-4ef5-be2e-1ed3c6a51dc5\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-FtpAuth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceDisableLocalAuthFtp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/546fe8d2-368d-4029-a418-6af48a7f61e5\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-SkuPl\",\n \"definitionVersion\": \"4.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceSkuPl')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2c034a29-2a5f-4857-b120-f800fe5549ae\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-LocalAuth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceDisableLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/25a5046c-c423-4805-9235-e844ae9ef49b\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-Debugging\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08cf2974-d178-48a0-b26d-f6b8e555748b\",\n \"policyDefinitionReferenceId\": \"Modify-Function-Apps-Slots-Https\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsModifyHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0f98368e-36bc-4716-8ac2-8f8067203b63\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-Https\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/242222f3-4985-4e99-b5ef-086d6a6cb01c\",\n \"policyDefinitionReferenceId\": \"Modify-Function-Apps-Slots-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2374605e-3e0b-492b-9046-229af202562c\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-Apps-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c6c3e00e-d414-4ca4-914f-406699bb8eee\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-App-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#13": "{\n \"name\": \"Enforce-Guardrails-Automation\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Automation Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Automation Account is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"aaModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"aaVariablesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"autoHotPatch\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d02d2f7-e38b-4bdc-96f3-adc0a8726abc\",\n \"policyDefinitionReferenceId\": \"Deny-Windows-Vm-HotPatch\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('autoHotPatch')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dea83a72-443c-4292-83d5-54a2f98749c0\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Managed-Identity\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/48c5f1cb-14ad-4797-8e3b-f78ab3f8d700\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Variables-Encrypt\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaVariablesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/30d1d58e-8f96-47a5-8564-499a3f3cca81\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyLocalAUth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/23b36a7c-9d26-4288-a8fd-c1d2fa284d8c\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#14": "{\n \"name\": \"Enforce-Guardrails-BotService\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Bot Service\",\n \"description\": \"This policy initiative is a group of policies that ensures Bot Service is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Bot Service\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"botServiceValidUri\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"audit\",\n \"Deny\",\n \"deny\",\n \"Disabled\",\n \"disabled\"\n ]\n },\n \"botServiceIsolatedMode\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"audit\",\n \"Deny\",\n \"deny\",\n \"Disabled\",\n \"disabled\"\n ]\n },\n \"botServiceLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"botServicePrivateLink\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6164527b-e1ee-4882-8673-572f425f5e0a\",\n \"policyDefinitionReferenceId\": \"Deny-BotService-Valid-Uri\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('botServiceValidUri')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/52152f42-0dda-40d9-976e-abb1acdd611e\",\n \"policyDefinitionReferenceId\": \"Deny-BotService-Isolated-Mode\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('botServiceIsolatedMode')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffea632e-4e3a-4424-bf78-10e179bb2e1a\",\n \"policyDefinitionReferenceId\": \"Deny-BotService-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('botServiceLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ad5621d6-a877-4407-aa93-a950b428315e\",\n \"policyDefinitionReferenceId\": \"Audit-BotService-Private-Link\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('botServicePrivateLink')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#15": "{\n \"name\": \"Enforce-Guardrails-CognitiveServices\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cognitive Services\",\n \"description\": \"This policy initiative is a group of policies that ensures Cognitive Services is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Cognitive Services\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cognitiveSearchSku\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveSearchLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyCognitiveSearchLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyCognitiveSearchPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesCustomerStorage\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesResourceLogs\": {\n \"type\": \"string\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a049bf77-880b-470f-ba6d-9f21c530cf83\",\n \"policyDefinitionReferenceId\": \"Deny-CognitiveSearch-SKU\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchSku')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6300012e-e9a4-4649-b41f-a85f5c43be91\",\n \"policyDefinitionReferenceId\": \"Deny-CongitiveSearch-LocalAuth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4eb216f2-9dba-4979-86e6-5d7e63ce3b75\",\n \"policyDefinitionReferenceId\": \"Modify-CogntiveSearch-LocalAuth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyCognitiveSearchLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9cee519f-d9c1-4fd9-9f79-24ec3449ed30\",\n \"policyDefinitionReferenceId\": \"Modify-CogntiveSearch-PublicEndpoint\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyCognitiveSearchPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47ba1dd7-28d9-4b07-a8d5-9813bed64e0c\",\n \"policyDefinitionReferenceId\": \"Modify-Cognitive-Services-Public-Network-Access\",\n \"definitionVersion\": \"3.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Managed-Identity\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/46aa9b05-0e60-4eae-a88b-1e9d374fa515\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Customer-Storage\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesCustomerStorage')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555\",\n \"policyDefinitionReferenceId\": \"Modify-Cognitive-Services-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4\",\n \"policyDefinitionReferenceId\": \"Aine-Cognitive-Services-Resource-Logs\",\n \"definitionVersion\": \"5.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesResourceLogs')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#16": "{\n \"name\": \"Enforce-Guardrails-Compute\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Compute\",\n \"description\": \"This policy initiative is a group of policies that ensures Compute is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Compute\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"diskDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vmAndVmssEncryptionHost\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc4d8e41-e223-45ea-9bf5-eada37891d87\",\n \"policyDefinitionReferenceId\": \"Deny-VmAndVmss-Encryption-Host\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vmAndVmssEncryptionHost')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ca91455f-eace-4f96-be59-e6e2c35b4816\",\n \"policyDefinitionReferenceId\": \"Deny-Disk-Double-Encryption\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('diskDoubleEncryption')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#17": "{\n \"name\": \"Enforce-Guardrails-ContainerApps\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Apps\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Container Apps\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerAppsManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsVnetInjection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8b346db6-85af-419b-8557-92cee2c0f9bb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApp-Vnet-Injection\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsVnetInjection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b874ab2d-72dd-47f1-8cb5-4a306478a4e7\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Managed-Identity\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsManagedIdentity')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#18": "{\n \"name\": \"Enforce-Guardrails-ContainerInstance\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Instance\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Container Instances\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerInstanceVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8af8f826-edcb-4178-b35f-851ea6fea615\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerInstance-Vnet\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerInstanceVnet')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#19": "{\n \"name\": \"Enforce-Guardrails-ContainerRegistry\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Registry\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Container Registry\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerRegistryUnrestrictedNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryRepositoryToken\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyRepositoryToken\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistryLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistryExports\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryAnAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyAnAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistrySkuPrivateLink\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryArmAudience\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyArmAudience\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/79fdfe03-ffcb-4e55-b4d0-b925b8241759\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a9b426fe-8856-4945-8600-18c5dd1cca2a\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Repo-Token\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyRepositoryToken')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/42781ec6-6127-4c30-bdfa-fb423a0047d3\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Arm-Audience\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryArmAudience')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/785596ed-054f-41bc-aaec-7f3d0ba05725\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Arm-Audience\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyArmAudience')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd560fc0-3c69-498a-ae9f-aa8eb7de0e13\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Sku-PrivateLink\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistrySkuPrivateLink')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cced2946-b08a-44fe-9fd9-e4ed8a779897\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Anonymous-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyAnAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9f2dea28-e834-476c-99c5-3507b4728395\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Anonymous-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryAnAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/524b0254-c285-4903-bee6-bb8126cde579\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Exports\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryExports')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc921057-6b28-4fbe-9b83-f7bec05db6c2\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff05e24e-195c-447e-b322-5e90c9f9f366\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Repo-Token\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryRepositoryToken')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Unrestricted-Network-Access\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryUnrestrictedNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a3701552-92ea-433e-9d17-33b7f1208fc9\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#10": "{\n \"name\": \"Deploy-AUM-CheckUpdates\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure periodic checking for missing system updates on azure virtual machines and Arc-enabled virtual machines\",\n \"description\": \"Configure auto-assessment (every 24 hours) for OS updates. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"assessmentMode\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Assessment mode\",\n \"description\": \"Assessment mode for the machines.\"\n },\n \"allowedValues\": [\n \"ImageDefault\",\n \"AutomaticByPlatform\"\n ],\n \"defaultValue\": \"AutomaticByPlatform\"\n },\n \"locations\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Machines locations\",\n \"description\": \"The list of locations from which machines need to be targeted.\",\n \"strongType\": \"location\"\n },\n \"defaultValue\": []\n },\n \"tagValues\": {\n \"type\": \"Object\",\n \"metadata\": {\n \"displayName\": \"Tags on machines\",\n \"description\": \"The list of tags that need to matched for getting target machines.\"\n },\n \"defaultValue\": {}\n },\n \"tagOperator\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Tag operator\",\n \"description\": \"Matching condition for resource tags\"\n },\n \"allowedValues\": [\n \"All\",\n \"Any\"\n ],\n \"defaultValue\": \"Any\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmCheckUpdateWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15\",\n \"definitionVersion\": \"4.*.*\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Windows\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmCheckUpdateLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15\",\n \"definitionVersion\": \"4.*.*\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Linux\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmArcCheckUpdateWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Windows\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmArcCheckUpdateLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Linux\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#11": "{\n \"name\": \"Enforce-Guardrails-KeyVault\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Azure Key Vault\",\n \"description\": \"Enforce recommended guardrails for Azure Key Vault.\",\n \"metadata\": {\n \"version\": \"2.2.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effectKvSoftDelete\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect - KV Soft Delete\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvPurgeProtection\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect - KV Purge Protection\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvSecretsExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect - KV Secrets Expiry\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvKeysExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect - KV Keys Expiry\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvFirewallEnabled\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect - KV Firewall Enabled\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvCertLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect - KV Certificate Lifetime\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"maximumCertLifePercentageLife\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The maximum lifetime percentage\",\n \"description\": \"Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate's valid life, enter '80'.\"\n },\n \"defaultValue\": 80\n },\n \"minimumCertLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvKeysLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect - KV Keys Lifetime\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumKeysLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvSecretsLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect - KV Secrets Lifetime\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumSecretsLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"keyVaultCheckMinimumRSACertificateSize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSACertificateSizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultManagedHsmCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultManagedHsmMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultArmRbac\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsPurgeProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificatesPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertValidPeriod\": {\n \"type\": \"integer\",\n \"defaultValue\": 12\n },\n \"keyVaultHmsKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultCertKeyTypes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultEllipticCurve\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCryptographicType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keysCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultSecretContentType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCaValue\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"The common name of the certificate authority\",\n \"description\": \"The common name (CN) of the Certificate Authority (CA) provider. For example, for an issuer CN = Contoso, OU = .., DC = .., you can specify Contoso\"\n }\n },\n \"keyVaultIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultIntegratedCaValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"DigiCert\",\n \"GlobalSign\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpirationValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultHmsCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsCurveNamesValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"P-256\",\n \"P-256K\",\n \"P-384\",\n \"P-521\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"KvSoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\",\n \"definitionVersion\": \"3.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSoftDelete')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvPurgeProtection\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvPurgeProtection')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvFirewallEnabled\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"definitionVersion\": \"3.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvFirewallEnabled')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvCertLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvCertLifetime')]\"\n },\n \"maximumPercentageLife\": {\n \"value\": \"[[parameters('maximumCertLifePercentageLife')]\"\n },\n \"minimumDaysBeforeExpiry\": {\n \"value\": \"[[parameters('minimumCertLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumKeysLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumSecretsLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinCertSize\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSACertificateSize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSACertificateSizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86810a98-8e91-4a44-8386-ec66d0de5d57\",\n \"policyDefinitionReferenceId\": \"Deny-keyVaultManagedHsm-RSA-Keys-without-MinKeySize\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultManagedHsmMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82067dbb-e53b-4e06-b631-546d197452d9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinKeySize\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-without-ArmRbac\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultArmRbac')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c39ba22d-4428-4149-b981-70acb31fc383\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-PurgeProtection\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsPurgeProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cert-Period\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificatesPeriod')]\"\n },\n \"maximumValidityInMonths\": {\n \"value\": \"[[parameters('keyVaultCertValidPeriod')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1d478a74-21ba-4b9f-9d8f-8e6fced0eec5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-Key-Expire\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/49a22571-d204-4c91-a7b6-09b1a586fbc9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Keys-Expire\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/342e8053-e12e-4c44-be01-c3c2f318400f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secrets-ValidityDays\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Types\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertKeyTypes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Elliptic-Curve\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultEllipticCurve')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75c4f823-d65c-4f29-a733-01d0077fdbcb\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cryptographic-Type\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCryptographicType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26e4b24-cf98-4c67-b48b-5a25c4c69eb9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Active\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Curve-Names\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysCurveNames')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8d99835-8a06-45ae-a8e0-87a91941ccfe\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secret-ActiveDays\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75262d3e-ba4a-4f43-85f8-9f72c090e5e3\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Secret-Content-Type\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultSecretContentType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Non-Integrated-Ca\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCa')]\"\n },\n \"caCommonName\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Integrated-Ca\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultIntegratedCa')]\"\n },\n \"allowedCAs\": {\n \"value\": \"[[parameters('keyVaultIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ad27588c-0198-4c84-81ef-08efd0274653\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-MinimumDays-Before-Expiration\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpiration')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpirationValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e58fd0c1-feac-4d12-92db-0a7e9421f53e\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-Curve-Names\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNames')]\"\n },\n \"allowedECNames\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNamesValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Cert-Expiration-Within-Specific-Number-Days\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays')]\"\n },\n \"daysToExpire\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#12": "{\n \"name\": \"Enforce-Guardrails-APIM\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for API Management\",\n \"description\": \"This policy initiative is a group of policies that ensures API Management is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"API Management\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"apiSubscriptionScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"minimumApiVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimSkuVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"apimApiBackendCertValidation\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimDirectApiEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimCallApiAuthn\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimEncryptedProtocols\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimVnetUsage\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimSecrets\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f1cc7827-022c-473e-836e-5a51cae0b249\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-without-Kv\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimSecrets')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ef619a2c-cc4d-4d03-b2ba-8c94a834d85b\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-without-Vnet\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimVnetUsage')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-APIM-TLS\",\n \"policyDefinitionReferenceId\": \"Deny-APIM-TLS\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee7495e7-3ba7-40b6-bfee-c29e22cc75d4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Protocols\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimEncryptedProtocols')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c15dcc82-b93c-4dcb-9332-fbf121685b54\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Authn\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimCallApiAuthn')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b741306c-968e-4b67-b916-5675e5c709f4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Direct-Endpoint\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimDirectApiEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92bb331d-ac71-416a-8c91-02f2cb734ce4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Cert-Validation\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimApiBackendCertValidation')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7ca8c8ac-3a6e-493d-99ba-c5fa35347ff2\",\n \"policyDefinitionReferenceId\": \"Dine-Apim-Public-NetworkAccess\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimDisablePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/73ef9241-5d81-4cd4-b483-8443d1730fe5\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Sku-Vnet\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimSkuVnet')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/549814b6-3212-4203-bdc8-1548d342fb67\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Version\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('minimumApiVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3aa03346-d8c5-4994-a5bc-7652c2a2aef1\",\n \"policyDefinitionReferenceId\": \"Deny-Api-subscription-scope\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apiSubscriptionScope')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#13": "{\n \"name\": \"Enforce-Guardrails-AppServices\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for App Service\",\n \"description\": \"This policy initiative is a group of policies that ensures App Service is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"App Service\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"functionAppDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceSkuPl\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceDisableLocalAuthFtp\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceRouting\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceScmAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceRfc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsRfc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsVnetRouting\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceEnvLatestVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsRemoteDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsRemoteDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceByoc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsModifyHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppService-without-BYOC\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Byoc\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceByoc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a5e3fe8f-f6cd-4f1d-bbf6-c749754a724b\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Remote-Debugging\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsRemoteDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cca5adfe-626b-4cc6-8522-f5b6ed2391bd\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Remote-Debugging\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsRemoteDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/eb4d34ab-0929-491c-bbf3-61e13da19f9a\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Latest-Version\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceEnvLatestVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/801543d1-1953-4a90-b8b0-8cf6d41473a5\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Vnet-Routing\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsVnetRouting')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f5c0bfb3-acea-47b1-b477-b0edcdf6edc1\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Rfc\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceRfc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a691eacb-474d-47e4-b287-b4813ca44222\",\n \"policyDefinitionReferenceId\": \"Deny-AppServiceApps-Rfc\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsRfc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/70adbb40-e092-42d5-a6f8-71c540a5efdb\",\n \"policyDefinitionReferenceId\": \"DINE-FuncApp-Debugging\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e97b776-f380-4722-a9a3-e7f0be029e79\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-ScmAuth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceScmAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5747353b-1ca9-42c1-a4dd-b874b894f3d4\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-Routing\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceRouting')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/572e342c-c920-4ef5-be2e-1ed3c6a51dc5\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-FtpAuth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceDisableLocalAuthFtp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/546fe8d2-368d-4029-a418-6af48a7f61e5\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-SkuPl\",\n \"definitionVersion\": \"4.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceSkuPl')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2c034a29-2a5f-4857-b120-f800fe5549ae\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-LocalAuth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceDisableLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/25a5046c-c423-4805-9235-e844ae9ef49b\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-Debugging\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08cf2974-d178-48a0-b26d-f6b8e555748b\",\n \"policyDefinitionReferenceId\": \"Modify-Function-Apps-Slots-Https\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsModifyHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0f98368e-36bc-4716-8ac2-8f8067203b63\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-Https\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/242222f3-4985-4e99-b5ef-086d6a6cb01c\",\n \"policyDefinitionReferenceId\": \"Modify-Function-Apps-Slots-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2374605e-3e0b-492b-9046-229af202562c\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-Apps-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c6c3e00e-d414-4ca4-914f-406699bb8eee\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-App-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#14": "{\n \"name\": \"Enforce-Guardrails-Automation\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Automation Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Automation Account is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"aaModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"aaVariablesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"autoHotPatch\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d02d2f7-e38b-4bdc-96f3-adc0a8726abc\",\n \"policyDefinitionReferenceId\": \"Deny-Windows-Vm-HotPatch\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('autoHotPatch')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dea83a72-443c-4292-83d5-54a2f98749c0\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Managed-Identity\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/48c5f1cb-14ad-4797-8e3b-f78ab3f8d700\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Variables-Encrypt\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaVariablesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/30d1d58e-8f96-47a5-8564-499a3f3cca81\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyLocalAUth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/23b36a7c-9d26-4288-a8fd-c1d2fa284d8c\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#15": "{\n \"name\": \"Enforce-Guardrails-BotService\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Bot Service\",\n \"description\": \"This policy initiative is a group of policies that ensures Bot Service is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Bot Service\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"botServiceValidUri\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"audit\",\n \"Deny\",\n \"deny\",\n \"Disabled\",\n \"disabled\"\n ]\n },\n \"botServiceIsolatedMode\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"audit\",\n \"Deny\",\n \"deny\",\n \"Disabled\",\n \"disabled\"\n ]\n },\n \"botServiceLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"botServicePrivateLink\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6164527b-e1ee-4882-8673-572f425f5e0a\",\n \"policyDefinitionReferenceId\": \"Deny-BotService-Valid-Uri\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('botServiceValidUri')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/52152f42-0dda-40d9-976e-abb1acdd611e\",\n \"policyDefinitionReferenceId\": \"Deny-BotService-Isolated-Mode\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('botServiceIsolatedMode')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffea632e-4e3a-4424-bf78-10e179bb2e1a\",\n \"policyDefinitionReferenceId\": \"Deny-BotService-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('botServiceLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ad5621d6-a877-4407-aa93-a950b428315e\",\n \"policyDefinitionReferenceId\": \"Audit-BotService-Private-Link\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('botServicePrivateLink')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#16": "{\n \"name\": \"Enforce-Guardrails-CognitiveServices\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cognitive Services\",\n \"description\": \"This policy initiative is a group of policies that ensures Cognitive Services is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Cognitive Services\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cognitiveSearchSku\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveSearchLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyCognitiveSearchLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyCognitiveSearchPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesCustomerStorage\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesResourceLogs\": {\n \"type\": \"string\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a049bf77-880b-470f-ba6d-9f21c530cf83\",\n \"policyDefinitionReferenceId\": \"Deny-CognitiveSearch-SKU\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchSku')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6300012e-e9a4-4649-b41f-a85f5c43be91\",\n \"policyDefinitionReferenceId\": \"Deny-CongitiveSearch-LocalAuth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4eb216f2-9dba-4979-86e6-5d7e63ce3b75\",\n \"policyDefinitionReferenceId\": \"Modify-CogntiveSearch-LocalAuth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyCognitiveSearchLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9cee519f-d9c1-4fd9-9f79-24ec3449ed30\",\n \"policyDefinitionReferenceId\": \"Modify-CogntiveSearch-PublicEndpoint\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyCognitiveSearchPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47ba1dd7-28d9-4b07-a8d5-9813bed64e0c\",\n \"policyDefinitionReferenceId\": \"Modify-Cognitive-Services-Public-Network-Access\",\n \"definitionVersion\": \"3.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Managed-Identity\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/46aa9b05-0e60-4eae-a88b-1e9d374fa515\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Customer-Storage\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesCustomerStorage')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555\",\n \"policyDefinitionReferenceId\": \"Modify-Cognitive-Services-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4\",\n \"policyDefinitionReferenceId\": \"Aine-Cognitive-Services-Resource-Logs\",\n \"definitionVersion\": \"5.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesResourceLogs')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#17": "{\n \"name\": \"Enforce-Guardrails-Compute\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Compute\",\n \"description\": \"This policy initiative is a group of policies that ensures Compute is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Compute\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"diskDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vmAndVmssEncryptionHost\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc4d8e41-e223-45ea-9bf5-eada37891d87\",\n \"policyDefinitionReferenceId\": \"Deny-VmAndVmss-Encryption-Host\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vmAndVmssEncryptionHost')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ca91455f-eace-4f96-be59-e6e2c35b4816\",\n \"policyDefinitionReferenceId\": \"Deny-Disk-Double-Encryption\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('diskDoubleEncryption')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#18": "{\n \"name\": \"Enforce-Guardrails-ContainerApps\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Apps\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Container Apps\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerAppsManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsVnetInjection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8b346db6-85af-419b-8557-92cee2c0f9bb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApp-Vnet-Injection\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsVnetInjection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b874ab2d-72dd-47f1-8cb5-4a306478a4e7\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Managed-Identity\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsManagedIdentity')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#19": "{\n \"name\": \"Enforce-Guardrails-ContainerInstance\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Instance\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Container Instances\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerInstanceVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8af8f826-edcb-4178-b35f-851ea6fea615\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerInstance-Vnet\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerInstanceVnet')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#2": "{\n \"name\": \"Deploy-Sql-Security\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deploy SQL Database built-in SQL security configuration\",\n \"description\": \"Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-Sql-Security_20240529.html\",\n \"metadata\": {\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"Deploy-Sql-Security_20240529\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"vulnerabilityAssessmentsEmail\": {\n \"metadata\": {\n \"description\": \"The email address to send alerts\",\n \"displayName\": \"The email address to send alerts\"\n },\n \"type\": \"String\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"metadata\": {\n \"description\": \"The storage account ID to store assessments\",\n \"displayName\": \"The storage account ID to store assessments\"\n },\n \"type\": \"String\"\n },\n \"SqlDbTdeDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database Transparent Data Encryption \",\n \"description\": \"Deploy the Transparent Data Encryption when it is not enabled in the deployment\"\n }\n },\n \"SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database security Alert Policies configuration with email admin accounts\",\n \"description\": \"Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration\"\n }\n },\n \"SqlDbAuditingSettingsDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL database auditing settings\",\n \"description\": \"Deploy auditing settings to SQL Database when it not exist in the deployment\"\n }\n },\n \"SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database vulnerability Assessments\",\n \"description\": \"Deploy SQL Database vulnerability Assessments when it not exist in the deployment. To the specific storage account in the parameters\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"SqlDbTdeDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbTdeDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbSecurityAlertPoliciesDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbAuditingSettingsDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbAuditingSettingsDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbVulnerabilityAssessmentsDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect')]\"\n },\n \"vulnerabilityAssessmentsEmail\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsStorageID')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#20": "{\n \"name\": \"Enforce-Guardrails-CosmosDb\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cosmos DB\",\n \"description\": \"This policy initiative is a group of policies that ensures Cosmos DB is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Cosmos DB\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cosmosDbLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbAtp\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc2d41d1-4ab1-4666-a3e1-3d51c43e0049\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b5f04e03-92a3-4b09-9410-2cc5e5047656\",\n \"policyDefinitionReferenceId\": \"Dine-CosmosDb-Atp\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbAtp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Fw-Rules\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5\",\n \"policyDefinitionReferenceId\": \"Append-CosmosDb-Metadata\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da69ba51-aaf1-41e5-8651-607cd0b37088\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyPublicAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#21": "{\n \"name\": \"Enforce-Guardrails-DataExplorer\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Data Explorer\",\n \"description\": \"This policy initiative is a group of policies that ensures Data Explorer is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Azure Data Explorer\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"adxEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxSku\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1fec9658-933f-4b3e-bc95-913ed22d012b\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Sku-without-PL-Support\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxSku')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Double-Encryption\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f4b53539-8df9-40e4-86c6-6b607703bd4e\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Encryption\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7b32f193-cb28-4e15-9a98-b9556db0bafa\",\n \"policyDefinitionReferenceId\": \"Modify-ADX-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#22": "{\n \"name\": \"Enforce-Guardrails-DataFactory\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Data Factory\",\n \"description\": \"This policy initiative is a group of policies that ensures Data Factory is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Data Factory\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"adfSqlIntegration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfLinkedServiceKeyVault\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfGit\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f78ccdb4-7bf4-4106-8647-270491d2978a\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Managed-Identity\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/77d40665-3120-4348-b539-3192ec808307\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Git\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfGit')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/127ef6d7-242f-43b3-9eef-947faf1725d0\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Linked-Service-Key-Vault\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfLinkedServiceKeyVault')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0088bc63-6dee-4a9c-9d29-91cfdc848952\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Sql-Integration\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfSqlIntegration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08b1442b-7789-4130-8506-4f99a97226a7\",\n \"policyDefinitionReferenceId\": \"Modify-Adf-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#23": "{\n \"name\": \"Enforce-Guardrails-EventGrid\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Event Grid\",\n \"description\": \"This policy initiative is a group of policies that ensures Event Grid is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Event Grid\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"eventGridLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridPartnerNamespaceLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridPartnerNamespaceModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridDomainModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridDomainModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2dd0e8b9-4289-4bb0-b813-1883298e9924\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Partner-Namespace-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridPartnerNamespaceModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8ac2748f-3bf1-4c02-a3b6-92ae68cf75b1\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Domain-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridDomainModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae9fb87f-8a17-4428-94a4-8135d431055c\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Topic-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c8144d9-746a-4501-b08c-093c8d29ad04\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Topic-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8632b003-3545-4b29-85e6-b2b96773df1e\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Partner-Namespace-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridPartnerNamespaceLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8bfadddb-ee1c-4639-8911-a38cb8e0b3bd\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/898e9824-104c-4965-8e0e-5197588fa5d4\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Domain-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridDomainModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/36ea4b4b-0f7f-4a54-89fa-ab18f555a172\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Topic-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#24": "{\n \"name\": \"Enforce-Guardrails-EventHub\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Event Hub\",\n \"description\": \"This policy initiative is a group of policies that ensures Event Hub is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Event Hub\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"eventHubAuthRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/836cd60e-87f3-4e6a-a27c-29d687f01a4c\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Double-Encryption\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/57f35901-8389-40bb-ac49-3ba4f86d889d\",\n \"policyDefinitionReferenceId\": \"Modify-EH-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5d4e3c65-4873-47be-94f3-6f8b953a3598\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b278e460-7cfc-4451-8294-cccc40a940d7\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Auth-Rules\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubAuthRules')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#25": "{\n \"name\": \"Enforce-Guardrails-KeyVault-Sup\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce additional recommended guardrails for Key Vault\",\n \"description\": \"This policy initiative is a group of policies that ensures Key Vault is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"keyVaultManagedHsmDisablePublicNetworkModify\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"keyVaultModifyFw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/84d327c3-164a-4685-b453-900478614456\",\n \"policyDefinitionReferenceId\": \"Modify-KV-PublicNetworkAccess\",\n \"definitionVersion\": \"2.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmDisablePublicNetworkModify')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01dc\",\n \"policyDefinitionReferenceId\": \"Modify-KV-Fw\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultModifyFw')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#26": "{\n \"name\": \"Enforce-Guardrails-Kubernetes\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Kubernetes\",\n \"description\": \"This policy initiative is a group of policies that ensures Kubernetes is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Kubernetes\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"aksKms\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"aksCni\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"aksLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPrivateCluster\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"aksCommandInvoke\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"aksReadinessOrLivenessProbes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPrivContainers\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"aksPrivEscalation\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"aksAllowedCapabilities\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"aksTempDisk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksInternalLb\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"aksDefaultNamespace\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"aksNakedPods\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksShareHostProcessAndNamespace\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"aksWindowsContainerAdministrator\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5485eac0-7e8f-4964-998b-a44f4f0c1e75\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Windows-Container-Administrator\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksWindowsContainerAdministrator')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Shared-Host-Process-Namespace\",\n \"definitionVersion\": \"5.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksShareHostProcessAndNamespace')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/65280eef-c8b4-425e-9aec-af55e55bf581\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Naked-Pods\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksNakedPods')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9f061a12-e40d-4183-a00e-171812443373\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Default-Namespace\",\n \"definitionVersion\": \"4.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksDefaultNamespace')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Internal-Lb\",\n \"definitionVersion\": \"8.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksInternalLb')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/41425d9f-d1a5-499a-9932-f8ed8453932c\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Temp-Disk-Encryption\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksTempDisk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Allowed-Capabilities\",\n \"definitionVersion\": \"6.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksAllowedCapabilities')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Priv-Escalation\",\n \"definitionVersion\": \"7.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPrivEscalation')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Priv-Containers\",\n \"definitionVersion\": \"9.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPrivContainers')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b1a9997f-2883-4f12-bdff-2280f99b5915\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-ReadinessOrLiveness-Probes\",\n \"definitionVersion\": \"3.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksReadinessOrLivenessProbes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b708b0a-3380-40e9-8b79-821f9fa224cc\",\n \"policyDefinitionReferenceId\": \"Dine-Aks-Command-Invoke\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksCommandInvoke')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n \"policyDefinitionReferenceId\": \"Dine-Aks-Policy\",\n \"definitionVersion\": \"4.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPolicy')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Private-Cluster\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPrivateCluster')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/993c2fcd-2b29-49d2-9eb0-df2c3a730c32\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dbbdc317-9734-4dd8-9074-993b29c69008\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Kms\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksKms')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/46238e2f-3f6f-4589-9f3f-77bed4116e67\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Cni\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksCni')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#27": "{\n \"name\": \"Enforce-Guardrails-MachineLearning\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Machine Learning\",\n \"description\": \"This policy initiative is a group of policies that ensures Machine Learning is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"mlUserAssignedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"mlLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlOutdatedOS\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"mlModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"mlIdleShutdown\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlVirtualNetwork\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"mlLegacyMode\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlPrivateLink\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"mlResourceLogs\": {\n \"type\": \"string\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"mlAllowedRegistryDeploy\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlAllowedModule\": {\n \"type\": \"string\",\n \"defaultValue\": \"enforceSetting\",\n \"allowedValues\": [\n \"enforceSetting\",\n \"disabled\"\n ]\n },\n \"mlAllowedPython\": {\n \"type\": \"string\",\n \"defaultValue\": \"enforceSetting\",\n \"allowedValues\": [\n \"enforceSetting\",\n \"disabled\"\n ]\n },\n \"mlAllowedRegistries\": {\n \"type\": \"string\",\n \"defaultValue\": \"enforceSetting\",\n \"allowedValues\": [\n \"enforceSetting\",\n \"disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f110a506-2dcb-422e-bcea-d533fc8c35e2\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Outdated-Os\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effects\": {\n \"value\": \"[[parameters('mlOutdatedOS')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Local-Auth\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a6f9a2d0-cff7-4855-83ad-4cd750666512\",\n \"policyDefinitionReferenceId\": \"Modify-ML-Local-Auth\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f0c7d88-c7de-45b8-ac49-db49e72eaa78\",\n \"policyDefinitionReferenceId\": \"Deny-ML-User-Assigned-Identity\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlUserAssignedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a10ee784-7409-4941-b091-663697637c0f\",\n \"policyDefinitionReferenceId\": \"Modify-ML-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/679ddf89-ab8f-48a5-9029-e76054077449\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Idle-Shutdown\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlIdleShutdown')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7804b5c7-01dc-4723-969b-ae300cc07ff1\",\n \"policyDefinitionReferenceId\": \"Audit-ML-Virtual-Network\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlVirtualNetwork')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e413671a-dd10-4cc1-a943-45b598596cb7\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Legacy-Mode\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlLegacyMode')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/45e05259-1eb5-4f70-9574-baf73e9d219b\",\n \"policyDefinitionReferenceId\": \"Audit-ML-Private-Link\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlPrivateLink')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/afe0c3be-ba3b-4544-ba52-0c99672a8ad6\",\n \"policyDefinitionReferenceId\": \"Aine-ML-Resource-Logs\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlResourceLogs')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/19539b54-c61e-4196-9a38-67598701be90\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Allowed-Registry-Deploy\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlAllowedRegistryDeploy')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/53c70b02-63dd-11ea-bc55-0242ac130003\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Allowed-Module\",\n \"definitionVersion\": \"6.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlAllowedModule')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/77eeea86-7e81-4a7d-9067-de844d096752\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Allowed-Python\",\n \"definitionVersion\": \"5.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlAllowedPython')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5853517a-63de-11ea-bc55-0242ac130003\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Allowed-Registries\",\n \"definitionVersion\": \"6.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlAllowedRegistries')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#28": "{\n \"name\": \"Enforce-Guardrails-MySQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for MySQL\",\n \"description\": \"This policy initiative is a group of policies that ensures MySQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"MySQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"mySqlInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mySqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816\",\n \"policyDefinitionReferenceId\": \"Dine-MySql-Adv-Threat-Protection\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlAdvThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3a58212a-c829-4f13-9872-6371df2fd0b4\",\n \"policyDefinitionReferenceId\": \"Deny-MySql-Infra-Encryption\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlInfraEncryption')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#29": "{\n \"name\": \"Enforce-Guardrails-Network\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Network and Networking services\",\n \"description\": \"This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"subnetUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetServiceEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwWaf\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vnetModifyDdos\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Audit\",\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"ddosPlanResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"wafMode\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"wafFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGwRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"denyMgmtFromInternet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"denyMgmtFromInternetPorts\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Ports\",\n \"description\": \"Ports to be blocked\"\n },\n \"defaultValue\": [\n \"22\",\n \"3389\"\n ]\n },\n \"afwEnbaleTlsForAllAppRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableTlsInspection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEmptyIDPSBypassList\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableAllIDPSSignatureRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableIDPS\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafAfdEnabled\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vpnAzureAD\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\"\n },\n \"modifyUdrNextHopIpAddress\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"modifyUdrNextHopType\": {\n \"type\": \"string\",\n \"defaultValue\": \"None\"\n },\n \"modifyUdrAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"0.0.0.0/0\"\n },\n \"modifyNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleName\": {\n \"type\": \"string\",\n \"defaultValue\": \"DenyAnyInternetOutbound\"\n },\n \"modifyNsgRulePriority\": {\n \"type\": \"integer\",\n \"defaultValue\": 1000\n },\n \"modifyNsgRuleDirection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Outbound\"\n },\n \"modifyNsgRuleAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Allow\",\n \"Deny\"\n ]\n },\n \"modifyNsgRuleProtocol\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourceAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourcePortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDestinationAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"Internet\"\n },\n \"modifyNsgRuleDestinationPortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDescription\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny any outbound traffic to the Internet\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010\",\n \"policyDefinitionReferenceId\": \"Deny-Nsg-GW-subnet\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7\",\n \"policyDefinitionReferenceId\": \"Deny-VPN-AzureAD\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vpnAzureAD')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Afd-Enabled\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafAfdEnabled')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6484db87-a62d-4327-9f07-80a2cbdf333a\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-IDPS\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableIDPS')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/610b6183-5f00-4d68-86d2-4ab4cb3a67a5\",\n \"policyDefinitionReferenceId\": \"Deny-FW-AllIDPSS\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableAllIDPSSignatureRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f516dc7a-4543-4d40-aad6-98f76a706b50\",\n \"policyDefinitionReferenceId\": \"Deny-FW-EmpIDPSBypass\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEmptyIDPSBypassList')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/711c24bb-7f18-4578-b192-81a6161e1f17\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-Inspection\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableTlsInspection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-AllApp\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnbaleTlsForAllAppRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-AppGw-mode\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafModeAppGw')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeAppGwRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Fw-rules\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-mode\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafMode')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d\",\n \"policyDefinitionReferenceId\": \"Modify-vNet-DDoS\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vnetModifyDdos')]\"\n },\n \"ddosPlan\": {\n \"value\": \"[[parameters('ddosPlanResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900\",\n \"policyDefinitionReferenceId\": \"Deny-Ip-Forwarding\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114\",\n \"policyDefinitionReferenceId\": \"Deny-vNic-Pip\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Waf\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwWaf')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-Udr\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetUdr')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-NSG\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetNsg')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-with-Service-Endpoints\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetServiceEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet\",\n \"policyDefinitionReferenceId\": \"Deny-Mgmt-From-Internet\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('denyMgmtFromInternet')]\"\n },\n \"ports\": {\n \"value\": \"[[parameters('denyMgmtFromInternetPorts')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Tls\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-UDR\",\n \"policyDefinitionReferenceId\": \"Modify-Udr\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyUdr')]\"\n },\n \"nextHopIpAddress\": {\n \"value\": \"[[parameters('modifyUdrNextHopIpAddress')]\"\n },\n \"nextHopType\": {\n \"value\": \"[[parameters('modifyUdrNextHopType')]\"\n },\n \"addressPrefix\": {\n \"value\": \"[[parameters('modifyUdrAddressPrefix')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-NSG\",\n \"policyDefinitionReferenceId\": \"Modify-Nsg\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyNsg')]\"\n },\n \"nsgRuleName\": {\n \"value\": \"[[parameters('modifyNsgRuleName')]\"\n },\n \"nsgRulePriority\": {\n \"value\": \"[[parameters('modifyNsgRulePriority')]\"\n },\n \"nsgRuleDirection\": {\n \"value\": \"[[parameters('modifyNsgRuleDirection')]\"\n },\n \"nsgRuleAccess\": {\n \"value\": \"[[parameters('modifyNsgRuleAccess')]\"\n },\n \"nsgRuleProtocol\": {\n \"value\": \"[[parameters('modifyNsgRuleProtocol')]\"\n },\n \"nsgRuleSourceAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleSourceAddressPrefix')]\"\n },\n \"nsgRuleSourcePortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleSourcePortRange')]\"\n },\n \"nsgRuleDestinationAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationAddressPrefix')]\"\n },\n \"nsgRuleDestinationPortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationPortRange')]\"\n },\n \"nsgRuleDescription\": {\n \"value\": \"[[parameters('modifyNsgRuleDescription')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#20": "{\n \"name\": \"Enforce-Guardrails-ContainerRegistry\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Registry\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Container Registry\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerRegistryUnrestrictedNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryRepositoryToken\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyRepositoryToken\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistryLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistryExports\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryAnAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyAnAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistrySkuPrivateLink\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryArmAudience\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyArmAudience\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/79fdfe03-ffcb-4e55-b4d0-b925b8241759\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a9b426fe-8856-4945-8600-18c5dd1cca2a\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Repo-Token\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyRepositoryToken')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/42781ec6-6127-4c30-bdfa-fb423a0047d3\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Arm-Audience\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryArmAudience')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/785596ed-054f-41bc-aaec-7f3d0ba05725\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Arm-Audience\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyArmAudience')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd560fc0-3c69-498a-ae9f-aa8eb7de0e13\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Sku-PrivateLink\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistrySkuPrivateLink')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cced2946-b08a-44fe-9fd9-e4ed8a779897\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Anonymous-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyAnAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9f2dea28-e834-476c-99c5-3507b4728395\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Anonymous-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryAnAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/524b0254-c285-4903-bee6-bb8126cde579\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Exports\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryExports')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc921057-6b28-4fbe-9b83-f7bec05db6c2\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff05e24e-195c-447e-b322-5e90c9f9f366\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Repo-Token\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryRepositoryToken')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Unrestricted-Network-Access\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryUnrestrictedNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a3701552-92ea-433e-9d17-33b7f1208fc9\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#21": "{\n \"name\": \"Enforce-Guardrails-CosmosDb\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cosmos DB\",\n \"description\": \"This policy initiative is a group of policies that ensures Cosmos DB is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Cosmos DB\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cosmosDbLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbAtp\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc2d41d1-4ab1-4666-a3e1-3d51c43e0049\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b5f04e03-92a3-4b09-9410-2cc5e5047656\",\n \"policyDefinitionReferenceId\": \"Dine-CosmosDb-Atp\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbAtp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Fw-Rules\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5\",\n \"policyDefinitionReferenceId\": \"Append-CosmosDb-Metadata\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da69ba51-aaf1-41e5-8651-607cd0b37088\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyPublicAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#22": "{\n \"name\": \"Enforce-Guardrails-DataExplorer\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Data Explorer\",\n \"description\": \"This policy initiative is a group of policies that ensures Data Explorer is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Azure Data Explorer\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"adxEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxSku\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1fec9658-933f-4b3e-bc95-913ed22d012b\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Sku-without-PL-Support\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxSku')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Double-Encryption\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f4b53539-8df9-40e4-86c6-6b607703bd4e\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Encryption\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7b32f193-cb28-4e15-9a98-b9556db0bafa\",\n \"policyDefinitionReferenceId\": \"Modify-ADX-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#23": "{\n \"name\": \"Enforce-Guardrails-DataFactory\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Data Factory\",\n \"description\": \"This policy initiative is a group of policies that ensures Data Factory is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Data Factory\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"adfSqlIntegration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfLinkedServiceKeyVault\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfGit\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f78ccdb4-7bf4-4106-8647-270491d2978a\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Managed-Identity\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/77d40665-3120-4348-b539-3192ec808307\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Git\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfGit')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/127ef6d7-242f-43b3-9eef-947faf1725d0\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Linked-Service-Key-Vault\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfLinkedServiceKeyVault')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0088bc63-6dee-4a9c-9d29-91cfdc848952\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Sql-Integration\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfSqlIntegration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08b1442b-7789-4130-8506-4f99a97226a7\",\n \"policyDefinitionReferenceId\": \"Modify-Adf-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#24": "{\n \"name\": \"Enforce-Guardrails-EventGrid\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Event Grid\",\n \"description\": \"This policy initiative is a group of policies that ensures Event Grid is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Event Grid\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"eventGridLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridPartnerNamespaceLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridPartnerNamespaceModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridDomainModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridDomainModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2dd0e8b9-4289-4bb0-b813-1883298e9924\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Partner-Namespace-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridPartnerNamespaceModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8ac2748f-3bf1-4c02-a3b6-92ae68cf75b1\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Domain-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridDomainModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae9fb87f-8a17-4428-94a4-8135d431055c\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Topic-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c8144d9-746a-4501-b08c-093c8d29ad04\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Topic-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8632b003-3545-4b29-85e6-b2b96773df1e\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Partner-Namespace-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridPartnerNamespaceLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8bfadddb-ee1c-4639-8911-a38cb8e0b3bd\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/898e9824-104c-4965-8e0e-5197588fa5d4\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Domain-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridDomainModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/36ea4b4b-0f7f-4a54-89fa-ab18f555a172\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Topic-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#25": "{\n \"name\": \"Enforce-Guardrails-EventHub\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Event Hub\",\n \"description\": \"This policy initiative is a group of policies that ensures Event Hub is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Event Hub\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"eventHubAuthRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/836cd60e-87f3-4e6a-a27c-29d687f01a4c\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Double-Encryption\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/57f35901-8389-40bb-ac49-3ba4f86d889d\",\n \"policyDefinitionReferenceId\": \"Modify-EH-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5d4e3c65-4873-47be-94f3-6f8b953a3598\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b278e460-7cfc-4451-8294-cccc40a940d7\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Auth-Rules\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubAuthRules')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#26": "{\n \"name\": \"Enforce-Guardrails-KeyVault-Sup\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce additional recommended guardrails for Key Vault\",\n \"description\": \"This policy initiative is a group of policies that ensures Key Vault is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"keyVaultManagedHsmDisablePublicNetworkModify\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"keyVaultModifyFw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/84d327c3-164a-4685-b453-900478614456\",\n \"policyDefinitionReferenceId\": \"Modify-KV-PublicNetworkAccess\",\n \"definitionVersion\": \"2.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmDisablePublicNetworkModify')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01dc\",\n \"policyDefinitionReferenceId\": \"Modify-KV-Fw\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultModifyFw')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#27": "{\n \"name\": \"Enforce-Guardrails-Kubernetes\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Kubernetes\",\n \"description\": \"This policy initiative is a group of policies that ensures Kubernetes is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Kubernetes\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"aksKms\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"aksCni\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"aksLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPrivateCluster\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"aksCommandInvoke\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"aksReadinessOrLivenessProbes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPrivContainers\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"aksPrivEscalation\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"aksAllowedCapabilities\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"aksTempDisk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksInternalLb\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"aksDefaultNamespace\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"aksNakedPods\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksShareHostProcessAndNamespace\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"aksWindowsContainerAdministrator\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5485eac0-7e8f-4964-998b-a44f4f0c1e75\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Windows-Container-Administrator\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksWindowsContainerAdministrator')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Shared-Host-Process-Namespace\",\n \"definitionVersion\": \"5.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksShareHostProcessAndNamespace')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/65280eef-c8b4-425e-9aec-af55e55bf581\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Naked-Pods\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksNakedPods')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9f061a12-e40d-4183-a00e-171812443373\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Default-Namespace\",\n \"definitionVersion\": \"4.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksDefaultNamespace')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Internal-Lb\",\n \"definitionVersion\": \"8.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksInternalLb')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/41425d9f-d1a5-499a-9932-f8ed8453932c\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Temp-Disk-Encryption\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksTempDisk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Allowed-Capabilities\",\n \"definitionVersion\": \"6.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksAllowedCapabilities')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Priv-Escalation\",\n \"definitionVersion\": \"7.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPrivEscalation')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Priv-Containers\",\n \"definitionVersion\": \"9.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPrivContainers')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b1a9997f-2883-4f12-bdff-2280f99b5915\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-ReadinessOrLiveness-Probes\",\n \"definitionVersion\": \"3.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksReadinessOrLivenessProbes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b708b0a-3380-40e9-8b79-821f9fa224cc\",\n \"policyDefinitionReferenceId\": \"Dine-Aks-Command-Invoke\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksCommandInvoke')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n \"policyDefinitionReferenceId\": \"Dine-Aks-Policy\",\n \"definitionVersion\": \"4.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPolicy')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Private-Cluster\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPrivateCluster')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/993c2fcd-2b29-49d2-9eb0-df2c3a730c32\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dbbdc317-9734-4dd8-9074-993b29c69008\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Kms\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksKms')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/46238e2f-3f6f-4589-9f3f-77bed4116e67\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Cni\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksCni')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#28": "{\n \"name\": \"Enforce-Guardrails-MachineLearning\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Machine Learning\",\n \"description\": \"This policy initiative is a group of policies that ensures Machine Learning is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"mlUserAssignedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"mlLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlOutdatedOS\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"mlModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"mlIdleShutdown\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlVirtualNetwork\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"mlLegacyMode\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlPrivateLink\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"mlResourceLogs\": {\n \"type\": \"string\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"mlAllowedRegistryDeploy\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlAllowedModule\": {\n \"type\": \"string\",\n \"defaultValue\": \"enforceSetting\",\n \"allowedValues\": [\n \"enforceSetting\",\n \"disabled\"\n ]\n },\n \"mlAllowedPython\": {\n \"type\": \"string\",\n \"defaultValue\": \"enforceSetting\",\n \"allowedValues\": [\n \"enforceSetting\",\n \"disabled\"\n ]\n },\n \"mlAllowedRegistries\": {\n \"type\": \"string\",\n \"defaultValue\": \"enforceSetting\",\n \"allowedValues\": [\n \"enforceSetting\",\n \"disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f110a506-2dcb-422e-bcea-d533fc8c35e2\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Outdated-Os\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effects\": {\n \"value\": \"[[parameters('mlOutdatedOS')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Local-Auth\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a6f9a2d0-cff7-4855-83ad-4cd750666512\",\n \"policyDefinitionReferenceId\": \"Modify-ML-Local-Auth\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f0c7d88-c7de-45b8-ac49-db49e72eaa78\",\n \"policyDefinitionReferenceId\": \"Deny-ML-User-Assigned-Identity\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlUserAssignedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a10ee784-7409-4941-b091-663697637c0f\",\n \"policyDefinitionReferenceId\": \"Modify-ML-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/679ddf89-ab8f-48a5-9029-e76054077449\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Idle-Shutdown\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlIdleShutdown')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7804b5c7-01dc-4723-969b-ae300cc07ff1\",\n \"policyDefinitionReferenceId\": \"Audit-ML-Virtual-Network\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlVirtualNetwork')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e413671a-dd10-4cc1-a943-45b598596cb7\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Legacy-Mode\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlLegacyMode')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/45e05259-1eb5-4f70-9574-baf73e9d219b\",\n \"policyDefinitionReferenceId\": \"Audit-ML-Private-Link\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlPrivateLink')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/afe0c3be-ba3b-4544-ba52-0c99672a8ad6\",\n \"policyDefinitionReferenceId\": \"Aine-ML-Resource-Logs\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlResourceLogs')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/19539b54-c61e-4196-9a38-67598701be90\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Allowed-Registry-Deploy\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlAllowedRegistryDeploy')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/53c70b02-63dd-11ea-bc55-0242ac130003\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Allowed-Module\",\n \"definitionVersion\": \"6.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlAllowedModule')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/77eeea86-7e81-4a7d-9067-de844d096752\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Allowed-Python\",\n \"definitionVersion\": \"5.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlAllowedPython')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5853517a-63de-11ea-bc55-0242ac130003\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Allowed-Registries\",\n \"definitionVersion\": \"6.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlAllowedRegistries')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#29": "{\n \"name\": \"Enforce-Guardrails-MySQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for MySQL\",\n \"description\": \"This policy initiative is a group of policies that ensures MySQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"MySQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"mySqlInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mySqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816\",\n \"policyDefinitionReferenceId\": \"Dine-MySql-Adv-Threat-Protection\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlAdvThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3a58212a-c829-4f13-9872-6371df2fd0b4\",\n \"policyDefinitionReferenceId\": \"Deny-MySql-Infra-Encryption\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlInfraEncryption')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#3": "{\n \"name\": \"Deploy-Sql-Security_20240529\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy SQL Database built-in SQL security configuration\",\n \"description\": \"Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Deploy-Sql-Security\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"vulnerabilityAssessmentsEmail\": {\n \"metadata\": {\n \"description\": \"The email address to send alerts\",\n \"displayName\": \"The email address to send alerts\"\n },\n \"type\": \"Array\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"metadata\": {\n \"description\": \"The storage account ID to store assessments\",\n \"displayName\": \"The storage account ID to store assessments\"\n },\n \"type\": \"String\"\n },\n \"SqlDbTdeDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database Transparent Data Encryption \",\n \"description\": \"Deploy the Transparent Data Encryption when it is not enabled in the deployment\"\n }\n },\n \"SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database security Alert Policies configuration with email admin accounts\",\n \"description\": \"Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration\"\n }\n },\n \"SqlDbAuditingSettingsDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL database auditing settings\",\n \"description\": \"Deploy auditing settings to SQL Database when it not exist in the deployment\"\n }\n },\n \"SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database vulnerability Assessments\",\n \"description\": \"Deploy SQL Database vulnerability Assessments when it not exist in the deployment. To the specific storage account in the parameters\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"SqlDbTdeDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbTdeDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbSecurityAlertPoliciesDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbAuditingSettingsDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbAuditingSettingsDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbVulnerabilityAssessmentsDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments_20230706\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect')]\"\n },\n \"vulnerabilityAssessmentsEmail\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsStorageID')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#30": "{\n \"name\": \"Enforce-Guardrails-OpenAI\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Open AI (Cognitive Service)\",\n \"description\": \"This policy initiative is a group of policies that ensures Open AI (Cognitive Service) is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Cognitive Services\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cognitiveServicesOutboundNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesNetworkAcls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesModifyDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesCustomerStorage\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"azureAiNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"azureAiPrivateLink\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"azureAiDisableLocalKey\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"azureAiDisableLocalKey2\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"azureAiDiagSettings\": {\n \"type\": \"string\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-RestrictOutboundNetworkAccess\",\n \"policyDefinitionReferenceId\": \"Deny-OpenAi-OutboundNetworkAccess\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesOutboundNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-NetworkAcls\",\n \"policyDefinitionReferenceId\": \"Deny-OpenAi-NetworkAcls\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesNetworkAcls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Managed-Identity\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/71ef260a-8f18-47b7-abcb-62d0673d94dc\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesDisableLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/46aa9b05-0e60-4eae-a88b-1e9d374fa515\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Cust-Storage\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesCustomerStorage')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555\",\n \"policyDefinitionReferenceId\": \"Modify-Cognitive-Services-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesModifyDisableLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3\",\n \"policyDefinitionReferenceId\": \"Deny-AzureAI-Network-Access\",\n \"definitionVersion\": \"3.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('azureAiNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6759c02-b87f-42b7-892e-71b3f471d782\",\n \"policyDefinitionReferenceId\": \"Audit-AzureAI-Private-Link\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('azureAiPrivateLink')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d45520cb-31ca-44ba-8da2-fcf914608544\",\n \"policyDefinitionReferenceId\": \"Dine-AzureAI-Local-Key\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('azureAiDisableLocalKey')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55eff01b-f2bd-4c32-9203-db285f709d30\",\n \"policyDefinitionReferenceId\": \"Dine-AzureAI-Local-Key2\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('azureAiDisableLocalKey2')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b4d1c4e-934c-4703-944c-27c82c06bebb\",\n \"policyDefinitionReferenceId\": \"Aine-AzureAI-Diag-Settings\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('azureAiDiagSettings')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#31": "{\n \"name\": \"Enforce-Guardrails-PostgreSQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for PostgreSQL\",\n \"description\": \"This policy initiative is a group of policies that ensures PostgreSQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"PostgreSQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"postgreSqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/db048e65-913c-49f9-bb5f-1084184671d3\",\n \"policyDefinitionReferenceId\": \"Dine-PostgreSql-Adv-Threat-Protection\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('postgreSqlAdvThreatProtection')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#32": "{\n \"name\": \"Enforce-Guardrails-ServiceBus\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Service Bus\",\n \"description\": \"This policy initiative is a group of policies that ensures Service Bus is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Service Bus\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"serviceBusModifyDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"serviceBusDenyDisabledLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusAuthzRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-Authz-Rules\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusAuthzRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ebaf4f25-a4e8-415f-86a8-42d9155bef0b\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-Encryption\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfb11c26-f069-4c14-8e36-56c394dae5af\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-LocalAuth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDenyDisabledLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/910711a6-8aa2-4f15-ae62-1e5b2ed3ef9e\",\n \"policyDefinitionReferenceId\": \"Modify-Sb-LocalAuth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusModifyDisableLocalAuth')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#33": "{\n \"name\": \"Enforce-Guardrails-SQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for SQL and SQL Managed Instance\",\n \"description\": \"This policy initiative is a group of policies that ensures SQL and SQL Managed Instance is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"sqlManagedAadOnly\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlAadOnly\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedDefender\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"modifySqlPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c5a62eb0-c65a-4220-8a4d-f70dd4ca95dd\",\n \"policyDefinitionReferenceId\": \"Dine-Sql-Managed-Defender\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedDefender')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/abda6d70-9778-44e7-84a8-06713e6db027\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Aad-Only\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlAadOnly')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/78215662-041e-49ed-a9dd-5385911b3a1f\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Aad-Only\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedAadOnly')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6\",\n \"policyDefinitionReferenceId\": \"Dine-Sql-Adv-Data\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/28b0b1e5-17ba-4963-a7a4-5a1ab4400a0b\",\n \"policyDefinitionReferenceId\": \"Modify-Sql-PublicNetworkAccess\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifySqlPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#34": "{\n \"name\": \"Enforce-Guardrails-Storage\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Storage Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Storage is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"storageKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountRestrictNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"storageClassicToArm\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountSharedKey\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCrossTenant\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsAllowedCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"AAD\"\n },\n \"storageServicesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageLocalUser\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageSftp\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsBypass\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAllowedNetworkAclsBypass\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"None\"\n ]\n },\n \"storageResourceAccessRulesTenantId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageResourceAccessRulesResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsVirtualNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageContainerDeleteRetentionPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageMinContainerDeleteRetentionInDays\": {\n \"type\": \"Integer\",\n \"defaultValue\": 7\n },\n \"storageCorsRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyStorageFileSyncPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyStorageAccountPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"storageAccountsModifyDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CopyScope\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCopyScope')]\"\n },\n \"allowedCopyScope\": {\n \"value\": \"[[parameters('storageAccountsAllowedCopyScope')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ServicesEncryption\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageServicesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-LocalUser\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageLocalUser')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-SFTP\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-SFTP\",\n\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageSftp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsBypass\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsBypass')]\"\n },\n \"allowedBypassOptions\": {\n \"value\": \"[[parameters('storageAllowedNetworkAclsBypass')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesTenantId\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesTenantId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesResourceId\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsVirtualNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageContainerDeleteRetentionPolicy')]\"\n },\n \"minContainerDeleteRetentionInDays\": {\n \"value\": \"[[parameters('storageMinContainerDeleteRetentionInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CorsRules\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageCorsRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfecdea6-31c4-4045-ad42-71b9dc87247d\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Encryption\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92a89a79-6c52-4a7e-a03f-61306fc49312\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Cross-Tenant\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCrossTenant')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Shared-Key\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountSharedKey')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Infra-Encryption\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsInfraEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Classic\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageClassicToArm')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c\",\n \"policyDefinitionReferenceId\": \"Dine-Storage-Threat-Protection\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Restrict-NetworkRules\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountRestrictNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkRules\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Keys-Expire\",\n \"definitionVersion\": \"3.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e07b2e9-6cd9-4c40-9ccb-52817b95133b\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-FileSync-PublicEndpoint\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageFileSyncPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b\",\n \"policyDefinitionReferenceId\": \"Modify-Blob-Storage-Account-PublicEndpoint\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageAccountPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a06d0189-92e8-4dba-b0c4-08d7669fce7d\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-Account-PublicEndpoint\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsModifyDisablePublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#35": "{\n \"name\": \"Enforce-Guardrails-Synapse\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Synapse workspaces\",\n \"description\": \"This policy initiative is a group of policies that ensures Synapse workspaces is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Synapse\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"synapseLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseManagedVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseDataTraffic\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTenants\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseAllowedTenantIds\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"[[subscription().tenantId]\"\n ]\n },\n \"synapseFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"synapseModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"synapseDefender\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"synapseModifyTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"synapseModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/951c1558-50a5-4ca3-abb6-a93e3e2367a6\",\n \"policyDefinitionReferenceId\": \"Dine-Synapse-Defender\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseDefender')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c3624673-d2ff-48e0-b28c-5de1c6767c3c\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/56fd377d-098c-4f02-8406-81eb055902b8\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Fw-Rules\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3a003702-13d2-4679-941b-937e58c443f0\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tenant-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTenants')]\"\n },\n \"allowedTenantIds\": {\n \"value\": \"[[parameters('synapseAllowedTenantIds')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3484ce98-c0c5-4c83-994b-c5ac24785218\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Data-Traffic\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseDataTraffic')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2d9dbfa3-927b-4cf0-9d0f-08747f971650\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Managed-Vnet\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseManagedVnet')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2158ddbe-fefa-408e-b43f-d4faef8ff3b8\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8b5c654c-fb07-471b-aa8f-15fea733f140\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Tls-Version\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5c8cad01-ef30-4891-b230-652dadb4876a\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#36": "{\n \"name\": \"Enforce-Guardrails-VirtualDesktop\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Virtual Desktop\",\n \"description\": \"This policy initiative is a group of policies that ensures Virtual Desktop is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Desktop Virtualization\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"avdWorkspaceModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"avdHostPoolModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ce6ebf1d-0b94-4df9-9257-d8cacc238b4f\",\n \"policyDefinitionReferenceId\": \"Modify-Workspace-PublicNetworkAccess\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdWorkspaceModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a0913ff-51e7-47b8-97bb-ea17127f7c8d\",\n \"policyDefinitionReferenceId\": \"Modify-Hostpool-PublicNetworkAccess\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdHostPoolModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#37": "{\n \"name\": \"Deny-PublicPaaSEndpoints\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"5.2.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registries with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"PostgreSQLFlexPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for PostgreSql Flexible Server\",\n \"description\": \"This policy denies creation of PostgreSQL Flexible DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"postgreSqlPublicNetworkAccess\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for PostgreSQL servers\",\n \"description\": \"This policy denies creation of PostgreSQL DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MySQLFlexPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for MySQL Flexible Server\",\n \"description\": \"This policy denies creation of MySql Flexible Server DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MariaDbPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MlPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Machine Learning\",\n \"description\": \"This policy denies creation of Azure Machine Learning with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"RedisCachePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Cache for Redis\",\n \"description\": \"This policy denies creation of Azure Cache for Redis with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BotServicePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Bot Service\",\n \"description\": \"This policy denies creation of Bot Service with exposed public endpoints. Bots should be set to 'isolated only' mode\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AutomationPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Automation accounts\",\n \"description\": \"This policy denies creation of Automation accounts with exposed public endpoints. Bots should be set to 'isolated only' mode\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AppConfigPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for App Configuration\",\n \"description\": \"This policy denies creation of App Configuration with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"FunctionPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Function apps\",\n \"description\": \"This policy denies creation of Function apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"FunctionAppSlotPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Function apps\",\n \"description\": \"This policy denies creation of Function apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AsePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for App Service Environment apps\",\n \"description\": \"This policy denies creation of App Service Environment apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AsPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for App Service apps\",\n \"description\": \"This policy denies creation of App Service apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ApiManPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for API Management services\",\n \"description\": \"This policy denies creation of API Management services with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"AuditIfNotExists\"\n },\n \"ContainerAppsEnvironmentDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Container Apps environment should disable public network access\",\n \"description\": \"This policy denies creation of Container Apps Environment with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AsrVaultDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Azure Recovery Services vaults should disable public network access\",\n \"description\": \"This policy denies creation of Azure Recovery Services vaults with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"logicAppPublicNetworkAccessEffect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"appSlotsPublicNetworkAccess\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"cognitiveSearchPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"managedDiskPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"containerAppsPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultManagedHsmDisablePublicNetwork\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mySqlPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapsePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"avdHostPoolPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"avdWorkspacePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"grafanaPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/405c5871-3e91-4644-8a63-58e19d68ff5b\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b2982f36-99f2-4db5-8eff-283140c09693\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLFlexDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48\",\n \"definitionVersion\": \"3.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLFlexPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Deny-PostgreSql-Public-Network-Access\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b52376f7-9612-48a1-81cd-1ffe4b61032c\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('postgreSqlPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLFlexDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLFlexPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/438c38d2-3772-465a-a9cc-7a6666a275ce\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MlPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/470baccb-7e51-4549-8b1a-3e5be069f663\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisCachePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BotServiceDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e8168db-69e3-4beb-9822-57cb59202a9d\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BotServicePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/955a914f-bf86-4f0e-acd5-e0766b0efcb6\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AutomationPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppConfigDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3d9f5e4c-9947-4579-9539-2a7695fbc187\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppConfigPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/969ac98b-88a8-449f-883c-2e9adb123127\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppSlotsDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/11c82d0c-db9f-4d7b-97c5-f3f9aa957da2\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppSlotPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AseDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2d048aca-6479-4923-88f5-e2ac295d9af3\",\n \"definitionVersion\": \"3.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AsePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AsDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b5ef780-c53c-4a64-87f3-bb9c8c8094ba\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AsPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApiManDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/df73bd95-24da-4a4f-96b9-4e8b94b402bd\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ApiManPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsEnvironmentDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d074ddf8-01a5-4b5e-a2b8-964aed452c0a\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsEnvironmentDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/783ea2a8-b8fd-46be-896a-9ae79643a0b1\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"AsrVaultDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9ebbbba3-4d65-4da9-bb67-b22cfaaff090\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AsrVaultDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Public-Network-Access\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApp-Public-Network\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppPublicNetworkAccessEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/701a595d-38fb-4a66-ae6d-fb3735217622\",\n \"policyDefinitionReferenceId\": \"Deny-AppSlots-Public\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appSlotsPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee980b6d-0eca-4501-8d54-f6290fd512c3\",\n \"policyDefinitionReferenceId\": \"Deny-CognitiveSearch-PublicEndpoint\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8405fdab-1faf-48aa-b702-999c9c172094\",\n \"policyDefinitionReferenceId\": \"Deny-ManagedDisk-Public-Network-Access\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('managedDiskPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43bc7be6-5e69-4b0d-a2bb-e815557ca673\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1cf164be-6819-4a50-b8fa-4bcaa4f98fb6\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8f774be-6aee-492a-9e29-486ef81f3a68\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1adadefe-5f21-44f7-b931-a59b54ccdb45\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Topic-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0602787f-9896-402a-a6e1-39ee63ee435e\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/19ea9d63-adee-4431-a95e-1913c6c1c75f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-PublicNetwork\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmDisablePublicNetwork')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d9844e8a-1437-4aeb-a32c-0c992f056095\",\n \"policyDefinitionReferenceId\": \"Deny-MySql-Public-Network-Access\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Public-Network-Access\",\n \"definitionVersion\": \"3.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Network-Access\",\n \"definitionVersion\": \"3.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cbd11fd3-3002-4907-b6c8-579f0e700e13\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-PublicEndpoint\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDisablePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9dfea752-dd46-4766-aed1-c355fa93fb91\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Public-Endpoint\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Public-Access\",\n \"definitionVersion\": \"3.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsPublicAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/38d8df46-cf4e-4073-8e03-48c24b29de0d\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapsePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ac3038-c07a-4b92-860d-29e270a4f3cd\",\n \"policyDefinitionReferenceId\": \"Deny-Workspace-PublicNetworkAccess\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdWorkspacePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c25dcf31-878f-4eba-98eb-0818fdc6a334\",\n \"policyDefinitionReferenceId\": \"Deny-Hostpool-PublicNetworkAccess\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdHostPoolPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8775d5a-73b7-4977-a39b-833ef0114628\",\n \"policyDefinitionReferenceId\": \"Deny-Grafana-PublicNetworkAccess\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('grafanaPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#38": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. This policy set is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"2.2.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsDestinationType\": {\n \"type\": \"String\",\n \"defaultValue\": \"AzureDiagnostics\",\n \"allowedValues\": [\n \"AzureDiagnostics\",\n \"Dedicated\"\n ],\n \"metadata\": {\n \"displayName\": \"Destination table for the Diagnostic Setting for API Management to Log Analytics workspace\",\n \"description\": \"Destination table for the diagnostic setting for API Management to Log Analytics workspace, allowed values are 'Dedicated' (for resource-specific) and 'AzureDiagnostics'. Default value is 'AzureDiagnostics'\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsDestinationType\": {\n \"type\": \"String\",\n \"defaultValue\": \"AzureDiagnostics\",\n \"allowedValues\": [\n \"AzureDiagnostics\",\n \"Dedicated\"\n ],\n \"metadata\": {\n \"displayName\": \"Destination table for the Diagnostic Setting for Firewall to Log Analytics workspace\",\n \"description\": \"Destination table for the diagnostic setting for Firewall to Log Analytics workspace, allowed values are 'Dedicated' (for resource-specific) and 'AzureDiagnostics'. Default value is 'AzureDiagnostics'\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Log Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Log Analytics to stream to a Log Analytics workspace when any Log Analytics workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category Audit enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AVDScalingPlansLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VWanS2SVPNGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59759c62-9a22-4cdf-ae64-074495983fef\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountBlobServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4fe1a3b-0715-4c6c-a5ea-ffc33cf823cb\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountFileServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/25a70cc8-2bd4-47f1-90b6-1478e4662c96\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountQueueServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7bd000e3-37c7-4928-9f31-86c4b77c5c45\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountTableServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2fb86bf3-d221-43d1-96d1-2434af34eaa0\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AVDScalingPlansDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AVDScalingPlans\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AVDScalingPlansLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"logAnalyticsDestinationType\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsDestinationType')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"logAnalyticsDestinationType\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsDestinationType')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#39": "{\n \"name\": \"Deploy-MDFC-Config\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config_20240319.html\",\n \"metadata\": {\n \"version\": \"7.0.0-deprecated\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"Deploy-MDFC-Config_20240319\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForCosmosDbs\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSqlOnVm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForDns\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForArm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForOssDb\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForAppServices\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForKeyVault\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForStorage\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServersVulnerabilityAssessments\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"vulnerabilityAssessmentProvider\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"default\",\n \"mdeTvm\"\n ],\n \"defaultValue\": \"default\",\n \"metadata\": {\n \"displayName\": \"Vulnerability assessment provider type\",\n \"description\": \"Select the vulnerability assessment solution to provision to machines.\"\n }\n },\n \"enableAscForApis\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForCspm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForOssDb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForOssDb')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVMVulnerabilityAssessment\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServersVulnerabilityAssessments')]\"\n },\n \"vaType\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentProvider')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlServerVirtualMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSqlOnVm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForAppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForAppServices')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForStorageAccountsV2\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForStorage')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n },\n \"logAnalyticsWorkspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azurePolicyForKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForKeyVaults\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForKeyVault')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForDns\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForDns')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForArm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForArm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCosmosDbs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCosmosDbs')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForApis\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e54d2be9-5f2e-4d65-98e4-4f0e670b23d6\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForApis')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCspm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCspm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\": {\n \"value\": \"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"migrateToMdeTvm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/766e621d-ba95-4e43-a6f2-e945db3d7888\",\n \"parameters\": {\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#30": "{\n \"name\": \"Enforce-Guardrails-Network\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Network and Networking services\",\n \"description\": \"This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"subnetUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetServiceEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwWaf\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vnetModifyDdos\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Audit\",\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"ddosPlanResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"wafMode\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"wafFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGwRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"denyMgmtFromInternet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"denyMgmtFromInternetPorts\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Ports\",\n \"description\": \"Ports to be blocked\"\n },\n \"defaultValue\": [\n \"22\",\n \"3389\"\n ]\n },\n \"afwEnbaleTlsForAllAppRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableTlsInspection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEmptyIDPSBypassList\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableAllIDPSSignatureRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableIDPS\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafAfdEnabled\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vpnAzureAD\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\"\n },\n \"modifyUdrNextHopIpAddress\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"modifyUdrNextHopType\": {\n \"type\": \"string\",\n \"defaultValue\": \"None\"\n },\n \"modifyUdrAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"0.0.0.0/0\"\n },\n \"modifyNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleName\": {\n \"type\": \"string\",\n \"defaultValue\": \"DenyAnyInternetOutbound\"\n },\n \"modifyNsgRulePriority\": {\n \"type\": \"integer\",\n \"defaultValue\": 1000\n },\n \"modifyNsgRuleDirection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Outbound\"\n },\n \"modifyNsgRuleAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Allow\",\n \"Deny\"\n ]\n },\n \"modifyNsgRuleProtocol\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourceAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourcePortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDestinationAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"Internet\"\n },\n \"modifyNsgRuleDestinationPortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDescription\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny any outbound traffic to the Internet\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010\",\n \"policyDefinitionReferenceId\": \"Deny-Nsg-GW-subnet\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7\",\n \"policyDefinitionReferenceId\": \"Deny-VPN-AzureAD\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vpnAzureAD')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Afd-Enabled\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafAfdEnabled')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6484db87-a62d-4327-9f07-80a2cbdf333a\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-IDPS\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableIDPS')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/610b6183-5f00-4d68-86d2-4ab4cb3a67a5\",\n \"policyDefinitionReferenceId\": \"Deny-FW-AllIDPSS\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableAllIDPSSignatureRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f516dc7a-4543-4d40-aad6-98f76a706b50\",\n \"policyDefinitionReferenceId\": \"Deny-FW-EmpIDPSBypass\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEmptyIDPSBypassList')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/711c24bb-7f18-4578-b192-81a6161e1f17\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-Inspection\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableTlsInspection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-AllApp\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnbaleTlsForAllAppRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-AppGw-mode\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafModeAppGw')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeAppGwRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Fw-rules\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-mode\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafMode')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d\",\n \"policyDefinitionReferenceId\": \"Modify-vNet-DDoS\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vnetModifyDdos')]\"\n },\n \"ddosPlan\": {\n \"value\": \"[[parameters('ddosPlanResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900\",\n \"policyDefinitionReferenceId\": \"Deny-Ip-Forwarding\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114\",\n \"policyDefinitionReferenceId\": \"Deny-vNic-Pip\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Waf\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwWaf')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-Udr\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetUdr')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-NSG\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetNsg')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-with-Service-Endpoints\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetServiceEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet\",\n \"policyDefinitionReferenceId\": \"Deny-Mgmt-From-Internet\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('denyMgmtFromInternet')]\"\n },\n \"ports\": {\n \"value\": \"[[parameters('denyMgmtFromInternetPorts')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Tls\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-UDR\",\n \"policyDefinitionReferenceId\": \"Modify-Udr\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyUdr')]\"\n },\n \"nextHopIpAddress\": {\n \"value\": \"[[parameters('modifyUdrNextHopIpAddress')]\"\n },\n \"nextHopType\": {\n \"value\": \"[[parameters('modifyUdrNextHopType')]\"\n },\n \"addressPrefix\": {\n \"value\": \"[[parameters('modifyUdrAddressPrefix')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-NSG\",\n \"policyDefinitionReferenceId\": \"Modify-Nsg\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyNsg')]\"\n },\n \"nsgRuleName\": {\n \"value\": \"[[parameters('modifyNsgRuleName')]\"\n },\n \"nsgRulePriority\": {\n \"value\": \"[[parameters('modifyNsgRulePriority')]\"\n },\n \"nsgRuleDirection\": {\n \"value\": \"[[parameters('modifyNsgRuleDirection')]\"\n },\n \"nsgRuleAccess\": {\n \"value\": \"[[parameters('modifyNsgRuleAccess')]\"\n },\n \"nsgRuleProtocol\": {\n \"value\": \"[[parameters('modifyNsgRuleProtocol')]\"\n },\n \"nsgRuleSourceAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleSourceAddressPrefix')]\"\n },\n \"nsgRuleSourcePortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleSourcePortRange')]\"\n },\n \"nsgRuleDestinationAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationAddressPrefix')]\"\n },\n \"nsgRuleDestinationPortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationPortRange')]\"\n },\n \"nsgRuleDescription\": {\n \"value\": \"[[parameters('modifyNsgRuleDescription')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#31": "{\n \"name\": \"Enforce-Guardrails-OpenAI\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Open AI (Cognitive Service)\",\n \"description\": \"This policy initiative is a group of policies that ensures Open AI (Cognitive Service) is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Cognitive Services\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cognitiveServicesOutboundNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesNetworkAcls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesModifyDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesCustomerStorage\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"azureAiNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"azureAiPrivateLink\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"azureAiDisableLocalKey\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"azureAiDisableLocalKey2\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"azureAiDiagSettings\": {\n \"type\": \"string\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-RestrictOutboundNetworkAccess\",\n \"policyDefinitionReferenceId\": \"Deny-OpenAi-OutboundNetworkAccess\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesOutboundNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-NetworkAcls\",\n \"policyDefinitionReferenceId\": \"Deny-OpenAi-NetworkAcls\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesNetworkAcls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Managed-Identity\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/71ef260a-8f18-47b7-abcb-62d0673d94dc\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesDisableLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/46aa9b05-0e60-4eae-a88b-1e9d374fa515\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Cust-Storage\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesCustomerStorage')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555\",\n \"policyDefinitionReferenceId\": \"Modify-Cognitive-Services-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesModifyDisableLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3\",\n \"policyDefinitionReferenceId\": \"Deny-AzureAI-Network-Access\",\n \"definitionVersion\": \"3.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('azureAiNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6759c02-b87f-42b7-892e-71b3f471d782\",\n \"policyDefinitionReferenceId\": \"Audit-AzureAI-Private-Link\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('azureAiPrivateLink')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d45520cb-31ca-44ba-8da2-fcf914608544\",\n \"policyDefinitionReferenceId\": \"Dine-AzureAI-Local-Key\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('azureAiDisableLocalKey')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55eff01b-f2bd-4c32-9203-db285f709d30\",\n \"policyDefinitionReferenceId\": \"Dine-AzureAI-Local-Key2\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('azureAiDisableLocalKey2')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b4d1c4e-934c-4703-944c-27c82c06bebb\",\n \"policyDefinitionReferenceId\": \"Aine-AzureAI-Diag-Settings\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('azureAiDiagSettings')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#32": "{\n \"name\": \"Enforce-Guardrails-PostgreSQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for PostgreSQL\",\n \"description\": \"This policy initiative is a group of policies that ensures PostgreSQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"PostgreSQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"postgreSqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/db048e65-913c-49f9-bb5f-1084184671d3\",\n \"policyDefinitionReferenceId\": \"Dine-PostgreSql-Adv-Threat-Protection\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('postgreSqlAdvThreatProtection')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#33": "{\n \"name\": \"Enforce-Guardrails-ServiceBus\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Service Bus\",\n \"description\": \"This policy initiative is a group of policies that ensures Service Bus is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Service Bus\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"serviceBusModifyDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"serviceBusDenyDisabledLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusAuthzRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-Authz-Rules\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusAuthzRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ebaf4f25-a4e8-415f-86a8-42d9155bef0b\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-Encryption\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfb11c26-f069-4c14-8e36-56c394dae5af\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-LocalAuth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDenyDisabledLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/910711a6-8aa2-4f15-ae62-1e5b2ed3ef9e\",\n \"policyDefinitionReferenceId\": \"Modify-Sb-LocalAuth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusModifyDisableLocalAuth')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#34": "{\n \"name\": \"Enforce-Guardrails-SQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for SQL and SQL Managed Instance\",\n \"description\": \"This policy initiative is a group of policies that ensures SQL and SQL Managed Instance is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"sqlManagedAadOnly\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlAadOnly\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedDefender\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"modifySqlPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c5a62eb0-c65a-4220-8a4d-f70dd4ca95dd\",\n \"policyDefinitionReferenceId\": \"Dine-Sql-Managed-Defender\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedDefender')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/abda6d70-9778-44e7-84a8-06713e6db027\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Aad-Only\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlAadOnly')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/78215662-041e-49ed-a9dd-5385911b3a1f\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Aad-Only\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedAadOnly')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6\",\n \"policyDefinitionReferenceId\": \"Dine-Sql-Adv-Data\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/28b0b1e5-17ba-4963-a7a4-5a1ab4400a0b\",\n \"policyDefinitionReferenceId\": \"Modify-Sql-PublicNetworkAccess\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifySqlPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#35": "{\n \"name\": \"Enforce-Guardrails-Storage\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Storage Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Storage is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"storageKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountRestrictNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"storageClassicToArm\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountSharedKey\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCrossTenant\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsAllowedCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"AAD\"\n },\n \"storageServicesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageLocalUser\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageSftp\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsBypass\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAllowedNetworkAclsBypass\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"None\"\n ]\n },\n \"storageResourceAccessRulesTenantId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageResourceAccessRulesResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsVirtualNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageContainerDeleteRetentionPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageMinContainerDeleteRetentionInDays\": {\n \"type\": \"Integer\",\n \"defaultValue\": 7\n },\n \"storageCorsRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyStorageFileSyncPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyStorageAccountPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"storageAccountsModifyDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CopyScope\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCopyScope')]\"\n },\n \"allowedCopyScope\": {\n \"value\": \"[[parameters('storageAccountsAllowedCopyScope')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ServicesEncryption\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageServicesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-LocalUser\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageLocalUser')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-SFTP\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-SFTP\",\n\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageSftp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsBypass\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsBypass')]\"\n },\n \"allowedBypassOptions\": {\n \"value\": \"[[parameters('storageAllowedNetworkAclsBypass')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesTenantId\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesTenantId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesResourceId\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsVirtualNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageContainerDeleteRetentionPolicy')]\"\n },\n \"minContainerDeleteRetentionInDays\": {\n \"value\": \"[[parameters('storageMinContainerDeleteRetentionInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CorsRules\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageCorsRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfecdea6-31c4-4045-ad42-71b9dc87247d\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Encryption\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92a89a79-6c52-4a7e-a03f-61306fc49312\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Cross-Tenant\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCrossTenant')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Shared-Key\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountSharedKey')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Infra-Encryption\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsInfraEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Classic\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageClassicToArm')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c\",\n \"policyDefinitionReferenceId\": \"Dine-Storage-Threat-Protection\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Restrict-NetworkRules\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountRestrictNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkRules\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Keys-Expire\",\n \"definitionVersion\": \"3.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e07b2e9-6cd9-4c40-9ccb-52817b95133b\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-FileSync-PublicEndpoint\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageFileSyncPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b\",\n \"policyDefinitionReferenceId\": \"Modify-Blob-Storage-Account-PublicEndpoint\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageAccountPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a06d0189-92e8-4dba-b0c4-08d7669fce7d\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-Account-PublicEndpoint\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsModifyDisablePublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#36": "{\n \"name\": \"Enforce-Guardrails-Synapse\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Synapse workspaces\",\n \"description\": \"This policy initiative is a group of policies that ensures Synapse workspaces is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Synapse\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"synapseLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseManagedVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseDataTraffic\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTenants\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseAllowedTenantIds\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"[[subscription().tenantId]\"\n ]\n },\n \"synapseFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"synapseModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"synapseDefender\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"synapseModifyTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"synapseModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/951c1558-50a5-4ca3-abb6-a93e3e2367a6\",\n \"policyDefinitionReferenceId\": \"Dine-Synapse-Defender\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseDefender')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c3624673-d2ff-48e0-b28c-5de1c6767c3c\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/56fd377d-098c-4f02-8406-81eb055902b8\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Fw-Rules\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3a003702-13d2-4679-941b-937e58c443f0\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tenant-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTenants')]\"\n },\n \"allowedTenantIds\": {\n \"value\": \"[[parameters('synapseAllowedTenantIds')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3484ce98-c0c5-4c83-994b-c5ac24785218\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Data-Traffic\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseDataTraffic')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2d9dbfa3-927b-4cf0-9d0f-08747f971650\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Managed-Vnet\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseManagedVnet')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2158ddbe-fefa-408e-b43f-d4faef8ff3b8\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8b5c654c-fb07-471b-aa8f-15fea733f140\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Tls-Version\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5c8cad01-ef30-4891-b230-652dadb4876a\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#37": "{\n \"name\": \"Enforce-Guardrails-VirtualDesktop\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Virtual Desktop\",\n \"description\": \"This policy initiative is a group of policies that ensures Virtual Desktop is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Desktop Virtualization\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"avdWorkspaceModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"avdHostPoolModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ce6ebf1d-0b94-4df9-9257-d8cacc238b4f\",\n \"policyDefinitionReferenceId\": \"Modify-Workspace-PublicNetworkAccess\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdWorkspaceModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a0913ff-51e7-47b8-97bb-ea17127f7c8d\",\n \"policyDefinitionReferenceId\": \"Modify-Hostpool-PublicNetworkAccess\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdHostPoolModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#38": "{\n \"name\": \"Deny-PublicPaaSEndpoints\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"5.2.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registries with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"PostgreSQLFlexPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for PostgreSql Flexible Server\",\n \"description\": \"This policy denies creation of PostgreSQL Flexible DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"postgreSqlPublicNetworkAccess\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for PostgreSQL servers\",\n \"description\": \"This policy denies creation of PostgreSQL DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MySQLFlexPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for MySQL Flexible Server\",\n \"description\": \"This policy denies creation of MySql Flexible Server DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MariaDbPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MlPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Machine Learning\",\n \"description\": \"This policy denies creation of Azure Machine Learning with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"RedisCachePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Cache for Redis\",\n \"description\": \"This policy denies creation of Azure Cache for Redis with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BotServicePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Bot Service\",\n \"description\": \"This policy denies creation of Bot Service with exposed public endpoints. Bots should be set to 'isolated only' mode\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AutomationPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Automation accounts\",\n \"description\": \"This policy denies creation of Automation accounts with exposed public endpoints. Bots should be set to 'isolated only' mode\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AppConfigPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for App Configuration\",\n \"description\": \"This policy denies creation of App Configuration with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"FunctionPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Function apps\",\n \"description\": \"This policy denies creation of Function apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"FunctionAppSlotPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Function apps\",\n \"description\": \"This policy denies creation of Function apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AsePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for App Service Environment apps\",\n \"description\": \"This policy denies creation of App Service Environment apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AsPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for App Service apps\",\n \"description\": \"This policy denies creation of App Service apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ApiManPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for API Management services\",\n \"description\": \"This policy denies creation of API Management services with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"AuditIfNotExists\"\n },\n \"ContainerAppsEnvironmentDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Container Apps environment should disable public network access\",\n \"description\": \"This policy denies creation of Container Apps Environment with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AsrVaultDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Azure Recovery Services vaults should disable public network access\",\n \"description\": \"This policy denies creation of Azure Recovery Services vaults with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"logicAppPublicNetworkAccessEffect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"appSlotsPublicNetworkAccess\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"cognitiveSearchPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"managedDiskPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"containerAppsPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultManagedHsmDisablePublicNetwork\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mySqlPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapsePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"avdHostPoolPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"avdWorkspacePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"grafanaPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/405c5871-3e91-4644-8a63-58e19d68ff5b\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b2982f36-99f2-4db5-8eff-283140c09693\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLFlexDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48\",\n \"definitionVersion\": \"3.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLFlexPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Deny-PostgreSql-Public-Network-Access\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b52376f7-9612-48a1-81cd-1ffe4b61032c\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('postgreSqlPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLFlexDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLFlexPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/438c38d2-3772-465a-a9cc-7a6666a275ce\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MlPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/470baccb-7e51-4549-8b1a-3e5be069f663\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisCachePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BotServiceDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e8168db-69e3-4beb-9822-57cb59202a9d\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BotServicePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/955a914f-bf86-4f0e-acd5-e0766b0efcb6\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AutomationPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppConfigDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3d9f5e4c-9947-4579-9539-2a7695fbc187\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppConfigPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/969ac98b-88a8-449f-883c-2e9adb123127\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppSlotsDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/11c82d0c-db9f-4d7b-97c5-f3f9aa957da2\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppSlotPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AseDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2d048aca-6479-4923-88f5-e2ac295d9af3\",\n \"definitionVersion\": \"3.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AsePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AsDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b5ef780-c53c-4a64-87f3-bb9c8c8094ba\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AsPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApiManDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/df73bd95-24da-4a4f-96b9-4e8b94b402bd\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ApiManPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsEnvironmentDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d074ddf8-01a5-4b5e-a2b8-964aed452c0a\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsEnvironmentDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/783ea2a8-b8fd-46be-896a-9ae79643a0b1\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"AsrVaultDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9ebbbba3-4d65-4da9-bb67-b22cfaaff090\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AsrVaultDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Public-Network-Access\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApp-Public-Network\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppPublicNetworkAccessEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/701a595d-38fb-4a66-ae6d-fb3735217622\",\n \"policyDefinitionReferenceId\": \"Deny-AppSlots-Public\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appSlotsPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee980b6d-0eca-4501-8d54-f6290fd512c3\",\n \"policyDefinitionReferenceId\": \"Deny-CognitiveSearch-PublicEndpoint\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8405fdab-1faf-48aa-b702-999c9c172094\",\n \"policyDefinitionReferenceId\": \"Deny-ManagedDisk-Public-Network-Access\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('managedDiskPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43bc7be6-5e69-4b0d-a2bb-e815557ca673\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1cf164be-6819-4a50-b8fa-4bcaa4f98fb6\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8f774be-6aee-492a-9e29-486ef81f3a68\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1adadefe-5f21-44f7-b931-a59b54ccdb45\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Topic-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0602787f-9896-402a-a6e1-39ee63ee435e\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/19ea9d63-adee-4431-a95e-1913c6c1c75f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-PublicNetwork\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmDisablePublicNetwork')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d9844e8a-1437-4aeb-a32c-0c992f056095\",\n \"policyDefinitionReferenceId\": \"Deny-MySql-Public-Network-Access\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Public-Network-Access\",\n \"definitionVersion\": \"3.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Network-Access\",\n \"definitionVersion\": \"3.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cbd11fd3-3002-4907-b6c8-579f0e700e13\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-PublicEndpoint\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDisablePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9dfea752-dd46-4766-aed1-c355fa93fb91\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Public-Endpoint\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Public-Access\",\n \"definitionVersion\": \"3.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsPublicAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/38d8df46-cf4e-4073-8e03-48c24b29de0d\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapsePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ac3038-c07a-4b92-860d-29e270a4f3cd\",\n \"policyDefinitionReferenceId\": \"Deny-Workspace-PublicNetworkAccess\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdWorkspacePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c25dcf31-878f-4eba-98eb-0818fdc6a334\",\n \"policyDefinitionReferenceId\": \"Deny-Hostpool-PublicNetworkAccess\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdHostPoolPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8775d5a-73b7-4977-a39b-833ef0114628\",\n \"policyDefinitionReferenceId\": \"Deny-Grafana-PublicNetworkAccess\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('grafanaPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#39": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. This policy set is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"2.2.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsDestinationType\": {\n \"type\": \"String\",\n \"defaultValue\": \"AzureDiagnostics\",\n \"allowedValues\": [\n \"AzureDiagnostics\",\n \"Dedicated\"\n ],\n \"metadata\": {\n \"displayName\": \"Destination table for the Diagnostic Setting for API Management to Log Analytics workspace\",\n \"description\": \"Destination table for the diagnostic setting for API Management to Log Analytics workspace, allowed values are 'Dedicated' (for resource-specific) and 'AzureDiagnostics'. Default value is 'AzureDiagnostics'\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsDestinationType\": {\n \"type\": \"String\",\n \"defaultValue\": \"AzureDiagnostics\",\n \"allowedValues\": [\n \"AzureDiagnostics\",\n \"Dedicated\"\n ],\n \"metadata\": {\n \"displayName\": \"Destination table for the Diagnostic Setting for Firewall to Log Analytics workspace\",\n \"description\": \"Destination table for the diagnostic setting for Firewall to Log Analytics workspace, allowed values are 'Dedicated' (for resource-specific) and 'AzureDiagnostics'. Default value is 'AzureDiagnostics'\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Log Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Log Analytics to stream to a Log Analytics workspace when any Log Analytics workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category Audit enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AVDScalingPlansLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VWanS2SVPNGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59759c62-9a22-4cdf-ae64-074495983fef\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountBlobServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4fe1a3b-0715-4c6c-a5ea-ffc33cf823cb\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountFileServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/25a70cc8-2bd4-47f1-90b6-1478e4662c96\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountQueueServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7bd000e3-37c7-4928-9f31-86c4b77c5c45\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountTableServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2fb86bf3-d221-43d1-96d1-2434af34eaa0\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AVDScalingPlansDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AVDScalingPlans\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AVDScalingPlansLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"logAnalyticsDestinationType\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsDestinationType')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"logAnalyticsDestinationType\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsDestinationType')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#4": "{\n \"name\": \"Enforce-EncryptTransit\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit_20240509.html\",\n \"metadata\": {\n \"version\": \"2.1.0-deprecated\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"Enforce-EncryptTransit_20240509\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageminimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"StorageHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"ContainerAppsHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n }", - "$fxv#40": "{\n \"name\": \"Deploy-MDFC-Config_20240319\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"2.2.0\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Deploy-MDFC-Config\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"createResourceGroup\":{\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"Create resource group\",\n \"description\": \"If a resource group does not exists in the scope, a new resource group will be created. If the resource group exists and this flag is set to 'true' the policy will re-deploy the resource group. Please note this will reset any Azure Tag on the resource group.\"\n },\n \"defaultValue\": true,\n \"allowedValues\": [\n true,\n false\n ]\n },\n \"enableAscForCosmosDbs\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSqlOnVm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForArm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForOssDb\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForAppServices\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForKeyVault\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForStorage\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServersVulnerabilityAssessments\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"vulnerabilityAssessmentProvider\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"default\",\n \"mdeTvm\"\n ],\n \"defaultValue\": \"mdeTvm\",\n \"metadata\": {\n \"displayName\": \"Vulnerability assessment provider type\",\n \"description\": \"Select the vulnerability assessment solution to provision to machines.\"\n }\n },\n \"enableAscForCspm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableTvmCheck\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForOssDb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForOssDb')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVMVulnerabilityAssessment\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b\",\n \"definitionVersion\": \"4.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServersVulnerabilityAssessments')]\"\n },\n \"vaType\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentProvider')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlServerVirtualMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSqlOnVm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForAppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForAppServices')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForStorageAccountsV2\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForStorage')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5\",\n \"definitionVersion\": \"4.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n },\n \"logAnalyticsWorkspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azurePolicyForKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n \"definitionVersion\": \"4.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForKeyVaults\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForKeyVault')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForArm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForArm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCosmosDbs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCosmosDbs')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCspm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/72f8cee7-2937-403d-84a1-a4e3e57f3c21\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCspm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\": {\n \"value\": \"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"definitionVersion\": \"4.*.*\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"createResourceGroup\": {\n \"value\": \"[[parameters('createResourceGroup')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"migrateToMdeTvm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/766e621d-ba95-4e43-a6f2-e945db3d7888\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableTvmCheck')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#41": "{\n \"name\": \"Deploy-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"2.4.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"dnsZoneSubscriptionId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"Subscription Id\",\n \"description\": \"The subscription id where the private DNS zones are deployed. If this is specified, it will override any individual private DNS zone resource ids specified.\"\n }\n },\n \"dnsZoneResourceGroupName\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"Resource Group Name\",\n \"description\": \"The resource group where the private DNS zones are deployed. If this is specified, it will override any individual private DNS zone resource ids specified.\"\n }\n },\n \"dnsZoneResourceType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Microsoft.Network/privateDnsZones\",\n \"metadata\": {\n \"displayName\": \"Resource Type\",\n \"description\": \"The resource type where the private DNS zones are deployed. If this is specified, it will override any individual private DNS zone resource ids specified.\"\n }\n },\n \"dnsZoneRegion\": {\n \"type\": \"string\",\n \"defaultValue\": \"changeme\",\n \"metadata\": {\n \"displayName\": \"Region\",\n \"description\": \"The region where the private DNS zones are deployed. If this is specified, it will override any individual private DNS zone resource ids specified.\"\n }\n },\n \"dnzZoneRegionShortNames\": {\n \"type\": \"object\",\n \"defaultValue\": {\n \"changeme\": \"changeme\",\n \"australiacentral\" : \"acl\",\n \"australiacentral2\" : \"acl2\",\n \"australiaeast\" : \"ae\",\n \"australiasoutheast\" : \"ase\",\n \"brazilsoutheast\" : \"bse\",\n \"brazilsouth\" : \"brs\",\n \"canadacentral\" : \"cnc\",\n \"canadaeast\" : \"cne\",\n \"centralindia\" : \"inc\",\n \"centralus\" : \"cus\",\n \"centraluseuap\" : \"ccy\",\n \"chilecentral\" : \"clc\",\n \"eastasia\" : \"ea\",\n \"eastus\" : \"eus\",\n \"eastus2\" : \"eus2\",\n \"eastus2euap\" : \"ecy\",\n \"francecentral\" : \"frc\",\n \"francesouth\" : \"frs\",\n \"germanynorth\" : \"gn\",\n \"germanywestcentral\" : \"gwc\",\n \"israelcentral\" : \"ilc\",\n \"italynorth\" : \"itn\",\n \"japaneast\" : \"jpe\",\n \"japanwest\" : \"jpw\",\n \"koreacentral\" : \"krc\",\n \"koreasouth\" : \"krs\",\n \"malaysiasouth\" : \"mys\",\n \"malaysiawest\" : \"myw\",\n \"mexicocentral\" : \"mxc\",\n \"newzealandnorth\" : \"nzn\",\n \"northcentralus\" : \"ncus\",\n \"northeurope\" : \"ne\",\n \"norwayeast\" : \"nwe\",\n \"norwaywest\" : \"nww\",\n \"polandcentral\" : \"plc\",\n \"qatarcentral\" : \"qac\",\n \"southafricanorth\" : \"san\",\n \"southafricawest\" : \"saw\",\n \"southcentralus\" : \"scus\",\n \"southeastasia\" : \"sea\",\n \"southindia\" : \"ins\",\n \"spaincentral\" : \"spc\",\n \"swedencentral\" : \"sdc\",\n \"swedensouth\" : \"sds\",\n \"switzerlandnorth\" : \"szn\",\n \"switzerlandwest\" : \"szw\",\n \"taiwannorth\" : \"twn\",\n \"uaecentral\" : \"uac\",\n \"uaenorth\" : \"uan\",\n \"uksouth\" : \"uks\",\n \"ukwest\" : \"ukw\",\n \"westcentralus\" : \"wcus\",\n \"westeurope\" : \"we\",\n \"westindia\" : \"inw\",\n \"westus\" : \"wus\",\n \"westus2\" : \"wus2\",\n \"westus3\" : \"wus3\"\n },\n \"metadata\": {\n \"displayName\": \"Region Short Name Mapping\",\n \"description\": \"Mapping of region to private DNS zone resource id. If the region is not specified, the default private DNS zone resource id will be used.\"\n }\n },\n \"dnsZoneNames\": {\n \"type\": \"object\",\n \"defaultValue\": {\n \"azureAcrPrivateDnsZoneId\": \"privatelink.azurecr.io\",\n \"azureAcrDataPrivateDnsZoneId\": \"{regionName}.data.privatelink.azurecr.io\",\n \"azureAppPrivateDnsZoneId\": \"privatelink.azconfig.io\",\n \"azureAppServicesPrivateDnsZoneId\": \"privatelink.azurewebsites.net\",\n \"azureArcGuestconfigurationPrivateDnsZoneId\": \"privatelink.guestconfiguration.azure.com\",\n \"azureArcHybridResourceProviderPrivateDnsZoneId\": \"privatelink.his.arc.azure.com\",\n \"azureArcKubernetesConfigurationPrivateDnsZoneId\": \"privatelink.dp.kubernetesconfiguration.azure.com\",\n \"azureAsrPrivateDnsZoneId\": \"privatelink.siterecovery.windowsazure.com\",\n \"azureAutomationDSCHybridPrivateDnsZoneId\": \"privatelink.azure-automation.net\",\n \"azureAutomationWebhookPrivateDnsZoneId\": \"privatelink.azure-automation.net\",\n \"azureBatchPrivateDnsZoneId\": \"privatelink.batch.azure.com\",\n \"azureBotServicePrivateDnsZoneId\": \"privatelink.directline.botframework.com\",\n \"azureCognitiveSearchPrivateDnsZoneId\": \"privatelink.search.windows.net\",\n \"azureCognitiveServicesPrivateDnsZoneId\": \"privatelink.cognitiveservices.azure.com\",\n \"azureCosmosCassandraPrivateDnsZoneId\": \"privatelink.cassandra.cosmos.azure.com\",\n \"azureCosmosGremlinPrivateDnsZoneId\": \"privatelink.gremlin.cosmos.azure.com\",\n \"azureCosmosMongoPrivateDnsZoneId\": \"privatelink.mongo.cosmos.azure.com\",\n \"azureCosmosSQLPrivateDnsZoneId\": \"privatelink.documents.azure.com\",\n \"azureCosmosTablePrivateDnsZoneId\": \"privatelink.table.cosmos.azure.com\",\n \"azureDataExplorerPrivateDnsZoneId\": \"privatelink.{regionName}.kusto.windows.net\",\n \"azureDataFactoryPortalPrivateDnsZoneId\": \"privatelink.adf.azure.com\",\n \"azureDataFactoryPrivateDnsZoneId\": \"privatelink.datafactory.azure.net\",\n \"azureDatabricksPrivateDnsZoneId\": \"privatelink.azuredatabricks.net\",\n \"azureDiskAccessPrivateDnsZoneId\": \"privatelink.blob.core.windows.net\",\n \"azureEventGridDomainsPrivateDnsZoneId\": \"privatelink.eventgrid.azure.net\",\n \"azureEventGridTopicsPrivateDnsZoneId\": \"privatelink.eventgrid.azure.net\",\n \"azureEventHubNamespacePrivateDnsZoneId\": \"privatelink.servicebus.windows.net\",\n \"azureFilePrivateDnsZoneId\": \"privatelink.afs.azure.net\",\n \"azureHDInsightPrivateDnsZoneId\": \"privatelink.azurehdinsight.net\",\n \"azureIotCentralPrivateDnsZoneId\": \"privatelink.azureiotcentral.com\",\n \"azureIotDeviceupdatePrivateDnsZoneId\": \"privatelink.azure-devices.net\",\n \"azureIotHubsPrivateDnsZoneId\": \"privatelink.azure-devices.net\",\n \"azureIotPrivateDnsZoneId\": \"privatelink.azure-devices-provisioning.net\",\n \"azureKeyVaultPrivateDnsZoneId\": \"privatelink.vaultcore.azure.net\",\n \"azureKubernetesManagementPrivateDnsZoneId\": \"privatelink.{regionName}.azmk8s.io\",\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": \"privatelink.api.azureml.ms\",\n \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\": \"privatelink.notebooks.azure.net\",\n \"azureManagedGrafanaWorkspacePrivateDnsZoneId\": \"privatelink.grafana.azure.com\",\n \"azureMediaServicesKeyPrivateDnsZoneId\": \"privatelink.media.azure.net\",\n \"azureMediaServicesLivePrivateDnsZoneId\": \"privatelink.media.azure.net\",\n \"azureMediaServicesStreamPrivateDnsZoneId\": \"privatelink.media.azure.net\",\n \"azureMigratePrivateDnsZoneId\": \"privatelink.prod.migration.windowsazure.com\",\n \"azureMonitorPrivateDnsZoneId1\": \"privatelink.monitor.azure.com\",\n \"azureMonitorPrivateDnsZoneId2\": \"privatelink.oms.opinsights.azure.com\",\n \"azureMonitorPrivateDnsZoneId3\": \"privatelink.ods.opinsights.azure.com\",\n \"azureMonitorPrivateDnsZoneId4\": \"privatelink.agentsvc.azure-automation.net\",\n \"azureMonitorPrivateDnsZoneId5\": \"privatelink.blob.core.windows.net\",\n \"azureRedisCachePrivateDnsZoneId\": \"privatelink.redis.cache.windows.net\",\n \"azureServiceBusNamespacePrivateDnsZoneId\": \"privatelink.servicebus.windows.net\",\n \"azureSignalRPrivateDnsZoneId\": \"privatelink.service.signalr.net\",\n \"azureSiteRecoveryBackupPrivateDnsZoneId\": \"privatelink.{regionCode}.backup.windowsazure.com\",\n \"azureSiteRecoveryBlobPrivateDnsZoneId\": \"privatelink.blob.core.windows.net\",\n \"azureSiteRecoveryQueuePrivateDnsZoneId\": \"privatelink.queue.core.windows.net\",\n \"azureStorageBlobPrivateDnsZoneId\": \"privatelink.blob.core.windows.net\",\n \"azureStorageBlobSecPrivateDnsZoneId\": \"privatelink.blob.core.windows.net\",\n \"azureStorageDFSPrivateDnsZoneId\": \"privatelink.dfs.core.windows.net\",\n \"azureStorageDFSSecPrivateDnsZoneId\": \"privatelink.dfs.core.windows.net\",\n \"azureStorageFilePrivateDnsZoneId\": \"privatelink.file.core.windows.net\",\n \"azureStorageQueuePrivateDnsZoneId\": \"privatelink.queue.core.windows.net\",\n \"azureStorageQueueSecPrivateDnsZoneId\": \"privatelink.queue.core.windows.net\",\n \"azureStorageStaticWebPrivateDnsZoneId\": \"privatelink.web.core.windows.net\",\n \"azureStorageStaticWebSecPrivateDnsZoneId\": \"privatelink.web.core.windows.net\",\n \"azureStorageTablePrivateDnsZoneId\": \"privatelink.table.core.windows.net\",\n \"azureStorageTableSecondaryPrivateDnsZoneId\": \"privatelink.table.core.windows.net\",\n \"azureSynapseDevPrivateDnsZoneId\": \"privatelink.dev.azuresynapse.net\",\n \"azureSynapseSQLPrivateDnsZoneId\": \"privatelink.sql.azuresynapse.net\",\n \"azureSynapseSQLODPrivateDnsZoneId\": \"privatelink.sql.azuresynapse.net\",\n \"azureVirtualDesktopHostpoolPrivateDnsZoneId\": \"privatelink.wvd.microsoft.com\",\n \"azureVirtualDesktopWorkspacePrivateDnsZoneId\": \"privatelink.wvd.microsoft.com\",\n \"azureWebPrivateDnsZoneId\": \"privatelink.webpubsub.azure.com\"\n },\n \"metadata\": {\n \"displayName\": \"DNS Zone Names\",\n \"description\": \"The list of private DNS zone names to be used for the Azure PaaS services.\"\n }\n },\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationWebhookPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationWebhookPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationDSCHybridPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationDSCHybridPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosMongoPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosMongoPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosCassandraPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosCassandraPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosGremlinPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosGremlinPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPortalPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPortalPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDatabricksPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDatabricksPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureHDInsightPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureHDInsightPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMigratePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMigratePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageBlobPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageBlobPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageBlobSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageBlobSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageQueuePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageQueuePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageQueueSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageQueueSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageStaticWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageStaticWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageStaticWebSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageStaticWebSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageDFSPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageDFSPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageDFSSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageDFSSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLODPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLODPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseDevPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseDevPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesKeyPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesKeyPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesLivePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesLivePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesStreamPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesStreamPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId1\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId1\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId2\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId2\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId3\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId3\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId4\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId4\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId5\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId5\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBotServicePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBotServicePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureManagedGrafanaWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureManagedGrafanaWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopHostpoolPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopHostpoolPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotDeviceupdatePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotDeviceupdatePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureArcGuestconfigurationPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureArcGuestconfigurationPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureArcHybridResourceProviderPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureArcHybridResourceProviderPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureArcKubernetesConfigurationPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureArcKubernetesConfigurationPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotCentralPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotCentralPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTableSecondaryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTableSecondaryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBackupPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBackupPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBlobPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBlobPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryQueuePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryQueuePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureFilePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureFilePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-Webhook\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAutomationWebhookPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAutomationWebhookPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Webhook\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-DSCHybrid\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAutomationDSCHybridPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAutomationDSCHybridPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"DSCAndHybridWorker\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCosmosSQLPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCosmosSQLPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"SQL\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-MongoDB\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCosmosMongoPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCosmosMongoPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"MongoDB\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Cassandra\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCosmosCassandraPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCosmosCassandraPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Cassandra\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Gremlin\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCosmosGremlinPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCosmosGremlinPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Gremlin\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCosmosTablePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCosmosTablePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Table\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureDataFactoryPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureDataFactoryPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"dataFactory\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory-Portal\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureDataFactoryPortalPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureDataFactoryPortalPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"portal\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Databricks-UI-Api\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureDatabricksPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureDatabricksPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"groupId\": {\n \"value\": \"databricks_ui_api\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Databricks-Browser-AuthN\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureDatabricksPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureDatabricksPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"groupId\": {\n \"value\": \"browser_authentication\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-HDInsight\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43d6e3bd-fc6a-4b44-8b4d-2151d8736a11\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureHDInsightPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureHDInsightPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"groupId\": {\n \"value\": \"cluster\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Migrate\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7590a335-57cf-4c95-babd-ecbc8fafeb1f\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMigratePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMigratePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75973700-529f-4de2-b794-fb9b6781b6b0\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageBlobPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageBlobPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d847d34b-9337-4e2d-99a5-767e5ac9c582\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageBlobSecPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageBlobSecPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bcff79fb-2b0d-47c9-97e5-3023479b00d1\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageQueuePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageQueuePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageQueueSecPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageQueueSecPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-File\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6df98d03-368a-4438-8730-a93c4d7693d6\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageFilePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageFilePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9adab2a5-05ba-4fbd-831a-5bf958d04218\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageStaticWebPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageStaticWebPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d19ae5f1-b303-4b82-9ca8-7682749faf0c\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageStaticWebSecPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageStaticWebSecPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83c6fe0f-2316-444a-99a1-1ecd8a7872ca\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageDFSPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageDFSPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/90bd4cb3-9f59-45f7-a6ca-f69db2726671\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageDFSSecPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageDFSSecPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSynapseSQLPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSynapseSQLPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"targetSubResource\": {\n \"value\": \"Sql\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL-OnDemand\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSynapseSQLODPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSynapseSQLODPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"targetSubResource\": {\n \"value\": \"SqlOnDemand\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-Dev\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSynapseDevPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSynapseDevPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"targetSubResource\": {\n \"value\": \"Dev\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Key\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMediaServicesKeyPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMediaServicesKeyPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"groupId\": {\n \"value\": \"keydelivery\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Live\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMediaServicesLivePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMediaServicesLivePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"groupId\": {\n \"value\": \"liveevent\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Stream\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMediaServicesStreamPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMediaServicesStreamPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"groupId\": {\n \"value\": \"streamingendpoint\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Monitor\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/437914ee-c176-4fff-8986-7e05eb971365\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId1\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMonitorPrivateDnsZoneId1'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMonitorPrivateDnsZoneId1, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZoneId2\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMonitorPrivateDnsZoneId2'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMonitorPrivateDnsZoneId2, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZoneId3\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMonitorPrivateDnsZoneId3'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMonitorPrivateDnsZoneId3, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZoneId4\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMonitorPrivateDnsZoneId4'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMonitorPrivateDnsZoneId4, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZoneId5\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMonitorPrivateDnsZoneId5'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMonitorPrivateDnsZoneId5, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Web\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureWebPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureWebPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureBatchPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureBatchPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAppPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAppPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAsrPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAsrPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureIotPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureIotPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureKeyVaultPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureKeyVaultPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSignalRPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSignalRPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAppServicesPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAppServicesPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureEventGridTopicsPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureEventGridTopicsPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureDiskAccessPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureDiskAccessPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCognitiveServicesPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCognitiveServicesPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureIotHubsPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureIotHubsPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureEventGridDomainsPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureEventGridDomainsPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureRedisCachePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureRedisCachePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAcrPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAcrPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureEventHubNamespacePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureEventHubNamespacePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMachineLearningWorkspacePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMachineLearningWorkspacePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"secondPrivateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMachineLearningWorkspaceSecondPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMachineLearningWorkspaceSecondPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureServiceBusNamespacePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureServiceBusNamespacePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCognitiveSearchPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCognitiveSearchPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-BotService\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6a4e6f44-f2af-4082-9702-033c9e88b9f8\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureBotServicePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureBotServicePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ManagedGrafanaWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4c8537f8-cd1b-49ec-b704-18e82a42fd58\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureManagedGrafanaWorkspacePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureManagedGrafanaWorkspacePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopHostpool\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9427df23-0f42-4e1e-bf99-a6133d841c4a\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureVirtualDesktopHostpoolPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureVirtualDesktopHostpoolPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"connection\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34804460-d88b-4922-a7ca-537165e060ed\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureVirtualDesktopWorkspacePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureVirtualDesktopWorkspacePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"feed\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTDeviceupdate\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a222b93a-e6c2-4c01-817f-21e092455b2a\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureIotDeviceupdatePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureIotDeviceupdatePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Arc\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55c4db33-97b0-437b-8469-c4f4498f5df9\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\":{\n \"privateDnsZoneIDForGuestConfiguration\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureArcGuestconfigurationPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureArcGuestconfigurationPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZoneIDForHybridResourceProvider\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureArcHybridResourceProviderPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureArcHybridResourceProviderPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZoneIDForKubernetesConfiguration\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureArcKubernetesConfigurationPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureArcKubernetesConfigurationPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTCentral\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d627d7c6-ded5-481a-8f2e-7e16b1e6faf6\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureIotCentralPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureIotCentralPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/028bbd88-e9b5-461f-9424-a1b63a7bee1a\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageTablePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageTablePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table-Secondary\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c1d634a5-f73d-4cdd-889f-2cc7006eb47f\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageTableSecondaryPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageTableSecondaryPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery-Backup\",\n \"policyDefinitionId\":\"/providers/Microsoft.Authorization/policyDefinitions/af783da1-4ad1-42be-800d-d19c70038820\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"parameters\":{\n \"privateDnsZone-Backup\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSiteRecoveryBackupPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSiteRecoveryBackupPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZone-Blob\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSiteRecoveryBlobPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSiteRecoveryBlobPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZone-Queue\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSiteRecoveryQueuePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSiteRecoveryQueuePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#42": "{\n \"name\": \"Enforce-Encryption-CMK\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"3.2.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"MySQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure MySQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"PostgreSQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure PostgreSQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"HealthcareAPIsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure API for FHIR should use a customer-managed key (CMK) to encrypt data at rest\",\n \"description\": \"Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n },\n \"AutomationAccountCmkEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"BackupCmkEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveSearchCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"osAndDataDiskCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerInstanceCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"eventHubPremiumCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusDenyCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlManagedCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageTableCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsEncryptionCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageQueueCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"botServiceCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"audit\",\n \"Deny\",\n \"deny\",\n \"Disabled\",\n \"disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HealthcareAPIsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('HealthcareAPIsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/56a5ee18-2ae6-4810-86f7-18e39ce5629b\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AutomationAccountCmkEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2e94d99a-8a36-4563-bc77-810d8893b671\",\n \"policyDefinitionReferenceId\": \"Deny-Backup-Cmk\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BackupCmkEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/76a56461-9dc0-40f0-82f5-2453283afa2f\",\n \"policyDefinitionReferenceId\": \"Deny-CognitiveSearch-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/702dd420-7fcc-42c5-afe8-4026edd20fe0\",\n \"policyDefinitionReferenceId\": \"Deny-OsAndDataDisk-Cmk\",\n \"definitionVersion\": \"3.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('osAndDataDiskCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0aa61e00-0a01-4a3c-9945-e93cffedf0e6\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerInstance-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerInstanceCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/81e74cea-30fd-40d5-802f-d72103c2aaaa\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec52d6d-beb7-40c4-9a9e-fe753254690e\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a1ad735a-e96f-45d2-a7b2-9a4932cab7ec\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-Premium-CMK\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Premium-CMK\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubPremiumCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/295fc8b1-dc9f-4f53-9c61-3f313ceab40a\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDenyCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac01ad65-10e5-46df-bdd9-6b0cad13e1d2\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Cmk\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7c322315-e26d-4174-a99e-f49d351b4688\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Table-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageTableCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b5ec538c-daa0-4006-8596-35468b9148e8\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Encryption-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsEncryptionCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e5abd0-2554-4736-b7c0-4ffef23475ef\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Queue-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageQueueCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/51522a96-0869-4791-82f3-981000c2c67f\",\n \"policyDefinitionReferenceId\": \"Deny-BotService-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('botServiceCmk')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#43": "{\n \"name\": \"Enforce-ACSB\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce Azure Compute Security Benchmark compliance auditing\",\n \"description\": \"Enforce Azure Compute Security Benchmark compliance auditing for Windows and Linux virtual machines.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Guest Configuration\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"includeArcMachines\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"true\",\n \"false\"\n ],\n \"metadata\": {\n \"displayName\": \"Include Arc connected servers\",\n \"description\": \"By selecting this option, you agree to be charged monthly per Arc connected machine.\"\n },\n \"defaultValue\": \"true\"\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"AuditIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"GcIdentity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e\",\n \"definitionVersion\": \"4.*.*\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"GcLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da\",\n \"definitionVersion\": \"3.*.*\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"GcWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WinAcsb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"IncludeArcMachines\": {\n \"value\": \"[[parameters('includeArcMachines')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LinAcsb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"IncludeArcMachines\": {\n \"value\": \"[[parameters('includeArcMachines')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#44": "{\n \"name\": \"Deploy-MDFC-DefenderSQL-AMA\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Configure SQL VM and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LAW\",\n \"description\": \"Initiative is deprecated as the built-in initiative now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/de01d381-bae9-4670-8870-786f89f49e26.html\",\n \"metadata\": {\n \"version\": \"1.0.1-deprecated\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"de01d381-bae9-4670-8870-786f89f49e26\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"workspaceRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace region\",\n \"description\": \"Region of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"location\"\n }\n },\n \"dcrName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Name\",\n \"description\": \"Name of the Data Collection Rule.\"\n }\n },\n \"dcrResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Resource Group\",\n \"description\": \"Resource Group of the Data Collection Rule.\"\n }\n },\n \"dcrId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Id\",\n \"description\": \"Id of the Data Collection Rule.\"\n }\n },\n \"userWorkspaceResourceId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace Resource Id\",\n \"description\": \"Workspace resource Id of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"Enable collection of SQL queries for security research\",\n \"description\": \"Enable or disable the collection of SQL queries for security research.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n },\n \"identityResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Identity Resource Group\",\n \"description\": \"The name of the resource group created by the policy.\"\n },\n \"defaultValue\": \"\"\n },\n \"userAssignedIdentityName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"User Assigned Managed Identity Name\",\n \"description\": \"The name of the user assigned managed identity.\"\n },\n \"defaultValue\": \"\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcAma\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3592ff98-9787-443a-af59-4505d0fe0786\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcMdsql\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/65503269-6a54-4553-8a28-0065a8e6d929\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcMdsqlDcr\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-Sql-DefenderSQL-DCR\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"userWorkspaceResourceId\": {\n \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcDcrAssociation\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-SQL-DCR-Association\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlAma\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-AMA\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"identityResourceGroup\": {\n \"value\": \"[[parameters('identityResourceGroup')]\"\n },\n \"userAssignedIdentityName\": {\n \"value\": \"[[parameters('userAssignedIdentityName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlMdsql\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlMdsqlDcr\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL-DCR\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"Disabled\"\n },\n \"userWorkspaceResourceId\": {\n \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#45": "{\n \"name\": \"Enforce-Backup\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce enhanced recovery and backup policies\",\n \"description\": \"Enforce enhanced recovery and backup policies on assigned scopes.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Backup\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"version\": \"1.0.0\",\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"checkLockedImmutabilityOnly\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"checkLockedImmutabilityOnly\",\n \"description\": \"This parameter checks if Immutability is locked for Backup Vaults in scope. Selecting 'true' will mark only vaults with Immutability 'Locked' as compliant. Selecting 'false' will mark vaults that have Immutability either 'Enabled' or 'Locked' as compliant.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"CheckAlwaysOnSoftDeleteOnly\",\n \"description\": \"This parameter checks if Soft Delete is 'Locked' for Backup Vaults in scope. Selecting 'true' will mark only vaults with Soft Delete 'AlwaysOn' as compliant. Selecting 'false' will mark vaults that have Soft Delete either 'On' or 'AlwaysOn' as compliant.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-Immutability\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2514263b-bc0d-4b06-ac3e-f262c0979018\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkLockedImmutabiltyOnly\": {\n \"value\": \"[[parameters('checkLockedImmutabilityOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-Immutability\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6f6f560-14b7-49a4-9fc8-d2c3a9807868\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkLockedImmutabilityOnly\": {\n \"value\": \"[[parameters('checkLockedImmutabilityOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-SoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9798d31d-6028-4dee-8643-46102185c016\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"value\": \"[[parameters('checkAlwaysOnSoftDeleteOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-SoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/31b8092a-36b8-434b-9af7-5ec844364148\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"value\": \"[[parameters('checkAlwaysOnSoftDeleteOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-MUA\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c58e083e-7982-4e24-afdc-be14d312389e\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-MUA\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c7031eab-0fc0-4cd9-acd0-4497bd66d91a\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#46": "{\n \"name\": \"Deny-PublicPaaSEndpoints\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registires with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MariaDbPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-KeyVaultPaasPublicIP\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AFSPaasPublicIP\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#47": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VWanS2SVPNGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#48": "{\n \"name\": \"Deploy-MDFC-Config\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"3.0.1\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\":{\n \"value\":\"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#49": "{\n \"name\": \"Deploy-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"Deploy-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-File-Sync\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-Private-DNS-Azure-Web\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-Web\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureWebPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-KeyVault\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#5": "{\n \"name\": \"Enforce-EncryptTransit_20240509\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. \",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Enforce-EncryptTransit\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.3\",\n \"1.2\",\n \"1.1\",\n \"1.0\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionAppTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Configure Function apps to use the latest TLS version.\",\n \"description\": \"App Service Function App. Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.\"\n },\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"LogicAppTlsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageMinimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"ContainerAppsHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"logicAppHttpsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubMinTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlDbTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"definitionVersion\": \"8.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Dine-FunctionApp-Tls\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-LogicApp-TLS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('LogicAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https\",\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Without-Https\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppHttpsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063\",\n \"policyDefinitionReferenceId\": \"Dine-Function-Apps-Slots-Tls\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Tls\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Apps-Https\",\n \"definitionVersion\": \"4.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Tls\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-AppSlotTls\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71\",\n \"policyDefinitionReferenceId\": \"Deny-FuncAppSlots-Https\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\n \"policyDefinitionReferenceId\": \"Deny-FunctionApp-Https\",\n \"definitionVersion\": \"5.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Https\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Https\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-minTLS\",\n \"policyDefinitionReferenceId\": \"Deny-EH-minTLS\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubMinTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8793640-60f7-487c-b5c3-1d37215905c4\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Tls-Version\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Db-Tls\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlDbTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Tls\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tls-Version\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTlsVersion')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#50": "{\n \"name\": \"Enforce-Encryption-CMK\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"MySQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure MySQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"PostgreSQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure PostgreSQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n\t \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQLCMKEffect\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQLCMKEffect\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#51": "{\n \"name\": \"Deny-PublicPaaSEndpoints\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registires with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MariaDbPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#52": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VWanS2SVPNGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#53": "{\n \"name\": \"Deploy-MDFC-Config\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"3.0.1\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForDns\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForArm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForStorage\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForStorageAccounts\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForStorage')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForDns\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForDns')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForArm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForArm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\":{\n \"value\":\"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#54": "{\n \"name\": \"Deploy-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#55": "{\n \"name\": \"Enforce-Encryption-CMK\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n\t \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#6": "{\n \"name\": \"Enforce-ALZ-Decomm\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce policies in the Decommissioned Landing Zone\",\n \"description\": \"Enforce policies in the Decommissioned Landing Zone.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Decommissioned\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [ \n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"listOfResourceTypesAllowed\":{\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"displayName\": \"Allowed resource types in the Decommissioned landing zone\",\n \"description\": \"Allowed resource types in the Decommissioned landing zone, default is none.\",\n \"strongType\": \"resourceTypes\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DecomDenyResources\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"listOfResourceTypesAllowed\": {\n \"value\": \"[[parameters('listOfResourceTypesAllowed')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DecomShutdownMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {},\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n }\n ", - "$fxv#7": "{\n \"name\": \"Enforce-ALZ-Sandbox\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce policies in the Sandbox Landing Zone\",\n \"description\": \"Enforce policies in the Sandbox Landing Zone.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Sandbox\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"listOfResourceTypesNotAllowed\": {\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"displayName\": \"Not allowed resource types in the Sandbox landing zone\",\n \"description\": \"Not allowed resource types in the Sandbox landing zone, default is none.\",\n \"strongType\": \"resourceTypes\"\n }\n },\n \"effectNotAllowedResources\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectDenyVnetPeering\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"SandboxNotAllowed\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectNotAllowedResources')]\"\n },\n \"listOfResourceTypesNotAllowed\": {\n \"value\": \"[[parameters('listOfResourceTypesNotAllowed')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SandboxDenyVnetPeering\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-VNET-Peer-Cross-Sub\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectDenyVnetPeering')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#8": "{\n \"name\": \"DenyAction-DeleteProtection\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"DenyAction Delete - Activity Log Settings and Diagnostic Settings\",\n \"description\": \"Enforces DenyAction - Delete on Activity Log Settings and Diagnostic Settings.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {},\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DenyActionDelete-DiagnosticSettings\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-DiagnosticLogs\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DenyActionDelete-ActivityLogSettings\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-ActivityLogs\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {},\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#9": "{\n \"name\": \"Deploy-AUM-CheckUpdates\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure periodic checking for missing system updates on azure virtual machines and Arc-enabled virtual machines\",\n \"description\": \"Configure auto-assessment (every 24 hours) for OS updates. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"assessmentMode\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Assessment mode\",\n \"description\": \"Assessment mode for the machines.\"\n },\n \"allowedValues\": [\n \"ImageDefault\",\n \"AutomaticByPlatform\"\n ],\n \"defaultValue\": \"AutomaticByPlatform\"\n },\n \"locations\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Machines locations\",\n \"description\": \"The list of locations from which machines need to be targeted.\",\n \"strongType\": \"location\"\n },\n \"defaultValue\": []\n },\n \"tagValues\": {\n \"type\": \"Object\",\n \"metadata\": {\n \"displayName\": \"Tags on machines\",\n \"description\": \"The list of tags that need to matched for getting target machines.\"\n },\n \"defaultValue\": {}\n },\n \"tagOperator\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Tag operator\",\n \"description\": \"Matching condition for resource tags\"\n },\n \"allowedValues\": [\n \"All\",\n \"Any\"\n ],\n \"defaultValue\": \"Any\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmCheckUpdateWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15\",\n \"definitionVersion\": \"4.*.*\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Windows\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmCheckUpdateLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15\",\n \"definitionVersion\": \"4.*.*\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Linux\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmArcCheckUpdateWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Windows\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmArcCheckUpdateLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Linux\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#40": "{\n \"name\": \"Deploy-MDFC-Config\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config_20240319.html\",\n \"metadata\": {\n \"version\": \"7.0.0-deprecated\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"Deploy-MDFC-Config_20240319\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForCosmosDbs\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSqlOnVm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForDns\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForArm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForOssDb\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForAppServices\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForKeyVault\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForStorage\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServersVulnerabilityAssessments\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"vulnerabilityAssessmentProvider\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"default\",\n \"mdeTvm\"\n ],\n \"defaultValue\": \"default\",\n \"metadata\": {\n \"displayName\": \"Vulnerability assessment provider type\",\n \"description\": \"Select the vulnerability assessment solution to provision to machines.\"\n }\n },\n \"enableAscForApis\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForCspm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForOssDb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForOssDb')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVMVulnerabilityAssessment\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServersVulnerabilityAssessments')]\"\n },\n \"vaType\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentProvider')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlServerVirtualMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSqlOnVm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForAppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForAppServices')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForStorageAccountsV2\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForStorage')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n },\n \"logAnalyticsWorkspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azurePolicyForKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForKeyVaults\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForKeyVault')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForDns\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForDns')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForArm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForArm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCosmosDbs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCosmosDbs')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForApis\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e54d2be9-5f2e-4d65-98e4-4f0e670b23d6\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForApis')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCspm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCspm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\": {\n \"value\": \"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"migrateToMdeTvm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/766e621d-ba95-4e43-a6f2-e945db3d7888\",\n \"parameters\": {\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#41": "{\n \"name\": \"Deploy-MDFC-Config_20240319\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"2.2.0\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Deploy-MDFC-Config\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"createResourceGroup\":{\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"Create resource group\",\n \"description\": \"If a resource group does not exists in the scope, a new resource group will be created. If the resource group exists and this flag is set to 'true' the policy will re-deploy the resource group. Please note this will reset any Azure Tag on the resource group.\"\n },\n \"defaultValue\": true,\n \"allowedValues\": [\n true,\n false\n ]\n },\n \"enableAscForCosmosDbs\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSqlOnVm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForArm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForOssDb\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForAppServices\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForKeyVault\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForStorage\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServersVulnerabilityAssessments\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"vulnerabilityAssessmentProvider\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"default\",\n \"mdeTvm\"\n ],\n \"defaultValue\": \"mdeTvm\",\n \"metadata\": {\n \"displayName\": \"Vulnerability assessment provider type\",\n \"description\": \"Select the vulnerability assessment solution to provision to machines.\"\n }\n },\n \"enableAscForCspm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableTvmCheck\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForOssDb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForOssDb')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVMVulnerabilityAssessment\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b\",\n \"definitionVersion\": \"4.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServersVulnerabilityAssessments')]\"\n },\n \"vaType\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentProvider')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlServerVirtualMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSqlOnVm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForAppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForAppServices')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForStorageAccountsV2\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForStorage')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5\",\n \"definitionVersion\": \"4.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n },\n \"logAnalyticsWorkspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azurePolicyForKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n \"definitionVersion\": \"4.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForKeyVaults\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForKeyVault')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForArm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForArm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCosmosDbs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCosmosDbs')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCspm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/72f8cee7-2937-403d-84a1-a4e3e57f3c21\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCspm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\": {\n \"value\": \"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"definitionVersion\": \"4.*.*\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"createResourceGroup\": {\n \"value\": \"[[parameters('createResourceGroup')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"migrateToMdeTvm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/766e621d-ba95-4e43-a6f2-e945db3d7888\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableTvmCheck')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#42": "{\n \"name\": \"Deploy-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"2.4.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"dnsZoneSubscriptionId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"Subscription Id\",\n \"description\": \"The subscription id where the private DNS zones are deployed. If this is specified, it will override any individual private DNS zone resource ids specified.\"\n }\n },\n \"dnsZoneResourceGroupName\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"Resource Group Name\",\n \"description\": \"The resource group where the private DNS zones are deployed. If this is specified, it will override any individual private DNS zone resource ids specified.\"\n }\n },\n \"dnsZoneResourceType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Microsoft.Network/privateDnsZones\",\n \"metadata\": {\n \"displayName\": \"Resource Type\",\n \"description\": \"The resource type where the private DNS zones are deployed. If this is specified, it will override any individual private DNS zone resource ids specified.\"\n }\n },\n \"dnsZoneRegion\": {\n \"type\": \"string\",\n \"defaultValue\": \"changeme\",\n \"metadata\": {\n \"displayName\": \"Region\",\n \"description\": \"The region where the private DNS zones are deployed. If this is specified, it will override any individual private DNS zone resource ids specified.\"\n }\n },\n \"dnzZoneRegionShortNames\": {\n \"type\": \"object\",\n \"defaultValue\": {\n \"changeme\": \"changeme\",\n \"australiacentral\" : \"acl\",\n \"australiacentral2\" : \"acl2\",\n \"australiaeast\" : \"ae\",\n \"australiasoutheast\" : \"ase\",\n \"brazilsoutheast\" : \"bse\",\n \"brazilsouth\" : \"brs\",\n \"canadacentral\" : \"cnc\",\n \"canadaeast\" : \"cne\",\n \"centralindia\" : \"inc\",\n \"centralus\" : \"cus\",\n \"centraluseuap\" : \"ccy\",\n \"chilecentral\" : \"clc\",\n \"eastasia\" : \"ea\",\n \"eastus\" : \"eus\",\n \"eastus2\" : \"eus2\",\n \"eastus2euap\" : \"ecy\",\n \"francecentral\" : \"frc\",\n \"francesouth\" : \"frs\",\n \"germanynorth\" : \"gn\",\n \"germanywestcentral\" : \"gwc\",\n \"israelcentral\" : \"ilc\",\n \"italynorth\" : \"itn\",\n \"japaneast\" : \"jpe\",\n \"japanwest\" : \"jpw\",\n \"koreacentral\" : \"krc\",\n \"koreasouth\" : \"krs\",\n \"malaysiasouth\" : \"mys\",\n \"malaysiawest\" : \"myw\",\n \"mexicocentral\" : \"mxc\",\n \"newzealandnorth\" : \"nzn\",\n \"northcentralus\" : \"ncus\",\n \"northeurope\" : \"ne\",\n \"norwayeast\" : \"nwe\",\n \"norwaywest\" : \"nww\",\n \"polandcentral\" : \"plc\",\n \"qatarcentral\" : \"qac\",\n \"southafricanorth\" : \"san\",\n \"southafricawest\" : \"saw\",\n \"southcentralus\" : \"scus\",\n \"southeastasia\" : \"sea\",\n \"southindia\" : \"ins\",\n \"spaincentral\" : \"spc\",\n \"swedencentral\" : \"sdc\",\n \"swedensouth\" : \"sds\",\n \"switzerlandnorth\" : \"szn\",\n \"switzerlandwest\" : \"szw\",\n \"taiwannorth\" : \"twn\",\n \"uaecentral\" : \"uac\",\n \"uaenorth\" : \"uan\",\n \"uksouth\" : \"uks\",\n \"ukwest\" : \"ukw\",\n \"westcentralus\" : \"wcus\",\n \"westeurope\" : \"we\",\n \"westindia\" : \"inw\",\n \"westus\" : \"wus\",\n \"westus2\" : \"wus2\",\n \"westus3\" : \"wus3\"\n },\n \"metadata\": {\n \"displayName\": \"Region Short Name Mapping\",\n \"description\": \"Mapping of region to private DNS zone resource id. If the region is not specified, the default private DNS zone resource id will be used.\"\n }\n },\n \"dnsZoneNames\": {\n \"type\": \"object\",\n \"defaultValue\": {\n \"azureAcrPrivateDnsZoneId\": \"privatelink.azurecr.io\",\n \"azureAcrDataPrivateDnsZoneId\": \"{regionName}.data.privatelink.azurecr.io\",\n \"azureAppPrivateDnsZoneId\": \"privatelink.azconfig.io\",\n \"azureAppServicesPrivateDnsZoneId\": \"privatelink.azurewebsites.net\",\n \"azureArcGuestconfigurationPrivateDnsZoneId\": \"privatelink.guestconfiguration.azure.com\",\n \"azureArcHybridResourceProviderPrivateDnsZoneId\": \"privatelink.his.arc.azure.com\",\n \"azureArcKubernetesConfigurationPrivateDnsZoneId\": \"privatelink.dp.kubernetesconfiguration.azure.com\",\n \"azureAsrPrivateDnsZoneId\": \"privatelink.siterecovery.windowsazure.com\",\n \"azureAutomationDSCHybridPrivateDnsZoneId\": \"privatelink.azure-automation.net\",\n \"azureAutomationWebhookPrivateDnsZoneId\": \"privatelink.azure-automation.net\",\n \"azureBatchPrivateDnsZoneId\": \"privatelink.batch.azure.com\",\n \"azureBotServicePrivateDnsZoneId\": \"privatelink.directline.botframework.com\",\n \"azureCognitiveSearchPrivateDnsZoneId\": \"privatelink.search.windows.net\",\n \"azureCognitiveServicesPrivateDnsZoneId\": \"privatelink.cognitiveservices.azure.com\",\n \"azureCosmosCassandraPrivateDnsZoneId\": \"privatelink.cassandra.cosmos.azure.com\",\n \"azureCosmosGremlinPrivateDnsZoneId\": \"privatelink.gremlin.cosmos.azure.com\",\n \"azureCosmosMongoPrivateDnsZoneId\": \"privatelink.mongo.cosmos.azure.com\",\n \"azureCosmosSQLPrivateDnsZoneId\": \"privatelink.documents.azure.com\",\n \"azureCosmosTablePrivateDnsZoneId\": \"privatelink.table.cosmos.azure.com\",\n \"azureDataExplorerPrivateDnsZoneId\": \"privatelink.{regionName}.kusto.windows.net\",\n \"azureDataFactoryPortalPrivateDnsZoneId\": \"privatelink.adf.azure.com\",\n \"azureDataFactoryPrivateDnsZoneId\": \"privatelink.datafactory.azure.net\",\n \"azureDatabricksPrivateDnsZoneId\": \"privatelink.azuredatabricks.net\",\n \"azureDiskAccessPrivateDnsZoneId\": \"privatelink.blob.core.windows.net\",\n \"azureEventGridDomainsPrivateDnsZoneId\": \"privatelink.eventgrid.azure.net\",\n \"azureEventGridTopicsPrivateDnsZoneId\": \"privatelink.eventgrid.azure.net\",\n \"azureEventHubNamespacePrivateDnsZoneId\": \"privatelink.servicebus.windows.net\",\n \"azureFilePrivateDnsZoneId\": \"privatelink.afs.azure.net\",\n \"azureHDInsightPrivateDnsZoneId\": \"privatelink.azurehdinsight.net\",\n \"azureIotCentralPrivateDnsZoneId\": \"privatelink.azureiotcentral.com\",\n \"azureIotDeviceupdatePrivateDnsZoneId\": \"privatelink.azure-devices.net\",\n \"azureIotHubsPrivateDnsZoneId\": \"privatelink.azure-devices.net\",\n \"azureIotPrivateDnsZoneId\": \"privatelink.azure-devices-provisioning.net\",\n \"azureKeyVaultPrivateDnsZoneId\": \"privatelink.vaultcore.azure.net\",\n \"azureKubernetesManagementPrivateDnsZoneId\": \"privatelink.{regionName}.azmk8s.io\",\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": \"privatelink.api.azureml.ms\",\n \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\": \"privatelink.notebooks.azure.net\",\n \"azureManagedGrafanaWorkspacePrivateDnsZoneId\": \"privatelink.grafana.azure.com\",\n \"azureMediaServicesKeyPrivateDnsZoneId\": \"privatelink.media.azure.net\",\n \"azureMediaServicesLivePrivateDnsZoneId\": \"privatelink.media.azure.net\",\n \"azureMediaServicesStreamPrivateDnsZoneId\": \"privatelink.media.azure.net\",\n \"azureMigratePrivateDnsZoneId\": \"privatelink.prod.migration.windowsazure.com\",\n \"azureMonitorPrivateDnsZoneId1\": \"privatelink.monitor.azure.com\",\n \"azureMonitorPrivateDnsZoneId2\": \"privatelink.oms.opinsights.azure.com\",\n \"azureMonitorPrivateDnsZoneId3\": \"privatelink.ods.opinsights.azure.com\",\n \"azureMonitorPrivateDnsZoneId4\": \"privatelink.agentsvc.azure-automation.net\",\n \"azureMonitorPrivateDnsZoneId5\": \"privatelink.blob.core.windows.net\",\n \"azureRedisCachePrivateDnsZoneId\": \"privatelink.redis.cache.windows.net\",\n \"azureServiceBusNamespacePrivateDnsZoneId\": \"privatelink.servicebus.windows.net\",\n \"azureSignalRPrivateDnsZoneId\": \"privatelink.service.signalr.net\",\n \"azureSiteRecoveryBackupPrivateDnsZoneId\": \"privatelink.{regionCode}.backup.windowsazure.com\",\n \"azureSiteRecoveryBlobPrivateDnsZoneId\": \"privatelink.blob.core.windows.net\",\n \"azureSiteRecoveryQueuePrivateDnsZoneId\": \"privatelink.queue.core.windows.net\",\n \"azureStorageBlobPrivateDnsZoneId\": \"privatelink.blob.core.windows.net\",\n \"azureStorageBlobSecPrivateDnsZoneId\": \"privatelink.blob.core.windows.net\",\n \"azureStorageDFSPrivateDnsZoneId\": \"privatelink.dfs.core.windows.net\",\n \"azureStorageDFSSecPrivateDnsZoneId\": \"privatelink.dfs.core.windows.net\",\n \"azureStorageFilePrivateDnsZoneId\": \"privatelink.file.core.windows.net\",\n \"azureStorageQueuePrivateDnsZoneId\": \"privatelink.queue.core.windows.net\",\n \"azureStorageQueueSecPrivateDnsZoneId\": \"privatelink.queue.core.windows.net\",\n \"azureStorageStaticWebPrivateDnsZoneId\": \"privatelink.web.core.windows.net\",\n \"azureStorageStaticWebSecPrivateDnsZoneId\": \"privatelink.web.core.windows.net\",\n \"azureStorageTablePrivateDnsZoneId\": \"privatelink.table.core.windows.net\",\n \"azureStorageTableSecondaryPrivateDnsZoneId\": \"privatelink.table.core.windows.net\",\n \"azureSynapseDevPrivateDnsZoneId\": \"privatelink.dev.azuresynapse.net\",\n \"azureSynapseSQLPrivateDnsZoneId\": \"privatelink.sql.azuresynapse.net\",\n \"azureSynapseSQLODPrivateDnsZoneId\": \"privatelink.sql.azuresynapse.net\",\n \"azureVirtualDesktopHostpoolPrivateDnsZoneId\": \"privatelink.wvd.microsoft.com\",\n \"azureVirtualDesktopWorkspacePrivateDnsZoneId\": \"privatelink.wvd.microsoft.com\",\n \"azureWebPrivateDnsZoneId\": \"privatelink.webpubsub.azure.com\"\n },\n \"metadata\": {\n \"displayName\": \"DNS Zone Names\",\n \"description\": \"The list of private DNS zone names to be used for the Azure PaaS services.\"\n }\n },\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationWebhookPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationWebhookPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationDSCHybridPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationDSCHybridPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosMongoPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosMongoPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosCassandraPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosCassandraPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosGremlinPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosGremlinPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPortalPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPortalPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDatabricksPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDatabricksPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureHDInsightPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureHDInsightPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMigratePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMigratePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageBlobPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageBlobPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageBlobSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageBlobSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageQueuePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageQueuePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageQueueSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageQueueSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageStaticWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageStaticWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageStaticWebSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageStaticWebSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageDFSPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageDFSPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageDFSSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageDFSSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLODPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLODPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseDevPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseDevPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesKeyPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesKeyPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesLivePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesLivePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesStreamPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesStreamPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId1\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId1\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId2\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId2\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId3\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId3\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId4\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId4\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId5\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId5\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBotServicePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBotServicePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureManagedGrafanaWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureManagedGrafanaWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopHostpoolPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopHostpoolPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotDeviceupdatePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotDeviceupdatePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureArcGuestconfigurationPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureArcGuestconfigurationPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureArcHybridResourceProviderPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureArcHybridResourceProviderPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureArcKubernetesConfigurationPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureArcKubernetesConfigurationPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotCentralPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotCentralPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTableSecondaryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTableSecondaryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBackupPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBackupPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBlobPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBlobPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryQueuePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryQueuePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureFilePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureFilePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-Webhook\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAutomationWebhookPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAutomationWebhookPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Webhook\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-DSCHybrid\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAutomationDSCHybridPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAutomationDSCHybridPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"DSCAndHybridWorker\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCosmosSQLPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCosmosSQLPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"SQL\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-MongoDB\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCosmosMongoPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCosmosMongoPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"MongoDB\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Cassandra\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCosmosCassandraPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCosmosCassandraPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Cassandra\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Gremlin\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCosmosGremlinPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCosmosGremlinPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Gremlin\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCosmosTablePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCosmosTablePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Table\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureDataFactoryPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureDataFactoryPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"dataFactory\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory-Portal\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureDataFactoryPortalPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureDataFactoryPortalPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"portal\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Databricks-UI-Api\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureDatabricksPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureDatabricksPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"groupId\": {\n \"value\": \"databricks_ui_api\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Databricks-Browser-AuthN\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureDatabricksPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureDatabricksPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"groupId\": {\n \"value\": \"browser_authentication\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-HDInsight\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43d6e3bd-fc6a-4b44-8b4d-2151d8736a11\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureHDInsightPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureHDInsightPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"groupId\": {\n \"value\": \"cluster\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Migrate\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7590a335-57cf-4c95-babd-ecbc8fafeb1f\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMigratePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMigratePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75973700-529f-4de2-b794-fb9b6781b6b0\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageBlobPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageBlobPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d847d34b-9337-4e2d-99a5-767e5ac9c582\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageBlobSecPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageBlobSecPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bcff79fb-2b0d-47c9-97e5-3023479b00d1\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageQueuePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageQueuePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageQueueSecPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageQueueSecPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-File\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6df98d03-368a-4438-8730-a93c4d7693d6\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageFilePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageFilePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9adab2a5-05ba-4fbd-831a-5bf958d04218\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageStaticWebPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageStaticWebPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d19ae5f1-b303-4b82-9ca8-7682749faf0c\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageStaticWebSecPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageStaticWebSecPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83c6fe0f-2316-444a-99a1-1ecd8a7872ca\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageDFSPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageDFSPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/90bd4cb3-9f59-45f7-a6ca-f69db2726671\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageDFSSecPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageDFSSecPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSynapseSQLPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSynapseSQLPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"targetSubResource\": {\n \"value\": \"Sql\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL-OnDemand\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSynapseSQLODPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSynapseSQLODPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"targetSubResource\": {\n \"value\": \"SqlOnDemand\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-Dev\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSynapseDevPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSynapseDevPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"targetSubResource\": {\n \"value\": \"Dev\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Key\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMediaServicesKeyPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMediaServicesKeyPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"groupId\": {\n \"value\": \"keydelivery\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Live\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMediaServicesLivePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMediaServicesLivePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"groupId\": {\n \"value\": \"liveevent\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Stream\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMediaServicesStreamPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMediaServicesStreamPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"groupId\": {\n \"value\": \"streamingendpoint\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Monitor\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/437914ee-c176-4fff-8986-7e05eb971365\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId1\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMonitorPrivateDnsZoneId1'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMonitorPrivateDnsZoneId1, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZoneId2\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMonitorPrivateDnsZoneId2'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMonitorPrivateDnsZoneId2, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZoneId3\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMonitorPrivateDnsZoneId3'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMonitorPrivateDnsZoneId3, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZoneId4\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMonitorPrivateDnsZoneId4'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMonitorPrivateDnsZoneId4, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZoneId5\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMonitorPrivateDnsZoneId5'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMonitorPrivateDnsZoneId5, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Web\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureWebPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureWebPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureBatchPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureBatchPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAppPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAppPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAsrPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAsrPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureIotPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureIotPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureKeyVaultPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureKeyVaultPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSignalRPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSignalRPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAppServicesPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAppServicesPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureEventGridTopicsPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureEventGridTopicsPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureDiskAccessPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureDiskAccessPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCognitiveServicesPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCognitiveServicesPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureIotHubsPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureIotHubsPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureEventGridDomainsPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureEventGridDomainsPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureRedisCachePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureRedisCachePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAcrPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAcrPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureEventHubNamespacePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureEventHubNamespacePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMachineLearningWorkspacePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMachineLearningWorkspacePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"secondPrivateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMachineLearningWorkspaceSecondPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMachineLearningWorkspaceSecondPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureServiceBusNamespacePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureServiceBusNamespacePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCognitiveSearchPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCognitiveSearchPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-BotService\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6a4e6f44-f2af-4082-9702-033c9e88b9f8\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureBotServicePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureBotServicePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ManagedGrafanaWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4c8537f8-cd1b-49ec-b704-18e82a42fd58\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureManagedGrafanaWorkspacePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureManagedGrafanaWorkspacePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopHostpool\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9427df23-0f42-4e1e-bf99-a6133d841c4a\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureVirtualDesktopHostpoolPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureVirtualDesktopHostpoolPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"connection\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34804460-d88b-4922-a7ca-537165e060ed\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureVirtualDesktopWorkspacePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureVirtualDesktopWorkspacePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"feed\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTDeviceupdate\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a222b93a-e6c2-4c01-817f-21e092455b2a\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureIotDeviceupdatePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureIotDeviceupdatePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Arc\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55c4db33-97b0-437b-8469-c4f4498f5df9\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\":{\n \"privateDnsZoneIDForGuestConfiguration\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureArcGuestconfigurationPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureArcGuestconfigurationPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZoneIDForHybridResourceProvider\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureArcHybridResourceProviderPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureArcHybridResourceProviderPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZoneIDForKubernetesConfiguration\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureArcKubernetesConfigurationPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureArcKubernetesConfigurationPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTCentral\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d627d7c6-ded5-481a-8f2e-7e16b1e6faf6\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureIotCentralPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureIotCentralPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/028bbd88-e9b5-461f-9424-a1b63a7bee1a\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageTablePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageTablePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table-Secondary\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c1d634a5-f73d-4cdd-889f-2cc7006eb47f\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageTableSecondaryPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageTableSecondaryPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery-Backup\",\n \"policyDefinitionId\":\"/providers/Microsoft.Authorization/policyDefinitions/af783da1-4ad1-42be-800d-d19c70038820\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"parameters\":{\n \"privateDnsZone-Backup\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSiteRecoveryBackupPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSiteRecoveryBackupPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZone-Blob\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSiteRecoveryBlobPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSiteRecoveryBlobPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZone-Queue\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSiteRecoveryQueuePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSiteRecoveryQueuePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#43": "{\n \"name\": \"Enforce-Encryption-CMK\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"3.2.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"MySQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure MySQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"PostgreSQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure PostgreSQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"HealthcareAPIsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure API for FHIR should use a customer-managed key (CMK) to encrypt data at rest\",\n \"description\": \"Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n },\n \"AutomationAccountCmkEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"BackupCmkEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveSearchCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"osAndDataDiskCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerInstanceCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"eventHubPremiumCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusDenyCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlManagedCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageTableCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsEncryptionCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageQueueCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"botServiceCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"audit\",\n \"Deny\",\n \"deny\",\n \"Disabled\",\n \"disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HealthcareAPIsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('HealthcareAPIsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/56a5ee18-2ae6-4810-86f7-18e39ce5629b\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AutomationAccountCmkEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2e94d99a-8a36-4563-bc77-810d8893b671\",\n \"policyDefinitionReferenceId\": \"Deny-Backup-Cmk\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BackupCmkEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/76a56461-9dc0-40f0-82f5-2453283afa2f\",\n \"policyDefinitionReferenceId\": \"Deny-CognitiveSearch-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/702dd420-7fcc-42c5-afe8-4026edd20fe0\",\n \"policyDefinitionReferenceId\": \"Deny-OsAndDataDisk-Cmk\",\n \"definitionVersion\": \"3.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('osAndDataDiskCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0aa61e00-0a01-4a3c-9945-e93cffedf0e6\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerInstance-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerInstanceCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/81e74cea-30fd-40d5-802f-d72103c2aaaa\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec52d6d-beb7-40c4-9a9e-fe753254690e\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a1ad735a-e96f-45d2-a7b2-9a4932cab7ec\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-Premium-CMK\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Premium-CMK\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubPremiumCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/295fc8b1-dc9f-4f53-9c61-3f313ceab40a\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDenyCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac01ad65-10e5-46df-bdd9-6b0cad13e1d2\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Cmk\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7c322315-e26d-4174-a99e-f49d351b4688\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Table-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageTableCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b5ec538c-daa0-4006-8596-35468b9148e8\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Encryption-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsEncryptionCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e5abd0-2554-4736-b7c0-4ffef23475ef\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Queue-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageQueueCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/51522a96-0869-4791-82f3-981000c2c67f\",\n \"policyDefinitionReferenceId\": \"Deny-BotService-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('botServiceCmk')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#44": "{\n \"name\": \"Enforce-ACSB\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce Azure Compute Security Benchmark compliance auditing\",\n \"description\": \"Enforce Azure Compute Security Benchmark compliance auditing for Windows and Linux virtual machines.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Guest Configuration\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"includeArcMachines\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"true\",\n \"false\"\n ],\n \"metadata\": {\n \"displayName\": \"Include Arc connected servers\",\n \"description\": \"By selecting this option, you agree to be charged monthly per Arc connected machine.\"\n },\n \"defaultValue\": \"true\"\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"AuditIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"GcIdentity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e\",\n \"definitionVersion\": \"4.*.*\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"GcLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da\",\n \"definitionVersion\": \"3.*.*\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"GcWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WinAcsb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"IncludeArcMachines\": {\n \"value\": \"[[parameters('includeArcMachines')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LinAcsb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"IncludeArcMachines\": {\n \"value\": \"[[parameters('includeArcMachines')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#45": "{\n \"name\": \"Deploy-MDFC-DefenderSQL-AMA\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Configure SQL VM and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LAW\",\n \"description\": \"Initiative is deprecated as the built-in initiative now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/de01d381-bae9-4670-8870-786f89f49e26.html\",\n \"metadata\": {\n \"version\": \"1.0.1-deprecated\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"de01d381-bae9-4670-8870-786f89f49e26\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"workspaceRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace region\",\n \"description\": \"Region of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"location\"\n }\n },\n \"dcrName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Name\",\n \"description\": \"Name of the Data Collection Rule.\"\n }\n },\n \"dcrResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Resource Group\",\n \"description\": \"Resource Group of the Data Collection Rule.\"\n }\n },\n \"dcrId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Id\",\n \"description\": \"Id of the Data Collection Rule.\"\n }\n },\n \"userWorkspaceResourceId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace Resource Id\",\n \"description\": \"Workspace resource Id of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"Enable collection of SQL queries for security research\",\n \"description\": \"Enable or disable the collection of SQL queries for security research.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n },\n \"identityResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Identity Resource Group\",\n \"description\": \"The name of the resource group created by the policy.\"\n },\n \"defaultValue\": \"\"\n },\n \"userAssignedIdentityName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"User Assigned Managed Identity Name\",\n \"description\": \"The name of the user assigned managed identity.\"\n },\n \"defaultValue\": \"\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcAma\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3592ff98-9787-443a-af59-4505d0fe0786\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcMdsql\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/65503269-6a54-4553-8a28-0065a8e6d929\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcMdsqlDcr\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-Sql-DefenderSQL-DCR\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"userWorkspaceResourceId\": {\n \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcDcrAssociation\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-SQL-DCR-Association\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlAma\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-AMA\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"identityResourceGroup\": {\n \"value\": \"[[parameters('identityResourceGroup')]\"\n },\n \"userAssignedIdentityName\": {\n \"value\": \"[[parameters('userAssignedIdentityName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlMdsql\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlMdsqlDcr\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL-DCR\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"Disabled\"\n },\n \"userWorkspaceResourceId\": {\n \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#46": "{\n \"name\": \"Enforce-Backup\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce enhanced recovery and backup policies\",\n \"description\": \"Enforce enhanced recovery and backup policies on assigned scopes.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Backup\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"version\": \"1.0.0\",\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"checkLockedImmutabilityOnly\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"checkLockedImmutabilityOnly\",\n \"description\": \"This parameter checks if Immutability is locked for Backup Vaults in scope. Selecting 'true' will mark only vaults with Immutability 'Locked' as compliant. Selecting 'false' will mark vaults that have Immutability either 'Enabled' or 'Locked' as compliant.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"CheckAlwaysOnSoftDeleteOnly\",\n \"description\": \"This parameter checks if Soft Delete is 'Locked' for Backup Vaults in scope. Selecting 'true' will mark only vaults with Soft Delete 'AlwaysOn' as compliant. Selecting 'false' will mark vaults that have Soft Delete either 'On' or 'AlwaysOn' as compliant.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-Immutability\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2514263b-bc0d-4b06-ac3e-f262c0979018\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkLockedImmutabiltyOnly\": {\n \"value\": \"[[parameters('checkLockedImmutabilityOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-Immutability\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6f6f560-14b7-49a4-9fc8-d2c3a9807868\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkLockedImmutabilityOnly\": {\n \"value\": \"[[parameters('checkLockedImmutabilityOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-SoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9798d31d-6028-4dee-8643-46102185c016\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"value\": \"[[parameters('checkAlwaysOnSoftDeleteOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-SoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/31b8092a-36b8-434b-9af7-5ec844364148\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"value\": \"[[parameters('checkAlwaysOnSoftDeleteOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-MUA\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c58e083e-7982-4e24-afdc-be14d312389e\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-MUA\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c7031eab-0fc0-4cd9-acd0-4497bd66d91a\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#47": "{\n \"name\": \"Deny-PublicPaaSEndpoints\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registires with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MariaDbPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-KeyVaultPaasPublicIP\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AFSPaasPublicIP\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#48": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VWanS2SVPNGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#49": "{\n \"name\": \"Deploy-MDFC-Config\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"3.0.1\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\":{\n \"value\":\"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#5": "{\n \"name\": \"Enforce-EncryptTransit_20240509\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit_20241211.html \",\n \"metadata\": {\n \"version\": \"1.2.0-deprecated\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Enforce-EncryptTransit\", \n \"deprecated\": true,\n \"supersededBy\": \"Enforce-EncryptTransit_20241211\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.3\",\n \"1.2\",\n \"1.1\",\n \"1.0\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionAppTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Configure Function apps to use the latest TLS version.\",\n \"description\": \"App Service Function App. Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.\"\n },\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"LogicAppTlsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageMinimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"ContainerAppsHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"logicAppHttpsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubMinTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlDbTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"definitionVersion\": \"8.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Dine-FunctionApp-Tls\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-LogicApp-TLS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('LogicAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https\",\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Without-Https\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppHttpsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063\",\n \"policyDefinitionReferenceId\": \"Dine-Function-Apps-Slots-Tls\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Tls\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Apps-Https\",\n \"definitionVersion\": \"4.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Tls\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-AppSlotTls\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71\",\n \"policyDefinitionReferenceId\": \"Deny-FuncAppSlots-Https\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\n \"policyDefinitionReferenceId\": \"Deny-FunctionApp-Https\",\n \"definitionVersion\": \"5.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Https\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Https\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-minTLS\",\n \"policyDefinitionReferenceId\": \"Deny-EH-minTLS\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubMinTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8793640-60f7-487c-b5c3-1d37215905c4\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Tls-Version\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Db-Tls\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlDbTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Tls\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tls-Version\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTlsVersion')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#50": "{\n \"name\": \"Deploy-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"Deploy-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-File-Sync\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-Private-DNS-Azure-Web\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-Web\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureWebPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-KeyVault\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#51": "{\n \"name\": \"Enforce-Encryption-CMK\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"MySQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure MySQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"PostgreSQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure PostgreSQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n\t \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQLCMKEffect\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQLCMKEffect\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#52": "{\n \"name\": \"Deny-PublicPaaSEndpoints\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registires with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MariaDbPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#53": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VWanS2SVPNGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#54": "{\n \"name\": \"Deploy-MDFC-Config\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"3.0.1\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForDns\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForArm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForStorage\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForStorageAccounts\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForStorage')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForDns\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForDns')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForArm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForArm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\":{\n \"value\":\"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#55": "{\n \"name\": \"Deploy-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#56": "{\n \"name\": \"Enforce-Encryption-CMK\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n\t \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#6": "{\n \"name\": \"Enforce-EncryptTransit_20241211\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit.\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Enforce-EncryptTransit_20240509\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.3\",\n \"1.2\",\n \"1.1\",\n \"1.0\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionAppTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Configure Function apps to use the latest TLS version.\",\n \"description\": \"App Service Function App. Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.\"\n },\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"LogicAppTlsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageMinimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"ContainerAppsHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"logicAppHttpsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubMinTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlDbTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"definitionVersion\": \"8.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Dine-FunctionApp-Tls\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-LogicApp-TLS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('LogicAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https\",\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Without-Https\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppHttpsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063\",\n \"policyDefinitionReferenceId\": \"Dine-Function-Apps-Slots-Tls\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Tls\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Apps-Https\",\n \"definitionVersion\": \"4.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Tls\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-AppSlotTls\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71\",\n \"policyDefinitionReferenceId\": \"Deny-FuncAppSlots-Https\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\n \"policyDefinitionReferenceId\": \"Deny-FunctionApp-Https\",\n \"definitionVersion\": \"5.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Https\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-minTLS\",\n \"policyDefinitionReferenceId\": \"Deny-EH-minTLS\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubMinTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8793640-60f7-487c-b5c3-1d37215905c4\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Tls-Version\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Db-Tls\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlDbTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Tls\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tls-Version\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTlsVersion')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#7": "{\n \"name\": \"Enforce-ALZ-Decomm\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce policies in the Decommissioned Landing Zone\",\n \"description\": \"Enforce policies in the Decommissioned Landing Zone.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Decommissioned\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [ \n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"listOfResourceTypesAllowed\":{\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"displayName\": \"Allowed resource types in the Decommissioned landing zone\",\n \"description\": \"Allowed resource types in the Decommissioned landing zone, default is none.\",\n \"strongType\": \"resourceTypes\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DecomDenyResources\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"listOfResourceTypesAllowed\": {\n \"value\": \"[[parameters('listOfResourceTypesAllowed')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DecomShutdownMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {},\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n }\n ", + "$fxv#8": "{\n \"name\": \"Enforce-ALZ-Sandbox\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce policies in the Sandbox Landing Zone\",\n \"description\": \"Enforce policies in the Sandbox Landing Zone.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Sandbox\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"listOfResourceTypesNotAllowed\": {\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"displayName\": \"Not allowed resource types in the Sandbox landing zone\",\n \"description\": \"Not allowed resource types in the Sandbox landing zone, default is none.\",\n \"strongType\": \"resourceTypes\"\n }\n },\n \"effectNotAllowedResources\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectDenyVnetPeering\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"SandboxNotAllowed\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectNotAllowedResources')]\"\n },\n \"listOfResourceTypesNotAllowed\": {\n \"value\": \"[[parameters('listOfResourceTypesNotAllowed')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SandboxDenyVnetPeering\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-VNET-Peer-Cross-Sub\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectDenyVnetPeering')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#9": "{\n \"name\": \"DenyAction-DeleteProtection\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"DenyAction Delete - Activity Log Settings and Diagnostic Settings\",\n \"description\": \"Enforces DenyAction - Delete on Activity Log Settings and Diagnostic Settings.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {},\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DenyActionDelete-DiagnosticSettings\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-DiagnosticLogs\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DenyActionDelete-ActivityLogSettings\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-ActivityLogs\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {},\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "cloudEnv": "[environment().name]", "defaultDeploymentLocationByCloudType": { "AzureCloud": "northeurope", @@ -181,10 +182,10 @@ "[variables('$fxv#33')]", "[variables('$fxv#34')]", "[variables('$fxv#35')]", - "[variables('$fxv#36')]" + "[variables('$fxv#36')]", + "[variables('$fxv#37')]" ], "AzureCloud": [ - "[variables('$fxv#37')]", "[variables('$fxv#38')]", "[variables('$fxv#39')]", "[variables('$fxv#40')]", @@ -192,21 +193,22 @@ "[variables('$fxv#42')]", "[variables('$fxv#43')]", "[variables('$fxv#44')]", - "[variables('$fxv#45')]" + "[variables('$fxv#45')]", + "[variables('$fxv#46')]" ], "AzureChinaCloud": [ - "[variables('$fxv#46')]", "[variables('$fxv#47')]", "[variables('$fxv#48')]", "[variables('$fxv#49')]", - "[variables('$fxv#50')]" + "[variables('$fxv#50')]", + "[variables('$fxv#51')]" ], "AzureUSGovernment": [ - "[variables('$fxv#51')]", "[variables('$fxv#52')]", "[variables('$fxv#53')]", "[variables('$fxv#54')]", - "[variables('$fxv#55')]" + "[variables('$fxv#55')]", + "[variables('$fxv#56')]" ] }, "policySetDefinitionsByCloudType": { diff --git a/eslzArm/managementGroupTemplates/roleDefinitions/customRoleDefinitions.json b/eslzArm/managementGroupTemplates/roleDefinitions/customRoleDefinitions.json index 6c8ce646a2..888d40839c 100644 --- a/eslzArm/managementGroupTemplates/roleDefinitions/customRoleDefinitions.json +++ b/eslzArm/managementGroupTemplates/roleDefinitions/customRoleDefinitions.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "12429908550017328445" + "version": "0.31.34.60546", + "templateHash": "2651717388759682217" } }, "variables": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509.json index e9a9a8af65..72d558b49b 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509.json @@ -5,13 +5,15 @@ "scope": null, "properties": { "policyType": "Custom", - "displayName": "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit", - "description": "Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. ", + "displayName": "[Deprecated]: Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit", + "description": "Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit_20241211.html ", "metadata": { - "version": "1.2.0", + "version": "1.2.0-deprecated", "category": "Encryption", "source": "https://github.com/Azure/Enterprise-Scale/", - "replacesPolicy": "Enforce-EncryptTransit", + "replacesPolicy": "Enforce-EncryptTransit", + "deprecated": true, + "supersededBy": "Enforce-EncryptTransit_20241211", "alzCloudEnvironments": [ "AzureCloud", "AzureChinaCloud", diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20241211.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20241211.json new file mode 100644 index 0000000000..55e1b8c2b8 --- /dev/null +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20241211.json @@ -0,0 +1,956 @@ +{ + "name": "Enforce-EncryptTransit_20241211", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit", + "description": "Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit.", + "metadata": { + "version": "1.2.0", + "category": "Encryption", + "source": "https://github.com/Azure/Enterprise-Scale/", + "replacesPolicy": "Enforce-EncryptTransit_20240509", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "AppServiceHttpEffect": { + "type": "String", + "defaultValue": "Append", + "allowedValues": [ + "Append", + "Disabled" + ], + "metadata": { + "displayName": "App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below", + "description": "Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny." + } + }, + "AppServiceTlsVersionEffect": { + "type": "String", + "defaultValue": "Append", + "allowedValues": [ + "Append", + "Disabled" + ], + "metadata": { + "displayName": "App Service. Appends the AppService WebApp, APIApp, Function App to enable https only", + "description": "App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny." + } + }, + "AppServiceminTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.3", + "1.2", + "1.1", + "1.0" + ], + "metadata": { + "displayName": "App Service. Select version minimum TLS Web App config", + "description": "App Service. Select version minimum TLS version for a Web App config to enforce" + } + }, + "APIAppServiceHttpsEffect": { + "metadata": { + "displayName": "App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.", + "description": "Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "FunctionLatestTlsEffect": { + "metadata": { + "displayName": "App Service Function App. Latest TLS version should be used in your Function App", + "description": "Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version." + }, + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "FunctionServiceHttpsEffect": { + "metadata": { + "displayName": "App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.", + "description": "App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "FunctionAppTlsEffect": { + "metadata": { + "displayName": "App Service Function App. Configure Function apps to use the latest TLS version.", + "description": "App Service Function App. Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version." + }, + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "LogicAppTlsEffect": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "WebAppServiceLatestTlsEffect": { + "metadata": { + "displayName": "App Service Web App. Latest TLS version should be used in your Web App", + "description": "Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version." + }, + "type": "String", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "WebAppServiceHttpsEffect": { + "metadata": { + "displayName": "App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.", + "description": "Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "AKSIngressHttpsOnlyEffect": { + "metadata": { + "displayName": "AKS Service. Enforce HTTPS ingress in Kubernetes cluster", + "description": "This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc." + }, + "type": "String", + "defaultValue": "deny", + "allowedValues": [ + "audit", + "deny", + "disabled" + ] + }, + "MySQLEnableSSLDeployEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server", + "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + } + }, + "MySQLEnableSSLEffect": { + "metadata": { + "displayName": "MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers", + "description": "Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "MySQLminimalTlsVersion": { + "type": "String", + "defaultValue": "TLS1_2", + "allowedValues": [ + "TLS1_2", + "TLS1_0", + "TLS1_1", + "TLSEnforcementDisabled" + ], + "metadata": { + "displayName": "MySQL database servers. Select version minimum TLS for MySQL server", + "description": "Select version minimum TLS version Azure Database for MySQL server to enforce" + } + }, + "PostgreSQLEnableSSLDeployEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server", + "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + } + }, + "PostgreSQLEnableSSLEffect": { + "metadata": { + "displayName": "PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers", + "description": "Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "PostgreSQLminimalTlsVersion": { + "type": "String", + "defaultValue": "TLS1_2", + "allowedValues": [ + "TLS1_2", + "TLS1_0", + "TLS1_1", + "TLSEnforcementDisabled" + ], + "metadata": { + "displayName": "PostgreSQL database servers. Select version minimum TLS for MySQL server", + "description": "PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce" + } + }, + "RedisTLSDeployEffect": { + "type": "String", + "defaultValue": "Append", + "allowedValues": [ + "Append", + "Disabled" + ], + "metadata": { + "displayName": "Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis", + "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + } + }, + "RedisMinTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.0", + "1.1" + ], + "metadata": { + "displayName": "Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis", + "description": "Select version minimum TLS version for a Azure Cache for Redis to enforce" + } + }, + "RedisTLSEffect": { + "metadata": { + "displayName": "Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled", + "description": "Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "SQLManagedInstanceTLSDeployEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers", + "description": "Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + } + }, + "SQLManagedInstanceMinTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.0", + "1.1" + ], + "metadata": { + "displayName": "Azure Managed Instance.Select version minimum TLS for Azure Managed Instance", + "description": "Select version minimum TLS version for Azure Managed Instanceto to enforce" + } + }, + "SQLManagedInstanceTLSEffect": { + "metadata": { + "displayName": "SQL Managed Instance should have the minimal TLS version of 1.2", + "description": "Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "SQLServerTLSDeployEffect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers", + "description": "Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server." + } + }, + "SQLServerminTlsVersion": { + "type": "String", + "defaultValue": "1.2", + "allowedValues": [ + "1.2", + "1.0", + "1.1" + ], + "metadata": { + "displayName": "Azure SQL Database.Select version minimum TLS for Azure SQL Database", + "description": "Select version minimum TLS version for Azure SQL Database to enforce" + } + }, + "SQLServerTLSEffect": { + "metadata": { + "displayName": "Azure SQL Database should have the minimal TLS version of 1.2", + "description": "Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities." + }, + "type": "String", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled", + "Deny" + ] + }, + "StorageDeployHttpsEnabledEffect": { + "metadata": { + "displayName": "Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled", + "description": "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking" + }, + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "StorageMinimumTlsVersion": { + "type": "String", + "defaultValue": "TLS1_2", + "allowedValues": [ + "TLS1_2", + "TLS1_1", + "TLS1_0" + ], + "metadata": { + "displayName": "Storage Account select minimum TLS version", + "description": "Select version minimum TLS version on Azure Storage Account to enforce" + } + }, + "ContainerAppsHttpsOnlyEffect": { + "metadata": { + "displayName": "Container Apps should only be accessible over HTTPS", + "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps." + }, + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "logicAppHttpsEffect": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "appServiceAppsTls": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "functionAppSlotsTls": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "appServiceAppsHttps": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "appServiceTls": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "appServiceAppSlotTls": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "functionAppSlotsHttps": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "functionAppHttps": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "appServiceAppSlotsHttps": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "eventHubMinTls": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "sqlManagedTlsVersion": { + "type": "string", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ] + }, + "sqlDbTls": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "storageAccountsTls": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "synapseTlsVersion": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "AppServiceHttpEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[[parameters('AppServiceHttpEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AppServiceminTlsVersion", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[[parameters('AppServiceTlsVersionEffect')]" + }, + "minTlsVersion": { + "value": "[[parameters('AppServiceminTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "FunctionLatestTlsEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193", + "definitionVersion": "2.*.*", + "parameters": { + "effect": { + "value": "[[parameters('FunctionLatestTlsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "WebAppServiceLatestTlsEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b", + "definitionVersion": "2.*.*", + "parameters": { + "effect": { + "value": "[[parameters('WebAppServiceLatestTlsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "APIAppServiceHttpsEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[[parameters('APIAppServiceHttpsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "FunctionServiceHttpsEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[[parameters('FunctionServiceHttpsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "WebAppServiceHttpsEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[[parameters('WebAppServiceHttpsEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "AKSIngressHttpsOnlyEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d", + "definitionVersion": "8.*.*", + "parameters": { + "effect": { + "value": "[[parameters('AKSIngressHttpsOnlyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "MySQLEnableSSLDeployEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[[parameters('MySQLEnableSSLDeployEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('MySQLminimalTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "MySQLEnableSSLEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[[parameters('MySQLEnableSSLEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('MySQLminimalTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "PostgreSQLEnableSSLDeployEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[[parameters('PostgreSQLEnableSSLDeployEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('PostgreSQLminimalTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "PostgreSQLEnableSSLEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[[parameters('PostgreSQLEnableSSLEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('PostgreSQLminimalTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "RedisTLSDeployEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[[parameters('RedisTLSDeployEffect')]" + }, + "minimumTlsVersion": { + "value": "[[parameters('RedisMinTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "RedisdisableNonSslPort", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[[parameters('RedisTLSDeployEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "RedisDenyhttps", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[[parameters('RedisTLSEffect')]" + }, + "minimumTlsVersion": { + "value": "[[parameters('RedisMinTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SQLManagedInstanceTLSDeployEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[[parameters('SQLManagedInstanceTLSDeployEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('SQLManagedInstanceMinTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SQLManagedInstanceTLSEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[[parameters('SQLManagedInstanceTLSEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('SQLManagedInstanceMinTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SQLServerTLSDeployEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[[parameters('SQLServerTLSDeployEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('SQLServerminTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "SQLServerTLSEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[[parameters('SQLServerTLSEffect')]" + }, + "minimalTlsVersion": { + "value": "[[parameters('SQLServerminTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "StorageDeployHttpsEnabledEffect", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[[parameters('StorageDeployHttpsEnabledEffect')]" + }, + "minimumTlsVersion": { + "value": "[[parameters('StorageMinimumTlsVersion')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "ContainerAppsHttpsOnlyEffect", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb", + "definitionVersion": "1.*.*", + "parameters": { + "effect": { + "value": "[[parameters('ContainerAppsHttpsOnlyEffect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Dine-FunctionApp-Tls", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0", + "definitionVersion": "1.*.*", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('FunctionAppTlsEffect')]" + } + } + }, + { + "policyDefinitionReferenceId": "Deploy-LogicApp-TLS", + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS", + "definitionVersion": "1.*.*", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('LogicAppTlsEffect')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https", + "policyDefinitionReferenceId": "Deny-LogicApp-Without-Https", + "definitionVersion": "1.*.*", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('logicAppHttpsEffect')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063", + "policyDefinitionReferenceId": "Dine-Function-Apps-Slots-Tls", + "definitionVersion": "1.*.*", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('functionAppSlotsTls')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d", + "policyDefinitionReferenceId": "Dine-AppService-Apps-Tls", + "definitionVersion": "1.*.*", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppsTls')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d", + "policyDefinitionReferenceId": "Deny-AppService-Apps-Https", + "definitionVersion": "4.*.*", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppsHttps')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50", + "policyDefinitionReferenceId": "Deny-AppService-Tls", + "definitionVersion": "2.*.*", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('appServiceTls')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df", + "policyDefinitionReferenceId": "DINE-AppService-AppSlotTls", + "definitionVersion": "1.*.*", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppSlotTls')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71", + "policyDefinitionReferenceId": "Deny-FuncAppSlots-Https", + "definitionVersion": "2.*.*", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('functionAppSlotsHttps')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab", + "policyDefinitionReferenceId": "Deny-FunctionApp-Https", + "definitionVersion": "5.*.*", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('functionAppHttps')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc", + "policyDefinitionReferenceId": "Deny-AppService-Slots-Https", + "definitionVersion": "2.*.*", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppSlotsHttps')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-minTLS", + "policyDefinitionReferenceId": "Deny-EH-minTLS", + "definitionVersion": "1.*.*", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('eventHubMinTls')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a8793640-60f7-487c-b5c3-1d37215905c4", + "policyDefinitionReferenceId": "Deny-Sql-Managed-Tls-Version", + "definitionVersion": "1.*.*", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('sqlManagedTlsVersion')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf", + "policyDefinitionReferenceId": "Deny-Sql-Db-Tls", + "definitionVersion": "2.*.*", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('sqlDbTls')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0", + "policyDefinitionReferenceId": "Deny-Storage-Tls", + "definitionVersion": "1.*.*", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('storageAccountsTls')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4", + "policyDefinitionReferenceId": "Deny-Synapse-Tls-Version", + "definitionVersion": "1.*.*", + "groupNames": [], + "parameters": { + "effect": { + "value": "[[parameters('synapseTlsVersion')]" + } + } + } + ], + "policyDefinitionGroups": null + } +} diff --git a/src/templates/initiatives.bicep b/src/templates/initiatives.bicep index c4a12a8d79..61fd2c41d1 100644 --- a/src/templates/initiatives.bicep +++ b/src/templates/initiatives.bicep @@ -39,6 +39,7 @@ var loadPolicySetDefinitions = { loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-Sql-Security_20240529.json') loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit.json') loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509.json') + loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20241211.json') loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Decomm.json') loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Sandbox.json') loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/DenyAction-DeleteProtection.json') From 0abd56800813fa53b6a2335e3c595aaf4f05f3f2 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Thu, 16 Jan 2025 13:33:08 +0400 Subject: [PATCH 12/18] Updating assignment name (#1886) --- .../DENY-DINE-APPEND-TLS-SSL-PolicyAssignment.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENY-DINE-APPEND-TLS-SSL-PolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DENY-DINE-APPEND-TLS-SSL-PolicyAssignment.json index 6ab58e86dd..c164388d1d 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DENY-DINE-APPEND-TLS-SSL-PolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DENY-DINE-APPEND-TLS-SSL-PolicyAssignment.json @@ -26,7 +26,7 @@ "deployEncryptionInTransit": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20241211')]" }, "policyAssignmentNames": { - "deployEncryptionInTransit": "Enforce-TLS-SSL-H224", + "deployEncryptionInTransit": "Enforce-TLS-SSL-Q225", "description": "Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit.", "displayName": "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit" }, From d9eea1502685b1f8cf4f3cb140d7bfb5c962cd96 Mon Sep 17 00:00:00 2001 From: Matt White <16320656+matt-FFFFFF@users.noreply.github.com> Date: Fri, 17 Jan 2025 17:39:17 +0000 Subject: [PATCH 13/18] fix: add assignPermissions --- .../policyDefinitions/Deploy-Sql-vulnerabilityAssessments.json | 3 ++- .../Deploy-Sql-vulnerabilityAssessments_20230706.json | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments.json index 807f7299a8..68a319b49c 100644 --- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments.json +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments.json @@ -32,7 +32,8 @@ "type": "String", "metadata": { "description": "The storage account ID to store assessments", - "displayName": "The storage account ID to store assessments" + "displayName": "The storage account ID to store assessments", + "assignPermissions": true } }, "effect": { diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments_20230706.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments_20230706.json index 13b935a7c1..a209713db3 100644 --- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments_20230706.json +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments_20230706.json @@ -31,7 +31,8 @@ "type": "String", "metadata": { "description": "The storage account ID to store assessments", - "displayName": "The storage account ID to store assessments" + "displayName": "The storage account ID to store assessments", + "assignPermissions": true } }, "effect": { From e781147b4470e2e3054501e3774790e3cc63e41c Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Mon, 20 Jan 2025 16:28:27 +0400 Subject: [PATCH 14/18] Workload Specific Compliance - Audit Only (#1887) --- docs/wiki/Whats-new.md | 1 + eslzArm/eslz-portal.json | 162 +++++++++++++++++++++++++++++++------- eslzArm/eslzArm.json | 164 ++++++++++++++++++++++++++++++++------- 3 files changed, 272 insertions(+), 55 deletions(-) diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md index 18e736ffdd..7e68ccb818 100644 --- a/docs/wiki/Whats-new.md +++ b/docs/wiki/Whats-new.md @@ -65,6 +65,7 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones: - Updated initiative [Enforce-EncryptTransit_20240509](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit_20240509.html) `AppServiceMinTlsVersion` parameter to include TLS version 1.3 (as supported by the policy). - Removed duplicate policy assignment "Container Apps should only be accessible over HTTPS" from initiative [Enforce-EncryptTransit_20241211](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit_2024.html). Note, this is a breaking change, and existing assignments should be removed and re-assigned. - Added new custom policies [Audit-Tags-Mandatory](https://www.azadvertizer.net/azpolicyadvertizer/Audit-Tags-Mandatory.html) and [Audit-Tags-Mandatory-Rg](https://www.azadvertizer.net/azpolicyadvertizer/Audit-Tags-Mandatory-Rg.html) to support auditing for the existence of mandatory tags (based on an array of tags). Not assigned by default. +- Updated the Workload Specific Compliance initiative section in the portal accelerator to allow configuring `Audit Only` effect for workloads using the `DoNotEnforce` enforcement mode. ### December 2024 diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json index 1b8a4c7e9f..c078f69cbf 100644 --- a/eslzArm/eslz-portal.json +++ b/eslzArm/eslz-portal.json @@ -5393,6 +5393,10 @@ "label": "Yes", "value": "Yes" }, + { + "label": "Audit only", + "value": "Audit" + }, { "label": "No", "value": "No" @@ -5410,7 +5414,7 @@ "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, - "visible": "[equals(steps('workloadspecific').wlcCMK.enableWsCMKInitiatives, 'Yes')]", + "visible": "[not(equals(steps('workloadspecific').wlcCMK.enableWsCMKInitiatives, 'No'))]", "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], "constraints": { "allowedValues": [ @@ -5489,6 +5493,10 @@ "label": "Yes", "value": "Yes" }, + { + "label": "Audit only", + "value": "Audit" + }, { "label": "No", "value": "No" @@ -5506,7 +5514,7 @@ "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, - "visible": "[equals(steps('workloadspecific').wlcAIReady.enableWsBotServiceInitiatives, 'Yes')]", + "visible": "[not(equals(steps('workloadspecific').wlcAIReady.enableWsBotServiceInitiatives, 'No'))]", "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], "constraints": { "allowedValues": [ @@ -5577,6 +5585,10 @@ "label": "Yes", "value": "Yes" }, + { + "label": "Audit only", + "value": "Audit" + }, { "label": "No", "value": "No" @@ -5594,7 +5606,7 @@ "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, - "visible": "[equals(steps('workloadspecific').wlcAIReady.enableWsCognitiveServicesInitiatives, 'Yes')]", + "visible": "[not(equals(steps('workloadspecific').wlcAIReady.enableWsCognitiveServicesInitiatives, 'No'))]", "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], "constraints": { "allowedValues": [ @@ -5665,6 +5677,10 @@ "label": "Yes", "value": "Yes" }, + { + "label": "Audit only", + "value": "Audit" + }, { "label": "No", "value": "No" @@ -5682,7 +5698,7 @@ "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, - "visible": "[equals(steps('workloadspecific').wlcAIReady.enableWsMachineLearningInitiatives, 'Yes')]", + "visible": "[not(equals(steps('workloadspecific').wlcAIReady.enableWsMachineLearningInitiatives, 'No'))]", "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], "constraints": { "allowedValues": [ @@ -5753,6 +5769,10 @@ "label": "Yes", "value": "Yes" }, + { + "label": "Audit only", + "value": "Audit" + }, { "label": "No", "value": "No" @@ -5770,7 +5790,7 @@ "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, - "visible": "[equals(steps('workloadspecific').wlcAIReady.enableWsOpenAIInitiatives, 'Yes')]", + "visible": "[not(equals(steps('workloadspecific').wlcAIReady.enableWsOpenAIInitiatives, 'No'))]", "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], "constraints": { "allowedValues": [ @@ -5850,6 +5870,10 @@ "label": "Yes", "value": "Yes" }, + { + "label": "Audit only", + "value": "Audit" + }, { "label": "No", "value": "No" @@ -5867,7 +5891,7 @@ "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, - "visible": "[equals(steps('workloadspecific').enableWsDataExplorerInitiatives, 'Yes')]", + "visible": "[not(equals(steps('workloadspecific').enableWsDataExplorerInitiatives, 'No'))]", "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], "constraints": { "allowedValues": [ @@ -5938,6 +5962,10 @@ "label": "Yes", "value": "Yes" }, + { + "label": "Audit only", + "value": "Audit" + }, { "label": "No", "value": "No" @@ -5955,7 +5983,7 @@ "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, - "visible": "[equals(steps('workloadspecific').enableWsDataFactoryInitiatives, 'Yes')]", + "visible": "[not(equals(steps('workloadspecific').enableWsDataFactoryInitiatives, 'No'))]", "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], "constraints": { "allowedValues": [ @@ -6026,6 +6054,10 @@ "label": "Yes", "value": "Yes" }, + { + "label": "Audit only", + "value": "Audit" + }, { "label": "No", "value": "No" @@ -6043,7 +6075,7 @@ "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, - "visible": "[equals(steps('workloadspecific').enableWsSynapseInitiatives, 'Yes')]", + "visible": "[not(equals(steps('workloadspecific').enableWsSynapseInitiatives, 'No'))]", "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], "constraints": { "allowedValues": [ @@ -6120,6 +6152,10 @@ "label": "Yes", "value": "Yes" }, + { + "label": "Audit only", + "value": "Audit" + }, { "label": "No", "value": "No" @@ -6137,7 +6173,7 @@ "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, - "visible": "[equals(steps('workloadspecific').enableWsComputeInitiatives, 'Yes')]", + "visible": "[not(equals(steps('workloadspecific').enableWsComputeInitiatives, 'No'))]", "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], "constraints": { "allowedValues": [ @@ -6208,6 +6244,10 @@ "label": "Yes", "value": "Yes" }, + { + "label": "Audit only", + "value": "Audit" + }, { "label": "No", "value": "No" @@ -6225,7 +6265,7 @@ "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, - "visible": "[equals(steps('workloadspecific').enableWsVirtualDesktopInitiatives, 'Yes')]", + "visible": "[not(equals(steps('workloadspecific').enableWsVirtualDesktopInitiatives, 'No'))]", "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], "constraints": { "allowedValues": [ @@ -6302,6 +6342,10 @@ "label": "Yes", "value": "Yes" }, + { + "label": "Audit only", + "value": "Audit" + }, { "label": "No", "value": "No" @@ -6319,7 +6363,7 @@ "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, - "visible": "[equals(steps('workloadspecific').enableWsContainerAppsInitiatives, 'Yes')]", + "visible": "[not(equals(steps('workloadspecific').enableWsContainerAppsInitiatives, 'No'))]", "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], "constraints": { "allowedValues": [ @@ -6390,6 +6434,10 @@ "label": "Yes", "value": "Yes" }, + { + "label": "Audit only", + "value": "Audit" + }, { "label": "No", "value": "No" @@ -6407,7 +6455,7 @@ "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, - "visible": "[equals(steps('workloadspecific').enableWsContainerInstanceInitiatives, 'Yes')]", + "visible": "[not(equals(steps('workloadspecific').enableWsContainerInstanceInitiatives, 'No'))]", "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], "constraints": { "allowedValues": [ @@ -6478,6 +6526,10 @@ "label": "Yes", "value": "Yes" }, + { + "label": "Audit only", + "value": "Audit" + }, { "label": "No", "value": "No" @@ -6495,7 +6547,7 @@ "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, - "visible": "[equals(steps('workloadspecific').enableWsContainerRegistryInitiatives, 'Yes')]", + "visible": "[not(equals(steps('workloadspecific').enableWsContainerRegistryInitiatives, 'No'))]", "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], "constraints": { "allowedValues": [ @@ -6566,6 +6618,10 @@ "label": "Yes", "value": "Yes" }, + { + "label": "Audit only", + "value": "Audit" + }, { "label": "No", "value": "No" @@ -6583,7 +6639,7 @@ "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, - "visible": "[equals(steps('workloadspecific').enableWsKubernetesInitiatives, 'Yes')]", + "visible": "[not(equals(steps('workloadspecific').enableWsKubernetesInitiatives, 'No'))]", "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], "constraints": { "allowedValues": [ @@ -6660,6 +6716,10 @@ "label": "Yes", "value": "Yes" }, + { + "label": "Audit only", + "value": "Audit" + }, { "label": "No", "value": "No" @@ -6677,7 +6737,7 @@ "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, - "visible": "[equals(steps('workloadspecific').enableWsCosmosDbInitiatives, 'Yes')]", + "visible": "[not(equals(steps('workloadspecific').enableWsCosmosDbInitiatives, 'No'))]", "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], "constraints": { "allowedValues": [ @@ -6748,6 +6808,10 @@ "label": "Yes", "value": "Yes" }, + { + "label": "Audit only", + "value": "Audit" + }, { "label": "No", "value": "No" @@ -6765,7 +6829,7 @@ "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, - "visible": "[equals(steps('workloadspecific').enableWsMySQLInitiatives, 'Yes')]", + "visible": "[not(equals(steps('workloadspecific').enableWsMySQLInitiatives, 'No'))]", "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], "constraints": { "allowedValues": [ @@ -6836,6 +6900,10 @@ "label": "Yes", "value": "Yes" }, + { + "label": "Audit only", + "value": "Audit" + }, { "label": "No", "value": "No" @@ -6853,7 +6921,7 @@ "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, - "visible": "[equals(steps('workloadspecific').enableWsPostgreSQLInitiatives, 'Yes')]", + "visible": "[not(equals(steps('workloadspecific').enableWsPostgreSQLInitiatives, 'No'))]", "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], "constraints": { "allowedValues": [ @@ -6924,6 +6992,10 @@ "label": "Yes", "value": "Yes" }, + { + "label": "Audit only", + "value": "Audit" + }, { "label": "No", "value": "No" @@ -6941,7 +7013,7 @@ "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, - "visible": "[equals(steps('workloadspecific').enableWsSQLInitiatives, 'Yes')]", + "visible": "[not(equals(steps('workloadspecific').enableWsSQLInitiatives, 'No'))]", "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], "constraints": { "allowedValues": [ @@ -7018,6 +7090,10 @@ "label": "Yes", "value": "Yes" }, + { + "label": "Audit only", + "value": "Audit" + }, { "label": "No", "value": "No" @@ -7035,7 +7111,7 @@ "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, - "visible": "[equals(steps('workloadspecific').enableWsEventGridInitiatives, 'Yes')]", + "visible": "[not(equals(steps('workloadspecific').enableWsEventGridInitiatives, 'No'))]", "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], "constraints": { "allowedValues": [ @@ -7106,6 +7182,10 @@ "label": "Yes", "value": "Yes" }, + { + "label": "Audit only", + "value": "Audit" + }, { "label": "No", "value": "No" @@ -7123,7 +7203,7 @@ "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, - "visible": "[equals(steps('workloadspecific').enableWsEventHubInitiatives, 'Yes')]", + "visible": "[not(equals(steps('workloadspecific').enableWsEventHubInitiatives, 'No'))]", "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], "constraints": { "allowedValues": [ @@ -7194,6 +7274,10 @@ "label": "Yes", "value": "Yes" }, + { + "label": "Audit only", + "value": "Audit" + }, { "label": "No", "value": "No" @@ -7211,7 +7295,7 @@ "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, - "visible": "[equals(steps('workloadspecific').enableWsServiceBusInitiatives, 'Yes')]", + "visible": "[not(equals(steps('workloadspecific').enableWsServiceBusInitiatives, 'No'))]", "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], "constraints": { "allowedValues": [ @@ -7288,6 +7372,10 @@ "label": "Yes", "value": "Yes" }, + { + "label": "Audit only", + "value": "Audit" + }, { "label": "No", "value": "No" @@ -7305,7 +7393,7 @@ "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, - "visible": "[equals(steps('workloadspecific').enableWsAutomationInitiatives, 'Yes')]", + "visible": "[not(equals(steps('workloadspecific').enableWsAutomationInitiatives, 'No'))]", "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], "constraints": { "allowedValues": [ @@ -7383,6 +7471,10 @@ "label": "Yes", "value": "Yes" }, + { + "label": "Audit only", + "value": "Audit" + }, { "label": "No", "value": "No" @@ -7400,7 +7492,7 @@ "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, - "visible": "[equals(steps('workloadspecific').enableWsNetworkInitiatives, 'Yes')]", + "visible": "[and(not(equals(steps('workloadspecific').enableWsNetworkInitiatives, 'No')), equals(steps('connectivity').enableDdoS, 'Yes'))]", "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], "constraints": { "allowedValues": [ @@ -7477,6 +7569,10 @@ "label": "Yes", "value": "Yes" }, + { + "label": "Audit only", + "value": "Audit" + }, { "label": "No", "value": "No" @@ -7494,7 +7590,7 @@ "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, - "visible": "[equals(steps('workloadspecific').enableWsKeyVaultSupInitiatives, 'Yes')]", + "visible": "[not(equals(steps('workloadspecific').enableWsKeyVaultSupInitiatives, 'No'))]", "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], "constraints": { "allowedValues": [ @@ -7571,6 +7667,10 @@ "label": "Yes", "value": "Yes" }, + { + "label": "Audit only", + "value": "Audit" + }, { "label": "No", "value": "No" @@ -7588,7 +7688,7 @@ "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, - "visible": "[equals(steps('workloadspecific').enableWsStorageInitiatives, 'Yes')]", + "visible": "[not(equals(steps('workloadspecific').enableWsStorageInitiatives, 'No'))]", "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], "constraints": { "allowedValues": [ @@ -7665,6 +7765,10 @@ "label": "Yes", "value": "Yes" }, + { + "label": "Audit only", + "value": "Audit" + }, { "label": "No", "value": "No" @@ -7682,7 +7786,7 @@ "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, - "visible": "[equals(steps('workloadspecific').enableWsAPIMInitiatives, 'Yes')]", + "visible": "[not(equals(steps('workloadspecific').enableWsAPIMInitiatives, 'No'))]", "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], "constraints": { "allowedValues": [ @@ -7753,6 +7857,10 @@ "label": "Yes", "value": "Yes" }, + { + "label": "Audit only", + "value": "Audit" + }, { "label": "No", "value": "No" @@ -7770,7 +7878,7 @@ "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, - "visible": "[equals(steps('workloadspecific').enableWsAppServicesInitiatives, 'Yes')]", + "visible": "[not(equals(steps('workloadspecific').enableWsAppServicesInitiatives, 'No'))]", "defaultValue": [{"value": "contoso-platform"},{"value": "contoso-landingzones"}], "constraints": { "allowedValues": [ diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json index 6c834f2929..45029343a7 100644 --- a/eslzArm/eslzArm.json +++ b/eslzArm/eslzArm.json @@ -1097,6 +1097,7 @@ "type": "string", "allowedValues": [ "Yes", + "Audit", "No" ], "defaultValue": "No" @@ -1112,6 +1113,7 @@ "type": "string", "allowedValues": [ "Yes", + "Audit", "No" ], "defaultValue": "No" @@ -1127,6 +1129,7 @@ "type": "string", "allowedValues": [ "Yes", + "Audit", "No" ], "defaultValue": "No" @@ -1142,6 +1145,7 @@ "type": "string", "allowedValues": [ "Yes", + "Audit", "No" ], "defaultValue": "No" @@ -1157,6 +1161,7 @@ "type": "string", "allowedValues": [ "Yes", + "Audit", "No" ], "defaultValue": "No" @@ -1172,6 +1177,7 @@ "type": "string", "allowedValues": [ "Yes", + "Audit", "No" ], "defaultValue": "No" @@ -1187,6 +1193,7 @@ "type": "string", "allowedValues": [ "Yes", + "Audit", "No" ], "defaultValue": "No" @@ -1202,6 +1209,7 @@ "type": "string", "allowedValues": [ "Yes", + "Audit", "No" ], "defaultValue": "No" @@ -1217,6 +1225,7 @@ "type": "string", "allowedValues": [ "Yes", + "Audit", "No" ], "defaultValue": "No" @@ -1232,6 +1241,7 @@ "type": "string", "allowedValues": [ "Yes", + "Audit", "No" ], "defaultValue": "No" @@ -1247,6 +1257,7 @@ "type": "string", "allowedValues": [ "Yes", + "Audit", "No" ], "defaultValue": "No" @@ -1262,6 +1273,7 @@ "type": "string", "allowedValues": [ "Yes", + "Audit", "No" ], "defaultValue": "No" @@ -1277,6 +1289,7 @@ "type": "string", "allowedValues": [ "Yes", + "Audit", "No" ], "defaultValue": "No" @@ -1292,6 +1305,7 @@ "type": "string", "allowedValues": [ "Yes", + "Audit", "No" ], "defaultValue": "No" @@ -1307,6 +1321,7 @@ "type": "string", "allowedValues": [ "Yes", + "Audit", "No" ], "defaultValue": "No" @@ -1322,6 +1337,7 @@ "type": "string", "allowedValues": [ "Yes", + "Audit", "No" ], "defaultValue": "No" @@ -1337,6 +1353,7 @@ "type": "string", "allowedValues": [ "Yes", + "Audit", "No" ], "defaultValue": "No" @@ -1352,6 +1369,7 @@ "type": "string", "allowedValues": [ "Yes", + "Audit", "No" ], "defaultValue": "No" @@ -1367,6 +1385,7 @@ "type": "string", "allowedValues": [ "Yes", + "Audit", "No" ], "defaultValue": "No" @@ -1382,6 +1401,7 @@ "type": "string", "allowedValues": [ "Yes", + "Audit", "No" ], "defaultValue": "No" @@ -1397,6 +1417,7 @@ "type": "string", "allowedValues": [ "Yes", + "Audit", "No" ], "defaultValue": "No" @@ -1412,6 +1433,7 @@ "type": "string", "allowedValues": [ "Yes", + "Audit", "No" ], "defaultValue": "No" @@ -1427,6 +1449,7 @@ "type": "string", "allowedValues": [ "Yes", + "Audit", "No" ], "defaultValue": "No" @@ -1442,6 +1465,7 @@ "type": "string", "allowedValues": [ "Yes", + "Audit", "No" ], "defaultValue": "No" @@ -1457,6 +1481,7 @@ "type": "string", "allowedValues": [ "Yes", + "Audit", "No" ], "defaultValue": "No" @@ -1472,6 +1497,7 @@ "type": "string", "allowedValues": [ "Yes", + "Audit", "No" ], "defaultValue": "No" @@ -1487,6 +1513,7 @@ "type": "string", "allowedValues": [ "Yes", + "Audit", "No" ], "defaultValue": "No" @@ -1502,7 +1529,7 @@ "type": "array", "defaultValue": [], "metadata": { - "description": "Array of objects containing built-in Regulatory Compliance policies to assign to sepcfied Management Groups" + "description": "Array of objects containing built-in Regulatory Compliance policies to assign to specified Management Groups" } }, "regCompPolParAusGovIsmRestrictedVmAdminsExclude": { @@ -2841,7 +2868,7 @@ }, { // Assigning Workload Specific Customer Managed Keys Initiaitve to selected management groups if condition is true - "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsCMKInitiatives'), 'Yes'), not(empty(parameters('wsCMKSelectorMG'))))]", + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), or(equals(parameters('enableWsCMKInitiatives'), 'Yes'), equals(parameters('enableWsCMKInitiatives'), 'Audit')), not(empty(parameters('wsCMKSelectorMG'))))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", "name": "[take(concat(variables('deploymentNames').wsCMKDeploymentName, '-', replace(parameters('wsCMKSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]", @@ -2882,13 +2909,16 @@ }, "assignmentIndex": { "value": "[copyIndex()]" + }, + "enforcementMode": { + "value": "[if(equals(parameters('enableWsCMKInitiatives'), 'Yes'), 'Default', 'DoNotEnforce')]" } } } }, { // Assigning Workload Specific APIM Initiaitve to selected management groups if condition is true - "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsAPIMInitiatives'), 'Yes'), not(empty(parameters('wsAPIMSelectorMG'))))]", + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), or(equals(parameters('enableWsAPIMInitiatives'), 'Yes'), equals(parameters('enableWsAPIMInitiatives'), 'Audit')), not(empty(parameters('wsAPIMSelectorMG'))))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", "name": "[take(concat(variables('deploymentNames').wsAPIMDeploymentName, '-', replace(parameters('wsAPIMSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]", @@ -2929,13 +2959,16 @@ }, "assignmentIndex": { "value": "[copyIndex()]" + }, + "enforcementMode": { + "value": "[if(equals(parameters('enableWsAPIMInitiatives'), 'Yes'), 'Default', 'DoNotEnforce')]" } } } }, { // Assigning Workload Specific App Services Initiaitve to selected management groups if condition is true - "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsAppServicesInitiatives'), 'Yes'), not(empty(parameters('wsAppServicesSelectorMG'))))]", + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), or(equals(parameters('enableWsAppServicesInitiatives'), 'Yes'), equals(parameters('enableWsAppServicesInitiatives'), 'Audit')), not(empty(parameters('wsAppServicesSelectorMG'))))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", "name": "[take(concat(variables('deploymentNames').wsAppServicesDeploymentName, '-', replace(parameters('wsAppServicesSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]", @@ -2976,13 +3009,16 @@ }, "assignmentIndex": { "value": "[copyIndex()]" + }, + "enforcementMode": { + "value": "[if(equals(parameters('enableWsAppServicesInitiatives'), 'Yes'), 'Default', 'DoNotEnforce')]" } } } }, { // Assigning Workload Specific Automation Accounts Initiaitve to selected management groups if condition is true - "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsAutomationInitiatives'), 'Yes'), not(empty(parameters('wsAutomationSelectorMG'))))]", + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), or(equals(parameters('enableWsAutomationInitiatives'), 'Yes'), equals(parameters('enableWsAutomationInitiatives'), 'Audit')), not(empty(parameters('wsAutomationSelectorMG'))))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", "name": "[take(concat(variables('deploymentNames').wsAutomationDeploymentName, '-', replace(parameters('wsAutomationSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]", @@ -3023,13 +3059,16 @@ }, "assignmentIndex": { "value": "[copyIndex()]" + }, + "enforcementMode": { + "value": "[if(equals(parameters('enableWsAutomationInitiatives'), 'Yes'), 'Default', 'DoNotEnforce')]" } } } }, { // Assigning Workload Specific Bot Service Initiaitve to selected management groups if condition is true - "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsBotServiceInitiatives'), 'Yes'), not(empty(parameters('wsBotServiceSelectorMG'))))]", + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), or(equals(parameters('enableWsBotServiceInitiatives'), 'Yes'), equals(parameters('enableWsBotServiceInitiatives'), 'Audit')), not(empty(parameters('wsBotServiceSelectorMG'))))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", "name": "[take(concat(variables('deploymentNames').wsBotServiceDeploymentName, '-', replace(parameters('wsBotServiceSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]", @@ -3070,13 +3109,16 @@ }, "assignmentIndex": { "value": "[copyIndex()]" + }, + "enforcementMode": { + "value": "[if(equals(parameters('enableWsBotServiceInitiatives'), 'Yes'), 'Default', 'DoNotEnforce')]" } } } }, { // Assigning Workload Specific Cognitive Services Initiaitve to selected management groups if condition is true - "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsCognitiveServicesInitiatives'), 'Yes'), not(empty(parameters('wsCognitiveServicesSelectorMG'))))]", + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), or(equals(parameters('enableWsCognitiveServicesInitiatives'), 'Yes'), equals(parameters('enableWsCognitiveServicesInitiatives'), 'Audit')), not(empty(parameters('wsCognitiveServicesSelectorMG'))))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", "name": "[take(concat(variables('deploymentNames').wsCognitiveServicesDeploymentName, '-', replace(parameters('wsCognitiveServicesSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]", @@ -3117,13 +3159,16 @@ }, "assignmentIndex": { "value": "[copyIndex()]" + }, + "enforcementMode": { + "value": "[if(equals(parameters('enableWsCognitiveServicesInitiatives'), 'Yes'), 'Default', 'DoNotEnforce')]" } } } }, { // Assigning Workload Specific Compute Initiaitve to selected management groups if condition is true - "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsComputeInitiatives'), 'Yes'), not(empty(parameters('wsComputeSelectorMG'))))]", + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), or(equals(parameters('enableWsComputeInitiatives'), 'Yes'), equals(parameters('enableWsComputeInitiatives'), 'Audit')), not(empty(parameters('wsComputeSelectorMG'))))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", "name": "[take(concat(variables('deploymentNames').wsComputeDeploymentName, '-', replace(parameters('wsComputeSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]", @@ -3164,13 +3209,16 @@ }, "assignmentIndex": { "value": "[copyIndex()]" + }, + "enforcementMode": { + "value": "[if(equals(parameters('enableWsComputeInitiatives'), 'Yes'), 'Default', 'DoNotEnforce')]" } } } }, { // Assigning Workload Specific Container Apps Initiaitve to selected management groups if condition is true - "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsContainerAppsInitiatives'), 'Yes'), not(empty(parameters('wsContainerAppsSelectorMG'))))]", + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), or(equals(parameters('enableWsContainerAppsInitiatives'), 'Yes'), equals(parameters('enableWsContainerAppsInitiatives'), 'Audit')), not(empty(parameters('wsContainerAppsSelectorMG'))))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", "name": "[take(concat(variables('deploymentNames').wsContainerAppsDeploymentName, '-', replace(parameters('wsContainerAppsSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]", @@ -3211,13 +3259,16 @@ }, "assignmentIndex": { "value": "[copyIndex()]" + }, + "enforcementMode": { + "value": "[if(equals(parameters('enableWsContainerAppsInitiatives'), 'Yes'), 'Default', 'DoNotEnforce')]" } } } }, { // Assigning Workload Specific Container Instance Initiaitve to selected management groups if condition is true - "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsContainerInstanceInitiatives'), 'Yes'), not(empty(parameters('wsContainerInstanceSelectorMG'))))]", + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), or(equals(parameters('enableWsContainerInstanceInitiatives'), 'Yes'), equals(parameters('enableWsContainerInstanceInitiatives'), 'Audit')), not(empty(parameters('wsContainerInstanceSelectorMG'))))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", "name": "[take(concat(variables('deploymentNames').wsContainerInstanceDeploymentName, '-', replace(parameters('wsContainerInstanceSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]", @@ -3258,13 +3309,16 @@ }, "assignmentIndex": { "value": "[copyIndex()]" + }, + "enforcementMode": { + "value": "[if(equals(parameters('enableWsContainerInstanceInitiatives'), 'Yes'), 'Default', 'DoNotEnforce')]" } } } }, { // Assigning Workload Specific Container Registry Initiaitve to selected management groups if condition is true - "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsContainerRegistryInitiatives'), 'Yes'), not(empty(parameters('wsContainerRegistrySelectorMG'))))]", + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), or(equals(parameters('enableWsContainerRegistryInitiatives'), 'Yes'), equals(parameters('enableWsContainerRegistryInitiatives'), 'Audit')), not(empty(parameters('wsContainerRegistrySelectorMG'))))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", "name": "[take(concat(variables('deploymentNames').wsContainerRegistryDeploymentName, '-', replace(parameters('wsContainerRegistrySelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]", @@ -3305,13 +3359,16 @@ }, "assignmentIndex": { "value": "[copyIndex()]" + }, + "enforcementMode": { + "value": "[if(equals(parameters('enableWsContainerRegistryInitiatives'), 'Yes'), 'Default', 'DoNotEnforce')]" } } } }, { // Assigning Workload Specific Cosmos DB Initiaitve to selected management groups if condition is true - "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsCosmosDbInitiatives'), 'Yes'), not(empty(parameters('wsCosmosDbSelectorMG'))))]", + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), or(equals(parameters('enableWsCosmosDbInitiatives'), 'Yes'), equals(parameters('enableWsCosmosDbInitiatives'), 'Audit')), not(empty(parameters('wsCosmosDbSelectorMG'))))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", "name": "[take(concat(variables('deploymentNames').wsCosmosDbDeploymentName, '-', replace(parameters('wsCosmosDbSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]", @@ -3352,13 +3409,16 @@ }, "assignmentIndex": { "value": "[copyIndex()]" + }, + "enforcementMode": { + "value": "[if(equals(parameters('enableWsCosmosDbInitiatives'), 'Yes'), 'Default', 'DoNotEnforce')]" } } } }, { // Assigning Workload Specific Data Explorer Initiaitve to selected management groups if condition is true - "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsDataExplorerInitiatives'), 'Yes'), not(empty(parameters('wsDataExplorerSelectorMG'))))]", + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), or(equals(parameters('enableWsDataExplorerInitiatives'), 'Yes'), equals(parameters('enableWsDataExplorerInitiatives'), 'Audit')), not(empty(parameters('wsDataExplorerSelectorMG'))))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", "name": "[take(concat(variables('deploymentNames').wsDataExplorerDeploymentName, '-', replace(parameters('wsDataExplorerSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]", @@ -3399,13 +3459,16 @@ }, "assignmentIndex": { "value": "[copyIndex()]" + }, + "enforcementMode": { + "value": "[if(equals(parameters('enableWsDataExplorerInitiatives'), 'Yes'), 'Default', 'DoNotEnforce')]" } } } }, { // Assigning Workload Specific Data Factory Initiaitve to selected management groups if condition is true - "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsDataFactoryInitiatives'), 'Yes'), not(empty(parameters('wsDataFactorySelectorMG'))))]", + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), or(equals(parameters('enableWsDataFactoryInitiatives'), 'Yes'), equals(parameters('enableWsDataFactoryInitiatives'), 'Audit')), not(empty(parameters('wsDataFactorySelectorMG'))))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", "name": "[take(concat(variables('deploymentNames').wsDataFactoryDeploymentName, '-', replace(parameters('wsDataFactorySelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]", @@ -3446,13 +3509,16 @@ }, "assignmentIndex": { "value": "[copyIndex()]" + }, + "enforcementMode": { + "value": "[if(equals(parameters('enableWsDataFactoryInitiatives'), 'Yes'), 'Default', 'DoNotEnforce')]" } } } }, { // Assigning Workload Specific Event Grid Initiaitve to selected management groups if condition is true - "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsEventGridInitiatives'), 'Yes'), not(empty(parameters('wsEventGridSelectorMG'))))]", + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), or(equals(parameters('enableWsEventGridInitiatives'), 'Yes'), equals(parameters('enableWsEventGridInitiatives'), 'Audit')), not(empty(parameters('wsEventGridSelectorMG'))))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", "name": "[take(concat(variables('deploymentNames').wsEventGridDeploymentName, '-', replace(parameters('wsEventGridSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]", @@ -3493,13 +3559,16 @@ }, "assignmentIndex": { "value": "[copyIndex()]" + }, + "enforcementMode": { + "value": "[if(equals(parameters('enableWsEventGridInitiatives'), 'Yes'), 'Default', 'DoNotEnforce')]" } } } }, { // Assigning Workload Specific Event Hub Initiaitve to selected management groups if condition is true - "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsEventHubInitiatives'), 'Yes'), not(empty(parameters('wsEventHubSelectorMG'))))]", + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), or(equals(parameters('enableWsEventHubInitiatives'), 'Yes'), equals(parameters('enableWsEventHubInitiatives'), 'Audit')), not(empty(parameters('wsEventHubSelectorMG'))))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", "name": "[take(concat(variables('deploymentNames').wsEventHubDeploymentName, '-', replace(parameters('wsEventHubSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]", @@ -3540,13 +3609,16 @@ }, "assignmentIndex": { "value": "[copyIndex()]" + }, + "enforcementMode": { + "value": "[if(equals(parameters('enableWsEventHubInitiatives'), 'Yes'), 'Default', 'DoNotEnforce')]" } } } }, { // Assigning Workload Specific Key Vault Supplementary Initiaitve to selected management groups if condition is true - "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsKeyVaultSupInitiatives'), 'Yes'), not(empty(parameters('wsKeyVaultSupSelectorMG'))))]", + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), or(equals(parameters('enableWsKeyVaultSupInitiatives'), 'Yes'), equals(parameters('enableWsKeyVaultSupInitiatives'), 'Audit')), not(empty(parameters('wsKeyVaultSupSelectorMG'))))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", "name": "[take(concat(variables('deploymentNames').wsKeyVaultSupDeploymentName, '-', replace(parameters('wsKeyVaultSupSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]", @@ -3587,13 +3659,16 @@ }, "assignmentIndex": { "value": "[copyIndex()]" + }, + "enforcementMode": { + "value": "[if(equals(parameters('enableWsKeyVaultSupInitiatives'), 'Yes'), 'Default', 'DoNotEnforce')]" } } } }, { // Assigning Workload Specific Kubernetes Initiaitve to selected management groups if condition is true - "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsKubernetesInitiatives'), 'Yes'), not(empty(parameters('wsKubernetesSelectorMG'))))]", + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), or(equals(parameters('enableWsKubernetesInitiatives'), 'Yes'), equals(parameters('enableWsKubernetesInitiatives'), 'Audit')), not(empty(parameters('wsKubernetesSelectorMG'))))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", "name": "[take(concat(variables('deploymentNames').wsKubernetesDeploymentName, '-', replace(parameters('wsKubernetesSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]", @@ -3634,13 +3709,16 @@ }, "assignmentIndex": { "value": "[copyIndex()]" + }, + "enforcementMode": { + "value": "[if(equals(parameters('enableWsKubernetesInitiatives'), 'Yes'), 'Default', 'DoNotEnforce')]" } } } }, { // Assigning Workload Specific Machine Learning Initiaitve to selected management groups if condition is true - "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsMachineLearningInitiatives'), 'Yes'), not(empty(parameters('wsMachineLearningSelectorMG'))))]", + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), or(equals(parameters('enableWsMachineLearningInitiatives'), 'Yes'), equals(parameters('enableWsMachineLearningInitiatives'), 'Audit')), not(empty(parameters('wsMachineLearningSelectorMG'))))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", "name": "[take(concat(variables('deploymentNames').wsMachineLearningDeploymentName, '-', replace(parameters('wsMachineLearningSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]", @@ -3681,13 +3759,16 @@ }, "assignmentIndex": { "value": "[copyIndex()]" + }, + "enforcementMode": { + "value": "[if(equals(parameters('enableWsMachineLearningInitiatives'), 'Yes'), 'Default', 'DoNotEnforce')]" } } } }, { // Assigning Workload Specific MySQL Initiaitve to selected management groups if condition is true - "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsMySQLInitiatives'), 'Yes'), not(empty(parameters('wsMySQLSelectorMG'))))]", + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), or(equals(parameters('enableWsMySQLInitiatives'), 'Yes'), equals(parameters('enableWsMySQLInitiatives'), 'Audit')), not(empty(parameters('wsMySQLSelectorMG'))))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", "name": "[take(concat(variables('deploymentNames').wsMySQLDeploymentName, '-', replace(parameters('wsMySQLSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]", @@ -3728,13 +3809,16 @@ }, "assignmentIndex": { "value": "[copyIndex()]" + }, + "enforcementMode": { + "value": "[if(equals(parameters('enableWsMySQLInitiatives'), 'Yes'), 'Default', 'DoNotEnforce')]" } } } }, { // Assigning Workload Specific Network and Networking services Initiaitve to selected management groups if condition is true - "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsNetworkInitiatives'), 'Yes'), not(empty(parameters('wsNetworkSelectorMG'))))]", + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), or(equals(parameters('enableWsNetworkInitiatives'), 'Yes'), equals(parameters('enableWsNetworkInitiatives'), 'Audit')), not(empty(parameters('wsNetworkSelectorMG'))))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", "name": "[take(concat(variables('deploymentNames').wsNetworkDeploymentName, '-', replace(parameters('wsNetworkSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]", @@ -3778,13 +3862,16 @@ }, "ddosPlanResourceId": { "value": "[variables('platformResourceIds').ddosProtectionResourceId]" + }, + "enforcementMode": { + "value": "[if(equals(parameters('enableWsNetworkInitiatives'), 'Yes'), 'Default', 'DoNotEnforce')]" } } } }, { // Assigning Workload Specific OpenAI Initiaitve to selected management groups if condition is true - "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsOpenAIInitiatives'), 'Yes'), not(empty(parameters('wsOpenAISelectorMG'))))]", + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), or(equals(parameters('enableWsOpenAIInitiatives'), 'Yes'), equals(parameters('enableWsOpenAIInitiatives'), 'Audit')), not(empty(parameters('wsOpenAISelectorMG'))))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", "name": "[take(concat(variables('deploymentNames').wsOpenAIDeploymentName, '-', replace(parameters('wsOpenAISelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]", @@ -3825,13 +3912,16 @@ }, "assignmentIndex": { "value": "[copyIndex()]" + }, + "enforcementMode": { + "value": "[if(equals(parameters('enableWsOpenAIInitiatives'), 'Yes'), 'Default', 'DoNotEnforce')]" } } } }, { // Assigning Workload Specific PostgreSQL Initiaitve to selected management groups if condition is true - "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsPostgreSQLInitiatives'), 'Yes'), not(empty(parameters('wsPostgreSQLSelectorMG'))))]", + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), or(equals(parameters('enableWsPostgreSQLInitiatives'), 'Yes'), equals(parameters('enableWsPostgreSQLInitiatives'), 'Audit')), not(empty(parameters('wsPostgreSQLSelectorMG'))))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", "name": "[take(concat(variables('deploymentNames').wsPostgreSQLDeploymentName, '-', replace(parameters('wsPostgreSQLSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]", @@ -3872,13 +3962,16 @@ }, "assignmentIndex": { "value": "[copyIndex()]" + }, + "enforcementMode": { + "value": "[if(equals(parameters('enableWsPostgreSQLInitiatives'), 'Yes'), 'Default', 'DoNotEnforce')]" } } } }, { // Assigning Workload Specific Service Bus Initiaitve to selected management groups if condition is true - "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsServiceBusInitiatives'), 'Yes'), not(empty(parameters('wsServiceBusSelectorMG'))))]", + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), or(equals(parameters('enableWsServiceBusInitiatives'), 'Yes'), equals(parameters('enableWsServiceBusInitiatives'), 'Audit')), not(empty(parameters('wsServiceBusSelectorMG'))))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", "name": "[take(concat(variables('deploymentNames').wsServiceBusDeploymentName, '-', replace(parameters('wsServiceBusSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]", @@ -3919,13 +4012,16 @@ }, "assignmentIndex": { "value": "[copyIndex()]" + }, + "enforcementMode": { + "value": "[if(equals(parameters('enableWsServiceBusInitiatives'), 'Yes'), 'Default', 'DoNotEnforce')]" } } } }, { // Assigning Workload Specific SQL Initiaitve to selected management groups if condition is true - "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsSQLInitiatives'), 'Yes'), not(empty(parameters('wsSQLSelectorMG'))))]", + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), or(equals(parameters('enableWsSQLInitiatives'), 'Yes'), equals(parameters('enableWsSQLInitiatives'), 'Audit')), not(empty(parameters('wsSQLSelectorMG'))))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", "name": "[take(concat(variables('deploymentNames').wsSQLDeploymentName, '-', replace(parameters('wsSQLSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]", @@ -3966,13 +4062,16 @@ }, "assignmentIndex": { "value": "[copyIndex()]" + }, + "enforcementMode": { + "value": "[if(equals(parameters('enableWsSQLInitiatives'), 'Yes'), 'Default', 'DoNotEnforce')]" } } } }, { // Assigning Workload Specific Storage Initiaitve to selected management groups if condition is true - "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsStorageInitiatives'), 'Yes'), not(empty(parameters('wsStorageSelectorMG'))))]", + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), or(equals(parameters('enableWsStorageInitiatives'), 'Yes'), equals(parameters('enableWsStorageInitiatives'), 'Audit')), not(empty(parameters('wsStorageSelectorMG'))))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", "name": "[take(concat(variables('deploymentNames').wsStorageDeploymentName, '-', replace(parameters('wsStorageSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]", @@ -4013,13 +4112,16 @@ }, "assignmentIndex": { "value": "[copyIndex()]" + }, + "enforcementMode": { + "value": "[if(equals(parameters('enableWsStorageInitiatives'), 'Yes'), 'Default', 'DoNotEnforce')]" } } } }, { // Assigning Workload Specific Synapse Initiaitve to selected management groups if condition is true - "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsSynapseInitiatives'), 'Yes'), not(empty(parameters('wsSynapseSelectorMG'))))]", + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), or(equals(parameters('enableWsSynapseInitiatives'), 'Yes'), equals(parameters('enableWsSynapseInitiatives'), 'Audit')), not(empty(parameters('wsSynapseSelectorMG'))))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", "name": "[take(concat(variables('deploymentNames').wsSynapseDeploymentName, '-', replace(parameters('wsSynapseSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]", @@ -4060,13 +4162,16 @@ }, "assignmentIndex": { "value": "[copyIndex()]" + }, + "enforcementMode": { + "value": "[if(equals(parameters('enableWsSynapseInitiatives'), 'Yes'), 'Default', 'DoNotEnforce')]" } } } }, { // Assigning Workload Specific Virtual Desktop Initiaitve to selected management groups if condition is true - "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableWsVirtualDesktopInitiatives'), 'Yes'), not(empty(parameters('wsVirtualDesktopSelectorMG'))))]", + "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), or(equals(parameters('enableWsVirtualDesktopInitiatives'), 'Yes'), equals(parameters('enableWsVirtualDesktopInitiatives'), 'Audit')), not(empty(parameters('wsVirtualDesktopSelectorMG'))))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", "name": "[take(concat(variables('deploymentNames').wsVirtualDesktopDeploymentName, '-', replace(parameters('wsVirtualDesktopSelectorMG')[copyIndex()], 'contoso', parameters('enterpriseScaleCompanyPrefix'))), 64)]", @@ -4107,6 +4212,9 @@ }, "assignmentIndex": { "value": "[copyIndex()]" + }, + "enforcementMode": { + "value": "[if(equals(parameters('enableWsVirtualDesktopInitiatives'), 'Yes'), 'Default', 'DoNotEnforce')]" } } } From 98b259b2d60aee15ece50ad64a5cddab771f4583 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Wed, 22 Jan 2025 19:10:03 +0400 Subject: [PATCH 15/18] Initiative API version update (#1889) --- .../policyDefinitions/initiatives.json | 76 +++++++++---------- .../policyDefinitions/policies.json | 8 +- .../Deploy-MDFC-Config_20240319.json | 2 +- .../Deploy-Private-DNS-Zones.json | 2 +- .../Deploy-Sql-Security_20240529.json | 2 +- .../policySetDefinitions/Enforce-ACSB.json | 2 +- .../Enforce-ALZ-Decomm.json | 2 +- .../Enforce-ALZ-Sandbox.json | 2 +- .../policySetDefinitions/Enforce-Backup.json | 2 +- .../Enforce-EncryptTransit_20240509.json | 2 +- .../Enforce-EncryptTransit_20241211.json | 2 +- .../Enforce-Encryption-CMK.json | 2 +- .../Enforce-Guardrails-APIM.json | 2 +- .../Enforce-Guardrails-AppServices.json | 2 +- .../Enforce-Guardrails-Automation.json | 2 +- .../Enforce-Guardrails-BotService.json | 2 +- .../Enforce-Guardrails-CognitiveServices.json | 2 +- .../Enforce-Guardrails-Compute.json | 2 +- .../Enforce-Guardrails-ContainerApps.json | 2 +- .../Enforce-Guardrails-ContainerInstance.json | 2 +- .../Enforce-Guardrails-ContainerRegistry.json | 2 +- .../Enforce-Guardrails-CosmosDb.json | 2 +- .../Enforce-Guardrails-DataExplorer.json | 2 +- .../Enforce-Guardrails-DataFactory.json | 2 +- .../Enforce-Guardrails-EventGrid.json | 2 +- .../Enforce-Guardrails-EventHub.json | 2 +- .../Enforce-Guardrails-KeyVault-Sup.json | 2 +- .../Enforce-Guardrails-KeyVault.json | 2 +- .../Enforce-Guardrails-Kubernetes.json | 2 +- .../Enforce-Guardrails-MachineLearning.json | 2 +- .../Enforce-Guardrails-MySQL.json | 2 +- .../Enforce-Guardrails-Network.json | 2 +- .../Enforce-Guardrails-OpenAI.json | 2 +- .../Enforce-Guardrails-PostgreSQL.json | 2 +- .../Enforce-Guardrails-SQL.json | 2 +- .../Enforce-Guardrails-ServiceBus.json | 2 +- .../Enforce-Guardrails-Storage.json | 2 +- .../Enforce-Guardrails-Synapse.json | 2 +- .../Enforce-Guardrails-VirtualDesktop.json | 2 +- workloads/README.md | 2 +- 40 files changed, 80 insertions(+), 80 deletions(-) diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json b/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json index 2590865b25..88344ee6cd 100644 --- a/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json +++ b/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.32.4.45862", - "templateHash": "4520699863553122349" + "templateHash": "13650298559309402818" } }, "parameters": { @@ -79,49 +79,49 @@ "$fxv#0": "{\n \"name\": \"Audit-UnusedResourcesCostOptimization\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Unused resources driving cost should be avoided\",\n \"description\": \"Optimize cost by detecting unused but chargeable resources. Leverage this Azure Policy Initiative as a cost control tool to reveal orphaned resources that are contributing cost.\",\n \"metadata\": {\n \"version\": \"2.1.0\",\n \"category\": \"Cost Optimization\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effectDisks\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Disks Effect\",\n \"description\": \"Enable or disable the execution of the policy for Microsoft.Compute/disks\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectPublicIpAddresses\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"PublicIpAddresses Effect\",\n \"description\": \"Enable or disable the execution of the policy for Microsoft.Network/publicIpAddresses\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectServerFarms\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"ServerFarms Effect\",\n \"description\": \"Enable or disable the execution of the policy for Microsoft.Web/serverfarms\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AuditDisksUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-Disks-UnusedResourcesCostOptimization\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectDisks')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditPublicIpAddressesUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-PublicIpAddresses-UnusedResourcesCostOptimization\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectPublicIpAddresses')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditServerFarmsUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-ServerFarms-UnusedResourcesCostOptimization\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectServerFarms')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditAzureHybridBenefitUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-AzureHybridBenefit\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"Audit\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#1": "{\n \"name\": \"Audit-TrustedLaunch\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Audit virtual machines for Trusted Launch support\",\n \"description\": \"Trusted Launch improves security of a Virtual Machine which requires VM SKU, OS Disk & OS Image to support it (Gen 2). To learn more about Trusted Launch, visit https://aka.ms/trustedlaunch.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Trusted Launch\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"version\": \"1.0.0\",\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AuditDisksOsTrustedLaunch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b03bb370-5249-4ea4-9fce-2552e87e45fa\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditTrustedLaunchEnabled\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c95b54ad-0614-4633-ab29-104b01235cbf\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#10": "{\n \"name\": \"Deploy-AUM-CheckUpdates\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure periodic checking for missing system updates on azure virtual machines and Arc-enabled virtual machines\",\n \"description\": \"Configure auto-assessment (every 24 hours) for OS updates. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"assessmentMode\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Assessment mode\",\n \"description\": \"Assessment mode for the machines.\"\n },\n \"allowedValues\": [\n \"ImageDefault\",\n \"AutomaticByPlatform\"\n ],\n \"defaultValue\": \"AutomaticByPlatform\"\n },\n \"locations\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Machines locations\",\n \"description\": \"The list of locations from which machines need to be targeted.\",\n \"strongType\": \"location\"\n },\n \"defaultValue\": []\n },\n \"tagValues\": {\n \"type\": \"Object\",\n \"metadata\": {\n \"displayName\": \"Tags on machines\",\n \"description\": \"The list of tags that need to matched for getting target machines.\"\n },\n \"defaultValue\": {}\n },\n \"tagOperator\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Tag operator\",\n \"description\": \"Matching condition for resource tags\"\n },\n \"allowedValues\": [\n \"All\",\n \"Any\"\n ],\n \"defaultValue\": \"Any\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmCheckUpdateWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15\",\n \"definitionVersion\": \"4.*.*\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Windows\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmCheckUpdateLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15\",\n \"definitionVersion\": \"4.*.*\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Linux\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmArcCheckUpdateWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Windows\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmArcCheckUpdateLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Linux\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#11": "{\n \"name\": \"Enforce-Guardrails-KeyVault\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Azure Key Vault\",\n \"description\": \"Enforce recommended guardrails for Azure Key Vault.\",\n \"metadata\": {\n \"version\": \"2.2.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effectKvSoftDelete\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect - KV Soft Delete\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvPurgeProtection\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect - KV Purge Protection\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvSecretsExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect - KV Secrets Expiry\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvKeysExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect - KV Keys Expiry\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvFirewallEnabled\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect - KV Firewall Enabled\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvCertLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect - KV Certificate Lifetime\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"maximumCertLifePercentageLife\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The maximum lifetime percentage\",\n \"description\": \"Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate's valid life, enter '80'.\"\n },\n \"defaultValue\": 80\n },\n \"minimumCertLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvKeysLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect - KV Keys Lifetime\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumKeysLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvSecretsLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect - KV Secrets Lifetime\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumSecretsLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"keyVaultCheckMinimumRSACertificateSize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSACertificateSizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultManagedHsmCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultManagedHsmMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultArmRbac\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsPurgeProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificatesPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertValidPeriod\": {\n \"type\": \"integer\",\n \"defaultValue\": 12\n },\n \"keyVaultHmsKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultCertKeyTypes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultEllipticCurve\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCryptographicType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keysCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultSecretContentType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCaValue\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"The common name of the certificate authority\",\n \"description\": \"The common name (CN) of the Certificate Authority (CA) provider. For example, for an issuer CN = Contoso, OU = .., DC = .., you can specify Contoso\"\n }\n },\n \"keyVaultIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultIntegratedCaValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"DigiCert\",\n \"GlobalSign\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpirationValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultHmsCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsCurveNamesValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"P-256\",\n \"P-256K\",\n \"P-384\",\n \"P-521\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"KvSoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\",\n \"definitionVersion\": \"3.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSoftDelete')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvPurgeProtection\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvPurgeProtection')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvFirewallEnabled\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"definitionVersion\": \"3.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvFirewallEnabled')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvCertLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvCertLifetime')]\"\n },\n \"maximumPercentageLife\": {\n \"value\": \"[[parameters('maximumCertLifePercentageLife')]\"\n },\n \"minimumDaysBeforeExpiry\": {\n \"value\": \"[[parameters('minimumCertLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumKeysLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumSecretsLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinCertSize\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSACertificateSize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSACertificateSizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86810a98-8e91-4a44-8386-ec66d0de5d57\",\n \"policyDefinitionReferenceId\": \"Deny-keyVaultManagedHsm-RSA-Keys-without-MinKeySize\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultManagedHsmMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82067dbb-e53b-4e06-b631-546d197452d9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinKeySize\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-without-ArmRbac\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultArmRbac')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c39ba22d-4428-4149-b981-70acb31fc383\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-PurgeProtection\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsPurgeProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cert-Period\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificatesPeriod')]\"\n },\n \"maximumValidityInMonths\": {\n \"value\": \"[[parameters('keyVaultCertValidPeriod')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1d478a74-21ba-4b9f-9d8f-8e6fced0eec5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-Key-Expire\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/49a22571-d204-4c91-a7b6-09b1a586fbc9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Keys-Expire\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/342e8053-e12e-4c44-be01-c3c2f318400f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secrets-ValidityDays\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Types\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertKeyTypes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Elliptic-Curve\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultEllipticCurve')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75c4f823-d65c-4f29-a733-01d0077fdbcb\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cryptographic-Type\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCryptographicType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26e4b24-cf98-4c67-b48b-5a25c4c69eb9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Active\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Curve-Names\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysCurveNames')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8d99835-8a06-45ae-a8e0-87a91941ccfe\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secret-ActiveDays\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75262d3e-ba4a-4f43-85f8-9f72c090e5e3\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Secret-Content-Type\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultSecretContentType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Non-Integrated-Ca\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCa')]\"\n },\n \"caCommonName\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Integrated-Ca\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultIntegratedCa')]\"\n },\n \"allowedCAs\": {\n \"value\": \"[[parameters('keyVaultIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ad27588c-0198-4c84-81ef-08efd0274653\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-MinimumDays-Before-Expiration\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpiration')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpirationValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e58fd0c1-feac-4d12-92db-0a7e9421f53e\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-Curve-Names\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNames')]\"\n },\n \"allowedECNames\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNamesValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Cert-Expiration-Within-Specific-Number-Days\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays')]\"\n },\n \"daysToExpire\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#12": "{\n \"name\": \"Enforce-Guardrails-APIM\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for API Management\",\n \"description\": \"This policy initiative is a group of policies that ensures API Management is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"API Management\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"apiSubscriptionScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"minimumApiVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimSkuVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"apimApiBackendCertValidation\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimDirectApiEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimCallApiAuthn\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimEncryptedProtocols\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimVnetUsage\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimSecrets\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f1cc7827-022c-473e-836e-5a51cae0b249\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-without-Kv\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimSecrets')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ef619a2c-cc4d-4d03-b2ba-8c94a834d85b\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-without-Vnet\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimVnetUsage')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-APIM-TLS\",\n \"policyDefinitionReferenceId\": \"Deny-APIM-TLS\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee7495e7-3ba7-40b6-bfee-c29e22cc75d4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Protocols\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimEncryptedProtocols')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c15dcc82-b93c-4dcb-9332-fbf121685b54\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Authn\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimCallApiAuthn')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b741306c-968e-4b67-b916-5675e5c709f4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Direct-Endpoint\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimDirectApiEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92bb331d-ac71-416a-8c91-02f2cb734ce4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Cert-Validation\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimApiBackendCertValidation')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7ca8c8ac-3a6e-493d-99ba-c5fa35347ff2\",\n \"policyDefinitionReferenceId\": \"Dine-Apim-Public-NetworkAccess\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimDisablePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/73ef9241-5d81-4cd4-b483-8443d1730fe5\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Sku-Vnet\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimSkuVnet')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/549814b6-3212-4203-bdc8-1548d342fb67\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Version\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('minimumApiVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3aa03346-d8c5-4994-a5bc-7652c2a2aef1\",\n \"policyDefinitionReferenceId\": \"Deny-Api-subscription-scope\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apiSubscriptionScope')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#13": "{\n \"name\": \"Enforce-Guardrails-AppServices\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for App Service\",\n \"description\": \"This policy initiative is a group of policies that ensures App Service is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"App Service\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"functionAppDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceSkuPl\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceDisableLocalAuthFtp\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceRouting\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceScmAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceRfc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsRfc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsVnetRouting\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceEnvLatestVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsRemoteDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsRemoteDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceByoc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsModifyHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppService-without-BYOC\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Byoc\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceByoc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a5e3fe8f-f6cd-4f1d-bbf6-c749754a724b\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Remote-Debugging\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsRemoteDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cca5adfe-626b-4cc6-8522-f5b6ed2391bd\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Remote-Debugging\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsRemoteDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/eb4d34ab-0929-491c-bbf3-61e13da19f9a\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Latest-Version\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceEnvLatestVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/801543d1-1953-4a90-b8b0-8cf6d41473a5\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Vnet-Routing\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsVnetRouting')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f5c0bfb3-acea-47b1-b477-b0edcdf6edc1\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Rfc\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceRfc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a691eacb-474d-47e4-b287-b4813ca44222\",\n \"policyDefinitionReferenceId\": \"Deny-AppServiceApps-Rfc\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsRfc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/70adbb40-e092-42d5-a6f8-71c540a5efdb\",\n \"policyDefinitionReferenceId\": \"DINE-FuncApp-Debugging\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e97b776-f380-4722-a9a3-e7f0be029e79\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-ScmAuth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceScmAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5747353b-1ca9-42c1-a4dd-b874b894f3d4\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-Routing\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceRouting')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/572e342c-c920-4ef5-be2e-1ed3c6a51dc5\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-FtpAuth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceDisableLocalAuthFtp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/546fe8d2-368d-4029-a418-6af48a7f61e5\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-SkuPl\",\n \"definitionVersion\": \"4.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceSkuPl')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2c034a29-2a5f-4857-b120-f800fe5549ae\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-LocalAuth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceDisableLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/25a5046c-c423-4805-9235-e844ae9ef49b\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-Debugging\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08cf2974-d178-48a0-b26d-f6b8e555748b\",\n \"policyDefinitionReferenceId\": \"Modify-Function-Apps-Slots-Https\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsModifyHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0f98368e-36bc-4716-8ac2-8f8067203b63\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-Https\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/242222f3-4985-4e99-b5ef-086d6a6cb01c\",\n \"policyDefinitionReferenceId\": \"Modify-Function-Apps-Slots-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2374605e-3e0b-492b-9046-229af202562c\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-Apps-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c6c3e00e-d414-4ca4-914f-406699bb8eee\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-App-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#14": "{\n \"name\": \"Enforce-Guardrails-Automation\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Automation Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Automation Account is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"aaModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"aaVariablesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"autoHotPatch\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d02d2f7-e38b-4bdc-96f3-adc0a8726abc\",\n \"policyDefinitionReferenceId\": \"Deny-Windows-Vm-HotPatch\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('autoHotPatch')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dea83a72-443c-4292-83d5-54a2f98749c0\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Managed-Identity\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/48c5f1cb-14ad-4797-8e3b-f78ab3f8d700\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Variables-Encrypt\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaVariablesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/30d1d58e-8f96-47a5-8564-499a3f3cca81\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyLocalAUth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/23b36a7c-9d26-4288-a8fd-c1d2fa284d8c\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#15": "{\n \"name\": \"Enforce-Guardrails-BotService\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Bot Service\",\n \"description\": \"This policy initiative is a group of policies that ensures Bot Service is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Bot Service\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"botServiceValidUri\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"audit\",\n \"Deny\",\n \"deny\",\n \"Disabled\",\n \"disabled\"\n ]\n },\n \"botServiceIsolatedMode\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"audit\",\n \"Deny\",\n \"deny\",\n \"Disabled\",\n \"disabled\"\n ]\n },\n \"botServiceLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"botServicePrivateLink\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6164527b-e1ee-4882-8673-572f425f5e0a\",\n \"policyDefinitionReferenceId\": \"Deny-BotService-Valid-Uri\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('botServiceValidUri')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/52152f42-0dda-40d9-976e-abb1acdd611e\",\n \"policyDefinitionReferenceId\": \"Deny-BotService-Isolated-Mode\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('botServiceIsolatedMode')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffea632e-4e3a-4424-bf78-10e179bb2e1a\",\n \"policyDefinitionReferenceId\": \"Deny-BotService-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('botServiceLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ad5621d6-a877-4407-aa93-a950b428315e\",\n \"policyDefinitionReferenceId\": \"Audit-BotService-Private-Link\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('botServicePrivateLink')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#16": "{\n \"name\": \"Enforce-Guardrails-CognitiveServices\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cognitive Services\",\n \"description\": \"This policy initiative is a group of policies that ensures Cognitive Services is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Cognitive Services\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cognitiveSearchSku\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveSearchLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyCognitiveSearchLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyCognitiveSearchPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesCustomerStorage\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesResourceLogs\": {\n \"type\": \"string\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a049bf77-880b-470f-ba6d-9f21c530cf83\",\n \"policyDefinitionReferenceId\": \"Deny-CognitiveSearch-SKU\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchSku')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6300012e-e9a4-4649-b41f-a85f5c43be91\",\n \"policyDefinitionReferenceId\": \"Deny-CongitiveSearch-LocalAuth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4eb216f2-9dba-4979-86e6-5d7e63ce3b75\",\n \"policyDefinitionReferenceId\": \"Modify-CogntiveSearch-LocalAuth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyCognitiveSearchLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9cee519f-d9c1-4fd9-9f79-24ec3449ed30\",\n \"policyDefinitionReferenceId\": \"Modify-CogntiveSearch-PublicEndpoint\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyCognitiveSearchPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47ba1dd7-28d9-4b07-a8d5-9813bed64e0c\",\n \"policyDefinitionReferenceId\": \"Modify-Cognitive-Services-Public-Network-Access\",\n \"definitionVersion\": \"3.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Managed-Identity\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/46aa9b05-0e60-4eae-a88b-1e9d374fa515\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Customer-Storage\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesCustomerStorage')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555\",\n \"policyDefinitionReferenceId\": \"Modify-Cognitive-Services-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4\",\n \"policyDefinitionReferenceId\": \"Aine-Cognitive-Services-Resource-Logs\",\n \"definitionVersion\": \"5.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesResourceLogs')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#17": "{\n \"name\": \"Enforce-Guardrails-Compute\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Compute\",\n \"description\": \"This policy initiative is a group of policies that ensures Compute is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Compute\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"diskDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vmAndVmssEncryptionHost\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc4d8e41-e223-45ea-9bf5-eada37891d87\",\n \"policyDefinitionReferenceId\": \"Deny-VmAndVmss-Encryption-Host\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vmAndVmssEncryptionHost')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ca91455f-eace-4f96-be59-e6e2c35b4816\",\n \"policyDefinitionReferenceId\": \"Deny-Disk-Double-Encryption\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('diskDoubleEncryption')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#18": "{\n \"name\": \"Enforce-Guardrails-ContainerApps\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Apps\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Container Apps\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerAppsManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsVnetInjection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8b346db6-85af-419b-8557-92cee2c0f9bb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApp-Vnet-Injection\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsVnetInjection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b874ab2d-72dd-47f1-8cb5-4a306478a4e7\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Managed-Identity\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsManagedIdentity')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#19": "{\n \"name\": \"Enforce-Guardrails-ContainerInstance\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Instance\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Container Instances\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerInstanceVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8af8f826-edcb-4178-b35f-851ea6fea615\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerInstance-Vnet\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerInstanceVnet')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#11": "{\n \"name\": \"Enforce-Guardrails-KeyVault\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2023-04-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Azure Key Vault\",\n \"description\": \"Enforce recommended guardrails for Azure Key Vault.\",\n \"metadata\": {\n \"version\": \"2.2.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effectKvSoftDelete\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect - KV Soft Delete\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvPurgeProtection\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect - KV Purge Protection\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvSecretsExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect - KV Secrets Expiry\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvKeysExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect - KV Keys Expiry\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvFirewallEnabled\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect - KV Firewall Enabled\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvCertLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect - KV Certificate Lifetime\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"maximumCertLifePercentageLife\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The maximum lifetime percentage\",\n \"description\": \"Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate's valid life, enter '80'.\"\n },\n \"defaultValue\": 80\n },\n \"minimumCertLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvKeysLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect - KV Keys Lifetime\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumKeysLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvSecretsLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect - KV Secrets Lifetime\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumSecretsLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"keyVaultCheckMinimumRSACertificateSize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSACertificateSizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultManagedHsmCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultManagedHsmMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultArmRbac\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsPurgeProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificatesPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertValidPeriod\": {\n \"type\": \"integer\",\n \"defaultValue\": 12\n },\n \"keyVaultHmsKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultCertKeyTypes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultEllipticCurve\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCryptographicType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keysCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultSecretContentType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCaValue\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"The common name of the certificate authority\",\n \"description\": \"The common name (CN) of the Certificate Authority (CA) provider. For example, for an issuer CN = Contoso, OU = .., DC = .., you can specify Contoso\"\n }\n },\n \"keyVaultIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultIntegratedCaValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"DigiCert\",\n \"GlobalSign\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpirationValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultHmsCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsCurveNamesValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"P-256\",\n \"P-256K\",\n \"P-384\",\n \"P-521\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"KvSoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\",\n \"definitionVersion\": \"3.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSoftDelete')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvPurgeProtection\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvPurgeProtection')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvFirewallEnabled\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"definitionVersion\": \"3.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvFirewallEnabled')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvCertLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvCertLifetime')]\"\n },\n \"maximumPercentageLife\": {\n \"value\": \"[[parameters('maximumCertLifePercentageLife')]\"\n },\n \"minimumDaysBeforeExpiry\": {\n \"value\": \"[[parameters('minimumCertLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumKeysLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumSecretsLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinCertSize\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSACertificateSize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSACertificateSizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86810a98-8e91-4a44-8386-ec66d0de5d57\",\n \"policyDefinitionReferenceId\": \"Deny-keyVaultManagedHsm-RSA-Keys-without-MinKeySize\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultManagedHsmMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82067dbb-e53b-4e06-b631-546d197452d9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinKeySize\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-without-ArmRbac\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultArmRbac')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c39ba22d-4428-4149-b981-70acb31fc383\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-PurgeProtection\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsPurgeProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cert-Period\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificatesPeriod')]\"\n },\n \"maximumValidityInMonths\": {\n \"value\": \"[[parameters('keyVaultCertValidPeriod')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1d478a74-21ba-4b9f-9d8f-8e6fced0eec5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-Key-Expire\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/49a22571-d204-4c91-a7b6-09b1a586fbc9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Keys-Expire\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/342e8053-e12e-4c44-be01-c3c2f318400f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secrets-ValidityDays\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Types\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertKeyTypes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Elliptic-Curve\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultEllipticCurve')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75c4f823-d65c-4f29-a733-01d0077fdbcb\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cryptographic-Type\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCryptographicType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26e4b24-cf98-4c67-b48b-5a25c4c69eb9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Active\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Curve-Names\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysCurveNames')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8d99835-8a06-45ae-a8e0-87a91941ccfe\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secret-ActiveDays\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75262d3e-ba4a-4f43-85f8-9f72c090e5e3\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Secret-Content-Type\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultSecretContentType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Non-Integrated-Ca\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCa')]\"\n },\n \"caCommonName\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Integrated-Ca\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultIntegratedCa')]\"\n },\n \"allowedCAs\": {\n \"value\": \"[[parameters('keyVaultIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ad27588c-0198-4c84-81ef-08efd0274653\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-MinimumDays-Before-Expiration\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpiration')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpirationValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e58fd0c1-feac-4d12-92db-0a7e9421f53e\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-Curve-Names\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNames')]\"\n },\n \"allowedECNames\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNamesValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Cert-Expiration-Within-Specific-Number-Days\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays')]\"\n },\n \"daysToExpire\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#12": "{\n \"name\": \"Enforce-Guardrails-APIM\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2023-04-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for API Management\",\n \"description\": \"This policy initiative is a group of policies that ensures API Management is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"API Management\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"apiSubscriptionScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"minimumApiVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimSkuVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"apimApiBackendCertValidation\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimDirectApiEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimCallApiAuthn\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimEncryptedProtocols\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimVnetUsage\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimSecrets\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f1cc7827-022c-473e-836e-5a51cae0b249\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-without-Kv\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimSecrets')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ef619a2c-cc4d-4d03-b2ba-8c94a834d85b\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-without-Vnet\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimVnetUsage')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-APIM-TLS\",\n \"policyDefinitionReferenceId\": \"Deny-APIM-TLS\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee7495e7-3ba7-40b6-bfee-c29e22cc75d4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Protocols\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimEncryptedProtocols')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c15dcc82-b93c-4dcb-9332-fbf121685b54\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Authn\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimCallApiAuthn')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b741306c-968e-4b67-b916-5675e5c709f4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Direct-Endpoint\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimDirectApiEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92bb331d-ac71-416a-8c91-02f2cb734ce4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Cert-Validation\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimApiBackendCertValidation')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7ca8c8ac-3a6e-493d-99ba-c5fa35347ff2\",\n \"policyDefinitionReferenceId\": \"Dine-Apim-Public-NetworkAccess\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimDisablePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/73ef9241-5d81-4cd4-b483-8443d1730fe5\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Sku-Vnet\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimSkuVnet')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/549814b6-3212-4203-bdc8-1548d342fb67\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Version\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('minimumApiVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3aa03346-d8c5-4994-a5bc-7652c2a2aef1\",\n \"policyDefinitionReferenceId\": \"Deny-Api-subscription-scope\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apiSubscriptionScope')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#13": "{\n \"name\": \"Enforce-Guardrails-AppServices\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2023-04-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for App Service\",\n \"description\": \"This policy initiative is a group of policies that ensures App Service is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"App Service\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"functionAppDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceSkuPl\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceDisableLocalAuthFtp\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceRouting\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceScmAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceRfc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsRfc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsVnetRouting\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceEnvLatestVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsRemoteDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsRemoteDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceByoc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsModifyHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppService-without-BYOC\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Byoc\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceByoc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a5e3fe8f-f6cd-4f1d-bbf6-c749754a724b\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Remote-Debugging\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsRemoteDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cca5adfe-626b-4cc6-8522-f5b6ed2391bd\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Remote-Debugging\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsRemoteDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/eb4d34ab-0929-491c-bbf3-61e13da19f9a\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Latest-Version\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceEnvLatestVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/801543d1-1953-4a90-b8b0-8cf6d41473a5\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Vnet-Routing\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsVnetRouting')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f5c0bfb3-acea-47b1-b477-b0edcdf6edc1\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Rfc\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceRfc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a691eacb-474d-47e4-b287-b4813ca44222\",\n \"policyDefinitionReferenceId\": \"Deny-AppServiceApps-Rfc\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsRfc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/70adbb40-e092-42d5-a6f8-71c540a5efdb\",\n \"policyDefinitionReferenceId\": \"DINE-FuncApp-Debugging\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e97b776-f380-4722-a9a3-e7f0be029e79\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-ScmAuth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceScmAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5747353b-1ca9-42c1-a4dd-b874b894f3d4\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-Routing\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceRouting')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/572e342c-c920-4ef5-be2e-1ed3c6a51dc5\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-FtpAuth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceDisableLocalAuthFtp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/546fe8d2-368d-4029-a418-6af48a7f61e5\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-SkuPl\",\n \"definitionVersion\": \"4.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceSkuPl')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2c034a29-2a5f-4857-b120-f800fe5549ae\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-LocalAuth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceDisableLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/25a5046c-c423-4805-9235-e844ae9ef49b\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-Debugging\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08cf2974-d178-48a0-b26d-f6b8e555748b\",\n \"policyDefinitionReferenceId\": \"Modify-Function-Apps-Slots-Https\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsModifyHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0f98368e-36bc-4716-8ac2-8f8067203b63\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-Https\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/242222f3-4985-4e99-b5ef-086d6a6cb01c\",\n \"policyDefinitionReferenceId\": \"Modify-Function-Apps-Slots-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2374605e-3e0b-492b-9046-229af202562c\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-Apps-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c6c3e00e-d414-4ca4-914f-406699bb8eee\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-App-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#14": "{\n \"name\": \"Enforce-Guardrails-Automation\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2023-04-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Automation Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Automation Account is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"aaModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"aaVariablesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"autoHotPatch\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d02d2f7-e38b-4bdc-96f3-adc0a8726abc\",\n \"policyDefinitionReferenceId\": \"Deny-Windows-Vm-HotPatch\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('autoHotPatch')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dea83a72-443c-4292-83d5-54a2f98749c0\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Managed-Identity\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/48c5f1cb-14ad-4797-8e3b-f78ab3f8d700\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Variables-Encrypt\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaVariablesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/30d1d58e-8f96-47a5-8564-499a3f3cca81\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyLocalAUth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/23b36a7c-9d26-4288-a8fd-c1d2fa284d8c\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#15": "{\n \"name\": \"Enforce-Guardrails-BotService\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2023-04-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Bot Service\",\n \"description\": \"This policy initiative is a group of policies that ensures Bot Service is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Bot Service\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"botServiceValidUri\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"audit\",\n \"Deny\",\n \"deny\",\n \"Disabled\",\n \"disabled\"\n ]\n },\n \"botServiceIsolatedMode\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"audit\",\n \"Deny\",\n \"deny\",\n \"Disabled\",\n \"disabled\"\n ]\n },\n \"botServiceLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"botServicePrivateLink\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6164527b-e1ee-4882-8673-572f425f5e0a\",\n \"policyDefinitionReferenceId\": \"Deny-BotService-Valid-Uri\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('botServiceValidUri')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/52152f42-0dda-40d9-976e-abb1acdd611e\",\n \"policyDefinitionReferenceId\": \"Deny-BotService-Isolated-Mode\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('botServiceIsolatedMode')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffea632e-4e3a-4424-bf78-10e179bb2e1a\",\n \"policyDefinitionReferenceId\": \"Deny-BotService-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('botServiceLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ad5621d6-a877-4407-aa93-a950b428315e\",\n \"policyDefinitionReferenceId\": \"Audit-BotService-Private-Link\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('botServicePrivateLink')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#16": "{\n \"name\": \"Enforce-Guardrails-CognitiveServices\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2023-04-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cognitive Services\",\n \"description\": \"This policy initiative is a group of policies that ensures Cognitive Services is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Cognitive Services\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cognitiveSearchSku\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveSearchLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyCognitiveSearchLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyCognitiveSearchPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesCustomerStorage\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesResourceLogs\": {\n \"type\": \"string\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a049bf77-880b-470f-ba6d-9f21c530cf83\",\n \"policyDefinitionReferenceId\": \"Deny-CognitiveSearch-SKU\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchSku')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6300012e-e9a4-4649-b41f-a85f5c43be91\",\n \"policyDefinitionReferenceId\": \"Deny-CongitiveSearch-LocalAuth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4eb216f2-9dba-4979-86e6-5d7e63ce3b75\",\n \"policyDefinitionReferenceId\": \"Modify-CogntiveSearch-LocalAuth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyCognitiveSearchLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9cee519f-d9c1-4fd9-9f79-24ec3449ed30\",\n \"policyDefinitionReferenceId\": \"Modify-CogntiveSearch-PublicEndpoint\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyCognitiveSearchPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47ba1dd7-28d9-4b07-a8d5-9813bed64e0c\",\n \"policyDefinitionReferenceId\": \"Modify-Cognitive-Services-Public-Network-Access\",\n \"definitionVersion\": \"3.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Managed-Identity\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/46aa9b05-0e60-4eae-a88b-1e9d374fa515\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Customer-Storage\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesCustomerStorage')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555\",\n \"policyDefinitionReferenceId\": \"Modify-Cognitive-Services-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4\",\n \"policyDefinitionReferenceId\": \"Aine-Cognitive-Services-Resource-Logs\",\n \"definitionVersion\": \"5.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesResourceLogs')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#17": "{\n \"name\": \"Enforce-Guardrails-Compute\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2023-04-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Compute\",\n \"description\": \"This policy initiative is a group of policies that ensures Compute is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Compute\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"diskDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vmAndVmssEncryptionHost\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc4d8e41-e223-45ea-9bf5-eada37891d87\",\n \"policyDefinitionReferenceId\": \"Deny-VmAndVmss-Encryption-Host\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vmAndVmssEncryptionHost')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ca91455f-eace-4f96-be59-e6e2c35b4816\",\n \"policyDefinitionReferenceId\": \"Deny-Disk-Double-Encryption\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('diskDoubleEncryption')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#18": "{\n \"name\": \"Enforce-Guardrails-ContainerApps\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2023-04-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Apps\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Container Apps\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerAppsManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsVnetInjection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8b346db6-85af-419b-8557-92cee2c0f9bb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApp-Vnet-Injection\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsVnetInjection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b874ab2d-72dd-47f1-8cb5-4a306478a4e7\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Managed-Identity\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsManagedIdentity')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#19": "{\n \"name\": \"Enforce-Guardrails-ContainerInstance\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2023-04-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Instance\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Container Instances\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerInstanceVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8af8f826-edcb-4178-b35f-851ea6fea615\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerInstance-Vnet\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerInstanceVnet')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#2": "{\n \"name\": \"Deploy-Sql-Security\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deploy SQL Database built-in SQL security configuration\",\n \"description\": \"Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-Sql-Security_20240529.html\",\n \"metadata\": {\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"Deploy-Sql-Security_20240529\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"vulnerabilityAssessmentsEmail\": {\n \"metadata\": {\n \"description\": \"The email address to send alerts\",\n \"displayName\": \"The email address to send alerts\"\n },\n \"type\": \"String\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"metadata\": {\n \"description\": \"The storage account ID to store assessments\",\n \"displayName\": \"The storage account ID to store assessments\"\n },\n \"type\": \"String\"\n },\n \"SqlDbTdeDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database Transparent Data Encryption \",\n \"description\": \"Deploy the Transparent Data Encryption when it is not enabled in the deployment\"\n }\n },\n \"SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database security Alert Policies configuration with email admin accounts\",\n \"description\": \"Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration\"\n }\n },\n \"SqlDbAuditingSettingsDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL database auditing settings\",\n \"description\": \"Deploy auditing settings to SQL Database when it not exist in the deployment\"\n }\n },\n \"SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database vulnerability Assessments\",\n \"description\": \"Deploy SQL Database vulnerability Assessments when it not exist in the deployment. To the specific storage account in the parameters\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"SqlDbTdeDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbTdeDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbSecurityAlertPoliciesDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbAuditingSettingsDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbAuditingSettingsDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbVulnerabilityAssessmentsDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect')]\"\n },\n \"vulnerabilityAssessmentsEmail\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsStorageID')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#20": "{\n \"name\": \"Enforce-Guardrails-ContainerRegistry\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Registry\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Container Registry\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerRegistryUnrestrictedNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryRepositoryToken\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyRepositoryToken\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistryLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistryExports\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryAnAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyAnAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistrySkuPrivateLink\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryArmAudience\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyArmAudience\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/79fdfe03-ffcb-4e55-b4d0-b925b8241759\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a9b426fe-8856-4945-8600-18c5dd1cca2a\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Repo-Token\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyRepositoryToken')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/42781ec6-6127-4c30-bdfa-fb423a0047d3\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Arm-Audience\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryArmAudience')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/785596ed-054f-41bc-aaec-7f3d0ba05725\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Arm-Audience\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyArmAudience')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd560fc0-3c69-498a-ae9f-aa8eb7de0e13\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Sku-PrivateLink\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistrySkuPrivateLink')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cced2946-b08a-44fe-9fd9-e4ed8a779897\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Anonymous-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyAnAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9f2dea28-e834-476c-99c5-3507b4728395\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Anonymous-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryAnAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/524b0254-c285-4903-bee6-bb8126cde579\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Exports\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryExports')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc921057-6b28-4fbe-9b83-f7bec05db6c2\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff05e24e-195c-447e-b322-5e90c9f9f366\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Repo-Token\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryRepositoryToken')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Unrestricted-Network-Access\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryUnrestrictedNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a3701552-92ea-433e-9d17-33b7f1208fc9\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#21": "{\n \"name\": \"Enforce-Guardrails-CosmosDb\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cosmos DB\",\n \"description\": \"This policy initiative is a group of policies that ensures Cosmos DB is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Cosmos DB\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cosmosDbLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbAtp\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc2d41d1-4ab1-4666-a3e1-3d51c43e0049\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b5f04e03-92a3-4b09-9410-2cc5e5047656\",\n \"policyDefinitionReferenceId\": \"Dine-CosmosDb-Atp\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbAtp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Fw-Rules\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5\",\n \"policyDefinitionReferenceId\": \"Append-CosmosDb-Metadata\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da69ba51-aaf1-41e5-8651-607cd0b37088\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyPublicAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#22": "{\n \"name\": \"Enforce-Guardrails-DataExplorer\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Data Explorer\",\n \"description\": \"This policy initiative is a group of policies that ensures Data Explorer is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Azure Data Explorer\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"adxEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxSku\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1fec9658-933f-4b3e-bc95-913ed22d012b\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Sku-without-PL-Support\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxSku')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Double-Encryption\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f4b53539-8df9-40e4-86c6-6b607703bd4e\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Encryption\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7b32f193-cb28-4e15-9a98-b9556db0bafa\",\n \"policyDefinitionReferenceId\": \"Modify-ADX-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#23": "{\n \"name\": \"Enforce-Guardrails-DataFactory\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Data Factory\",\n \"description\": \"This policy initiative is a group of policies that ensures Data Factory is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Data Factory\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"adfSqlIntegration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfLinkedServiceKeyVault\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfGit\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f78ccdb4-7bf4-4106-8647-270491d2978a\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Managed-Identity\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/77d40665-3120-4348-b539-3192ec808307\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Git\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfGit')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/127ef6d7-242f-43b3-9eef-947faf1725d0\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Linked-Service-Key-Vault\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfLinkedServiceKeyVault')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0088bc63-6dee-4a9c-9d29-91cfdc848952\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Sql-Integration\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfSqlIntegration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08b1442b-7789-4130-8506-4f99a97226a7\",\n \"policyDefinitionReferenceId\": \"Modify-Adf-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#24": "{\n \"name\": \"Enforce-Guardrails-EventGrid\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Event Grid\",\n \"description\": \"This policy initiative is a group of policies that ensures Event Grid is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Event Grid\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"eventGridLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridPartnerNamespaceLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridPartnerNamespaceModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridDomainModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridDomainModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2dd0e8b9-4289-4bb0-b813-1883298e9924\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Partner-Namespace-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridPartnerNamespaceModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8ac2748f-3bf1-4c02-a3b6-92ae68cf75b1\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Domain-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridDomainModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae9fb87f-8a17-4428-94a4-8135d431055c\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Topic-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c8144d9-746a-4501-b08c-093c8d29ad04\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Topic-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8632b003-3545-4b29-85e6-b2b96773df1e\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Partner-Namespace-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridPartnerNamespaceLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8bfadddb-ee1c-4639-8911-a38cb8e0b3bd\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/898e9824-104c-4965-8e0e-5197588fa5d4\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Domain-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridDomainModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/36ea4b4b-0f7f-4a54-89fa-ab18f555a172\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Topic-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#25": "{\n \"name\": \"Enforce-Guardrails-EventHub\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Event Hub\",\n \"description\": \"This policy initiative is a group of policies that ensures Event Hub is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Event Hub\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"eventHubAuthRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/836cd60e-87f3-4e6a-a27c-29d687f01a4c\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Double-Encryption\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/57f35901-8389-40bb-ac49-3ba4f86d889d\",\n \"policyDefinitionReferenceId\": \"Modify-EH-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5d4e3c65-4873-47be-94f3-6f8b953a3598\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b278e460-7cfc-4451-8294-cccc40a940d7\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Auth-Rules\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubAuthRules')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#26": "{\n \"name\": \"Enforce-Guardrails-KeyVault-Sup\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce additional recommended guardrails for Key Vault\",\n \"description\": \"This policy initiative is a group of policies that ensures Key Vault is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"keyVaultManagedHsmDisablePublicNetworkModify\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"keyVaultModifyFw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/84d327c3-164a-4685-b453-900478614456\",\n \"policyDefinitionReferenceId\": \"Modify-KV-PublicNetworkAccess\",\n \"definitionVersion\": \"2.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmDisablePublicNetworkModify')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01dc\",\n \"policyDefinitionReferenceId\": \"Modify-KV-Fw\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultModifyFw')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#27": "{\n \"name\": \"Enforce-Guardrails-Kubernetes\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Kubernetes\",\n \"description\": \"This policy initiative is a group of policies that ensures Kubernetes is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Kubernetes\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"aksKms\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"aksCni\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"aksLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPrivateCluster\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"aksCommandInvoke\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"aksReadinessOrLivenessProbes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPrivContainers\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"aksPrivEscalation\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"aksAllowedCapabilities\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"aksTempDisk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksInternalLb\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"aksDefaultNamespace\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"aksNakedPods\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksShareHostProcessAndNamespace\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"aksWindowsContainerAdministrator\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5485eac0-7e8f-4964-998b-a44f4f0c1e75\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Windows-Container-Administrator\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksWindowsContainerAdministrator')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Shared-Host-Process-Namespace\",\n \"definitionVersion\": \"5.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksShareHostProcessAndNamespace')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/65280eef-c8b4-425e-9aec-af55e55bf581\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Naked-Pods\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksNakedPods')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9f061a12-e40d-4183-a00e-171812443373\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Default-Namespace\",\n \"definitionVersion\": \"4.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksDefaultNamespace')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Internal-Lb\",\n \"definitionVersion\": \"8.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksInternalLb')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/41425d9f-d1a5-499a-9932-f8ed8453932c\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Temp-Disk-Encryption\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksTempDisk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Allowed-Capabilities\",\n \"definitionVersion\": \"6.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksAllowedCapabilities')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Priv-Escalation\",\n \"definitionVersion\": \"7.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPrivEscalation')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Priv-Containers\",\n \"definitionVersion\": \"9.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPrivContainers')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b1a9997f-2883-4f12-bdff-2280f99b5915\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-ReadinessOrLiveness-Probes\",\n \"definitionVersion\": \"3.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksReadinessOrLivenessProbes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b708b0a-3380-40e9-8b79-821f9fa224cc\",\n \"policyDefinitionReferenceId\": \"Dine-Aks-Command-Invoke\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksCommandInvoke')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n \"policyDefinitionReferenceId\": \"Dine-Aks-Policy\",\n \"definitionVersion\": \"4.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPolicy')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Private-Cluster\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPrivateCluster')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/993c2fcd-2b29-49d2-9eb0-df2c3a730c32\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dbbdc317-9734-4dd8-9074-993b29c69008\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Kms\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksKms')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/46238e2f-3f6f-4589-9f3f-77bed4116e67\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Cni\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksCni')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#28": "{\n \"name\": \"Enforce-Guardrails-MachineLearning\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Machine Learning\",\n \"description\": \"This policy initiative is a group of policies that ensures Machine Learning is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"mlUserAssignedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"mlLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlOutdatedOS\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"mlModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"mlIdleShutdown\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlVirtualNetwork\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"mlLegacyMode\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlPrivateLink\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"mlResourceLogs\": {\n \"type\": \"string\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"mlAllowedRegistryDeploy\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlAllowedModule\": {\n \"type\": \"string\",\n \"defaultValue\": \"enforceSetting\",\n \"allowedValues\": [\n \"enforceSetting\",\n \"disabled\"\n ]\n },\n \"mlAllowedPython\": {\n \"type\": \"string\",\n \"defaultValue\": \"enforceSetting\",\n \"allowedValues\": [\n \"enforceSetting\",\n \"disabled\"\n ]\n },\n \"mlAllowedRegistries\": {\n \"type\": \"string\",\n \"defaultValue\": \"enforceSetting\",\n \"allowedValues\": [\n \"enforceSetting\",\n \"disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f110a506-2dcb-422e-bcea-d533fc8c35e2\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Outdated-Os\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effects\": {\n \"value\": \"[[parameters('mlOutdatedOS')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Local-Auth\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a6f9a2d0-cff7-4855-83ad-4cd750666512\",\n \"policyDefinitionReferenceId\": \"Modify-ML-Local-Auth\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f0c7d88-c7de-45b8-ac49-db49e72eaa78\",\n \"policyDefinitionReferenceId\": \"Deny-ML-User-Assigned-Identity\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlUserAssignedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a10ee784-7409-4941-b091-663697637c0f\",\n \"policyDefinitionReferenceId\": \"Modify-ML-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/679ddf89-ab8f-48a5-9029-e76054077449\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Idle-Shutdown\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlIdleShutdown')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7804b5c7-01dc-4723-969b-ae300cc07ff1\",\n \"policyDefinitionReferenceId\": \"Audit-ML-Virtual-Network\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlVirtualNetwork')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e413671a-dd10-4cc1-a943-45b598596cb7\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Legacy-Mode\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlLegacyMode')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/45e05259-1eb5-4f70-9574-baf73e9d219b\",\n \"policyDefinitionReferenceId\": \"Audit-ML-Private-Link\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlPrivateLink')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/afe0c3be-ba3b-4544-ba52-0c99672a8ad6\",\n \"policyDefinitionReferenceId\": \"Aine-ML-Resource-Logs\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlResourceLogs')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/19539b54-c61e-4196-9a38-67598701be90\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Allowed-Registry-Deploy\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlAllowedRegistryDeploy')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/53c70b02-63dd-11ea-bc55-0242ac130003\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Allowed-Module\",\n \"definitionVersion\": \"6.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlAllowedModule')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/77eeea86-7e81-4a7d-9067-de844d096752\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Allowed-Python\",\n \"definitionVersion\": \"5.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlAllowedPython')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5853517a-63de-11ea-bc55-0242ac130003\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Allowed-Registries\",\n \"definitionVersion\": \"6.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlAllowedRegistries')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#29": "{\n \"name\": \"Enforce-Guardrails-MySQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for MySQL\",\n \"description\": \"This policy initiative is a group of policies that ensures MySQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"MySQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"mySqlInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mySqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816\",\n \"policyDefinitionReferenceId\": \"Dine-MySql-Adv-Threat-Protection\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlAdvThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3a58212a-c829-4f13-9872-6371df2fd0b4\",\n \"policyDefinitionReferenceId\": \"Deny-MySql-Infra-Encryption\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlInfraEncryption')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#3": "{\n \"name\": \"Deploy-Sql-Security_20240529\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy SQL Database built-in SQL security configuration\",\n \"description\": \"Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Deploy-Sql-Security\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"vulnerabilityAssessmentsEmail\": {\n \"metadata\": {\n \"description\": \"The email address to send alerts\",\n \"displayName\": \"The email address to send alerts\"\n },\n \"type\": \"Array\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"metadata\": {\n \"description\": \"The storage account ID to store assessments\",\n \"displayName\": \"The storage account ID to store assessments\"\n },\n \"type\": \"String\"\n },\n \"SqlDbTdeDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database Transparent Data Encryption \",\n \"description\": \"Deploy the Transparent Data Encryption when it is not enabled in the deployment\"\n }\n },\n \"SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database security Alert Policies configuration with email admin accounts\",\n \"description\": \"Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration\"\n }\n },\n \"SqlDbAuditingSettingsDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL database auditing settings\",\n \"description\": \"Deploy auditing settings to SQL Database when it not exist in the deployment\"\n }\n },\n \"SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database vulnerability Assessments\",\n \"description\": \"Deploy SQL Database vulnerability Assessments when it not exist in the deployment. To the specific storage account in the parameters\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"SqlDbTdeDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbTdeDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbSecurityAlertPoliciesDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbAuditingSettingsDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbAuditingSettingsDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbVulnerabilityAssessmentsDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments_20230706\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect')]\"\n },\n \"vulnerabilityAssessmentsEmail\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsStorageID')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#30": "{\n \"name\": \"Enforce-Guardrails-Network\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Network and Networking services\",\n \"description\": \"This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"subnetUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetServiceEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwWaf\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vnetModifyDdos\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Audit\",\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"ddosPlanResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"wafMode\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"wafFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGwRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"denyMgmtFromInternet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"denyMgmtFromInternetPorts\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Ports\",\n \"description\": \"Ports to be blocked\"\n },\n \"defaultValue\": [\n \"22\",\n \"3389\"\n ]\n },\n \"afwEnbaleTlsForAllAppRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableTlsInspection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEmptyIDPSBypassList\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableAllIDPSSignatureRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableIDPS\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafAfdEnabled\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vpnAzureAD\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\"\n },\n \"modifyUdrNextHopIpAddress\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"modifyUdrNextHopType\": {\n \"type\": \"string\",\n \"defaultValue\": \"None\"\n },\n \"modifyUdrAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"0.0.0.0/0\"\n },\n \"modifyNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleName\": {\n \"type\": \"string\",\n \"defaultValue\": \"DenyAnyInternetOutbound\"\n },\n \"modifyNsgRulePriority\": {\n \"type\": \"integer\",\n \"defaultValue\": 1000\n },\n \"modifyNsgRuleDirection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Outbound\"\n },\n \"modifyNsgRuleAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Allow\",\n \"Deny\"\n ]\n },\n \"modifyNsgRuleProtocol\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourceAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourcePortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDestinationAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"Internet\"\n },\n \"modifyNsgRuleDestinationPortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDescription\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny any outbound traffic to the Internet\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010\",\n \"policyDefinitionReferenceId\": \"Deny-Nsg-GW-subnet\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7\",\n \"policyDefinitionReferenceId\": \"Deny-VPN-AzureAD\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vpnAzureAD')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Afd-Enabled\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafAfdEnabled')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6484db87-a62d-4327-9f07-80a2cbdf333a\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-IDPS\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableIDPS')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/610b6183-5f00-4d68-86d2-4ab4cb3a67a5\",\n \"policyDefinitionReferenceId\": \"Deny-FW-AllIDPSS\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableAllIDPSSignatureRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f516dc7a-4543-4d40-aad6-98f76a706b50\",\n \"policyDefinitionReferenceId\": \"Deny-FW-EmpIDPSBypass\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEmptyIDPSBypassList')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/711c24bb-7f18-4578-b192-81a6161e1f17\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-Inspection\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableTlsInspection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-AllApp\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnbaleTlsForAllAppRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-AppGw-mode\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafModeAppGw')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeAppGwRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Fw-rules\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-mode\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafMode')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d\",\n \"policyDefinitionReferenceId\": \"Modify-vNet-DDoS\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vnetModifyDdos')]\"\n },\n \"ddosPlan\": {\n \"value\": \"[[parameters('ddosPlanResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900\",\n \"policyDefinitionReferenceId\": \"Deny-Ip-Forwarding\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114\",\n \"policyDefinitionReferenceId\": \"Deny-vNic-Pip\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Waf\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwWaf')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-Udr\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetUdr')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-NSG\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetNsg')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-with-Service-Endpoints\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetServiceEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet\",\n \"policyDefinitionReferenceId\": \"Deny-Mgmt-From-Internet\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('denyMgmtFromInternet')]\"\n },\n \"ports\": {\n \"value\": \"[[parameters('denyMgmtFromInternetPorts')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Tls\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-UDR\",\n \"policyDefinitionReferenceId\": \"Modify-Udr\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyUdr')]\"\n },\n \"nextHopIpAddress\": {\n \"value\": \"[[parameters('modifyUdrNextHopIpAddress')]\"\n },\n \"nextHopType\": {\n \"value\": \"[[parameters('modifyUdrNextHopType')]\"\n },\n \"addressPrefix\": {\n \"value\": \"[[parameters('modifyUdrAddressPrefix')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-NSG\",\n \"policyDefinitionReferenceId\": \"Modify-Nsg\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyNsg')]\"\n },\n \"nsgRuleName\": {\n \"value\": \"[[parameters('modifyNsgRuleName')]\"\n },\n \"nsgRulePriority\": {\n \"value\": \"[[parameters('modifyNsgRulePriority')]\"\n },\n \"nsgRuleDirection\": {\n \"value\": \"[[parameters('modifyNsgRuleDirection')]\"\n },\n \"nsgRuleAccess\": {\n \"value\": \"[[parameters('modifyNsgRuleAccess')]\"\n },\n \"nsgRuleProtocol\": {\n \"value\": \"[[parameters('modifyNsgRuleProtocol')]\"\n },\n \"nsgRuleSourceAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleSourceAddressPrefix')]\"\n },\n \"nsgRuleSourcePortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleSourcePortRange')]\"\n },\n \"nsgRuleDestinationAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationAddressPrefix')]\"\n },\n \"nsgRuleDestinationPortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationPortRange')]\"\n },\n \"nsgRuleDescription\": {\n \"value\": \"[[parameters('modifyNsgRuleDescription')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#31": "{\n \"name\": \"Enforce-Guardrails-OpenAI\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Open AI (Cognitive Service)\",\n \"description\": \"This policy initiative is a group of policies that ensures Open AI (Cognitive Service) is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Cognitive Services\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cognitiveServicesOutboundNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesNetworkAcls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesModifyDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesCustomerStorage\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"azureAiNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"azureAiPrivateLink\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"azureAiDisableLocalKey\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"azureAiDisableLocalKey2\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"azureAiDiagSettings\": {\n \"type\": \"string\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-RestrictOutboundNetworkAccess\",\n \"policyDefinitionReferenceId\": \"Deny-OpenAi-OutboundNetworkAccess\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesOutboundNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-NetworkAcls\",\n \"policyDefinitionReferenceId\": \"Deny-OpenAi-NetworkAcls\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesNetworkAcls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Managed-Identity\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/71ef260a-8f18-47b7-abcb-62d0673d94dc\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesDisableLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/46aa9b05-0e60-4eae-a88b-1e9d374fa515\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Cust-Storage\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesCustomerStorage')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555\",\n \"policyDefinitionReferenceId\": \"Modify-Cognitive-Services-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesModifyDisableLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3\",\n \"policyDefinitionReferenceId\": \"Deny-AzureAI-Network-Access\",\n \"definitionVersion\": \"3.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('azureAiNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6759c02-b87f-42b7-892e-71b3f471d782\",\n \"policyDefinitionReferenceId\": \"Audit-AzureAI-Private-Link\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('azureAiPrivateLink')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d45520cb-31ca-44ba-8da2-fcf914608544\",\n \"policyDefinitionReferenceId\": \"Dine-AzureAI-Local-Key\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('azureAiDisableLocalKey')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55eff01b-f2bd-4c32-9203-db285f709d30\",\n \"policyDefinitionReferenceId\": \"Dine-AzureAI-Local-Key2\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('azureAiDisableLocalKey2')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b4d1c4e-934c-4703-944c-27c82c06bebb\",\n \"policyDefinitionReferenceId\": \"Aine-AzureAI-Diag-Settings\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('azureAiDiagSettings')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#32": "{\n \"name\": \"Enforce-Guardrails-PostgreSQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for PostgreSQL\",\n \"description\": \"This policy initiative is a group of policies that ensures PostgreSQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"PostgreSQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"postgreSqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/db048e65-913c-49f9-bb5f-1084184671d3\",\n \"policyDefinitionReferenceId\": \"Dine-PostgreSql-Adv-Threat-Protection\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('postgreSqlAdvThreatProtection')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#33": "{\n \"name\": \"Enforce-Guardrails-ServiceBus\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Service Bus\",\n \"description\": \"This policy initiative is a group of policies that ensures Service Bus is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Service Bus\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"serviceBusModifyDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"serviceBusDenyDisabledLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusAuthzRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-Authz-Rules\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusAuthzRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ebaf4f25-a4e8-415f-86a8-42d9155bef0b\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-Encryption\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfb11c26-f069-4c14-8e36-56c394dae5af\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-LocalAuth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDenyDisabledLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/910711a6-8aa2-4f15-ae62-1e5b2ed3ef9e\",\n \"policyDefinitionReferenceId\": \"Modify-Sb-LocalAuth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusModifyDisableLocalAuth')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#34": "{\n \"name\": \"Enforce-Guardrails-SQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for SQL and SQL Managed Instance\",\n \"description\": \"This policy initiative is a group of policies that ensures SQL and SQL Managed Instance is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"sqlManagedAadOnly\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlAadOnly\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedDefender\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"modifySqlPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c5a62eb0-c65a-4220-8a4d-f70dd4ca95dd\",\n \"policyDefinitionReferenceId\": \"Dine-Sql-Managed-Defender\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedDefender')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/abda6d70-9778-44e7-84a8-06713e6db027\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Aad-Only\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlAadOnly')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/78215662-041e-49ed-a9dd-5385911b3a1f\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Aad-Only\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedAadOnly')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6\",\n \"policyDefinitionReferenceId\": \"Dine-Sql-Adv-Data\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/28b0b1e5-17ba-4963-a7a4-5a1ab4400a0b\",\n \"policyDefinitionReferenceId\": \"Modify-Sql-PublicNetworkAccess\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifySqlPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#35": "{\n \"name\": \"Enforce-Guardrails-Storage\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Storage Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Storage is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"storageKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountRestrictNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"storageClassicToArm\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountSharedKey\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCrossTenant\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsAllowedCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"AAD\"\n },\n \"storageServicesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageLocalUser\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageSftp\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsBypass\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAllowedNetworkAclsBypass\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"None\"\n ]\n },\n \"storageResourceAccessRulesTenantId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageResourceAccessRulesResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsVirtualNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageContainerDeleteRetentionPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageMinContainerDeleteRetentionInDays\": {\n \"type\": \"Integer\",\n \"defaultValue\": 7\n },\n \"storageCorsRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyStorageFileSyncPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyStorageAccountPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"storageAccountsModifyDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CopyScope\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCopyScope')]\"\n },\n \"allowedCopyScope\": {\n \"value\": \"[[parameters('storageAccountsAllowedCopyScope')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ServicesEncryption\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageServicesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-LocalUser\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageLocalUser')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-SFTP\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-SFTP\",\n\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageSftp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsBypass\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsBypass')]\"\n },\n \"allowedBypassOptions\": {\n \"value\": \"[[parameters('storageAllowedNetworkAclsBypass')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesTenantId\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesTenantId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesResourceId\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsVirtualNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageContainerDeleteRetentionPolicy')]\"\n },\n \"minContainerDeleteRetentionInDays\": {\n \"value\": \"[[parameters('storageMinContainerDeleteRetentionInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CorsRules\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageCorsRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfecdea6-31c4-4045-ad42-71b9dc87247d\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Encryption\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92a89a79-6c52-4a7e-a03f-61306fc49312\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Cross-Tenant\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCrossTenant')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Shared-Key\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountSharedKey')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Infra-Encryption\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsInfraEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Classic\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageClassicToArm')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c\",\n \"policyDefinitionReferenceId\": \"Dine-Storage-Threat-Protection\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Restrict-NetworkRules\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountRestrictNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkRules\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Keys-Expire\",\n \"definitionVersion\": \"3.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e07b2e9-6cd9-4c40-9ccb-52817b95133b\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-FileSync-PublicEndpoint\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageFileSyncPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b\",\n \"policyDefinitionReferenceId\": \"Modify-Blob-Storage-Account-PublicEndpoint\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageAccountPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a06d0189-92e8-4dba-b0c4-08d7669fce7d\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-Account-PublicEndpoint\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsModifyDisablePublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#36": "{\n \"name\": \"Enforce-Guardrails-Synapse\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Synapse workspaces\",\n \"description\": \"This policy initiative is a group of policies that ensures Synapse workspaces is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Synapse\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"synapseLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseManagedVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseDataTraffic\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTenants\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseAllowedTenantIds\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"[[subscription().tenantId]\"\n ]\n },\n \"synapseFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"synapseModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"synapseDefender\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"synapseModifyTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"synapseModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/951c1558-50a5-4ca3-abb6-a93e3e2367a6\",\n \"policyDefinitionReferenceId\": \"Dine-Synapse-Defender\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseDefender')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c3624673-d2ff-48e0-b28c-5de1c6767c3c\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/56fd377d-098c-4f02-8406-81eb055902b8\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Fw-Rules\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3a003702-13d2-4679-941b-937e58c443f0\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tenant-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTenants')]\"\n },\n \"allowedTenantIds\": {\n \"value\": \"[[parameters('synapseAllowedTenantIds')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3484ce98-c0c5-4c83-994b-c5ac24785218\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Data-Traffic\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseDataTraffic')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2d9dbfa3-927b-4cf0-9d0f-08747f971650\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Managed-Vnet\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseManagedVnet')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2158ddbe-fefa-408e-b43f-d4faef8ff3b8\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8b5c654c-fb07-471b-aa8f-15fea733f140\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Tls-Version\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5c8cad01-ef30-4891-b230-652dadb4876a\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#37": "{\n \"name\": \"Enforce-Guardrails-VirtualDesktop\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Virtual Desktop\",\n \"description\": \"This policy initiative is a group of policies that ensures Virtual Desktop is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Desktop Virtualization\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"avdWorkspaceModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"avdHostPoolModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ce6ebf1d-0b94-4df9-9257-d8cacc238b4f\",\n \"policyDefinitionReferenceId\": \"Modify-Workspace-PublicNetworkAccess\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdWorkspaceModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a0913ff-51e7-47b8-97bb-ea17127f7c8d\",\n \"policyDefinitionReferenceId\": \"Modify-Hostpool-PublicNetworkAccess\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdHostPoolModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#20": "{\n \"name\": \"Enforce-Guardrails-ContainerRegistry\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2023-04-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Registry\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Container Registry\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerRegistryUnrestrictedNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryRepositoryToken\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyRepositoryToken\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistryLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistryExports\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryAnAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyAnAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistrySkuPrivateLink\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryArmAudience\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyArmAudience\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/79fdfe03-ffcb-4e55-b4d0-b925b8241759\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a9b426fe-8856-4945-8600-18c5dd1cca2a\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Repo-Token\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyRepositoryToken')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/42781ec6-6127-4c30-bdfa-fb423a0047d3\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Arm-Audience\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryArmAudience')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/785596ed-054f-41bc-aaec-7f3d0ba05725\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Arm-Audience\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyArmAudience')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd560fc0-3c69-498a-ae9f-aa8eb7de0e13\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Sku-PrivateLink\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistrySkuPrivateLink')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cced2946-b08a-44fe-9fd9-e4ed8a779897\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Anonymous-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyAnAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9f2dea28-e834-476c-99c5-3507b4728395\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Anonymous-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryAnAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/524b0254-c285-4903-bee6-bb8126cde579\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Exports\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryExports')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc921057-6b28-4fbe-9b83-f7bec05db6c2\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff05e24e-195c-447e-b322-5e90c9f9f366\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Repo-Token\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryRepositoryToken')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Unrestricted-Network-Access\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryUnrestrictedNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a3701552-92ea-433e-9d17-33b7f1208fc9\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#21": "{\n \"name\": \"Enforce-Guardrails-CosmosDb\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2023-04-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cosmos DB\",\n \"description\": \"This policy initiative is a group of policies that ensures Cosmos DB is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Cosmos DB\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cosmosDbLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbAtp\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc2d41d1-4ab1-4666-a3e1-3d51c43e0049\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b5f04e03-92a3-4b09-9410-2cc5e5047656\",\n \"policyDefinitionReferenceId\": \"Dine-CosmosDb-Atp\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbAtp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Fw-Rules\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5\",\n \"policyDefinitionReferenceId\": \"Append-CosmosDb-Metadata\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da69ba51-aaf1-41e5-8651-607cd0b37088\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyPublicAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#22": "{\n \"name\": \"Enforce-Guardrails-DataExplorer\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2023-04-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Data Explorer\",\n \"description\": \"This policy initiative is a group of policies that ensures Data Explorer is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Azure Data Explorer\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"adxEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxSku\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1fec9658-933f-4b3e-bc95-913ed22d012b\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Sku-without-PL-Support\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxSku')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Double-Encryption\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f4b53539-8df9-40e4-86c6-6b607703bd4e\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Encryption\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7b32f193-cb28-4e15-9a98-b9556db0bafa\",\n \"policyDefinitionReferenceId\": \"Modify-ADX-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#23": "{\n \"name\": \"Enforce-Guardrails-DataFactory\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2023-04-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Data Factory\",\n \"description\": \"This policy initiative is a group of policies that ensures Data Factory is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Data Factory\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"adfSqlIntegration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfLinkedServiceKeyVault\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfGit\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f78ccdb4-7bf4-4106-8647-270491d2978a\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Managed-Identity\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/77d40665-3120-4348-b539-3192ec808307\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Git\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfGit')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/127ef6d7-242f-43b3-9eef-947faf1725d0\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Linked-Service-Key-Vault\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfLinkedServiceKeyVault')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0088bc63-6dee-4a9c-9d29-91cfdc848952\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Sql-Integration\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfSqlIntegration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08b1442b-7789-4130-8506-4f99a97226a7\",\n \"policyDefinitionReferenceId\": \"Modify-Adf-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#24": "{\n \"name\": \"Enforce-Guardrails-EventGrid\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2023-04-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Event Grid\",\n \"description\": \"This policy initiative is a group of policies that ensures Event Grid is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Event Grid\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"eventGridLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridPartnerNamespaceLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridPartnerNamespaceModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridDomainModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridDomainModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2dd0e8b9-4289-4bb0-b813-1883298e9924\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Partner-Namespace-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridPartnerNamespaceModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8ac2748f-3bf1-4c02-a3b6-92ae68cf75b1\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Domain-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridDomainModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae9fb87f-8a17-4428-94a4-8135d431055c\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Topic-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c8144d9-746a-4501-b08c-093c8d29ad04\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Topic-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8632b003-3545-4b29-85e6-b2b96773df1e\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Partner-Namespace-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridPartnerNamespaceLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8bfadddb-ee1c-4639-8911-a38cb8e0b3bd\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/898e9824-104c-4965-8e0e-5197588fa5d4\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Domain-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridDomainModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/36ea4b4b-0f7f-4a54-89fa-ab18f555a172\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Topic-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#25": "{\n \"name\": \"Enforce-Guardrails-EventHub\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2023-04-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Event Hub\",\n \"description\": \"This policy initiative is a group of policies that ensures Event Hub is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Event Hub\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"eventHubAuthRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/836cd60e-87f3-4e6a-a27c-29d687f01a4c\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Double-Encryption\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/57f35901-8389-40bb-ac49-3ba4f86d889d\",\n \"policyDefinitionReferenceId\": \"Modify-EH-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5d4e3c65-4873-47be-94f3-6f8b953a3598\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b278e460-7cfc-4451-8294-cccc40a940d7\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Auth-Rules\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubAuthRules')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#26": "{\n \"name\": \"Enforce-Guardrails-KeyVault-Sup\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2023-04-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce additional recommended guardrails for Key Vault\",\n \"description\": \"This policy initiative is a group of policies that ensures Key Vault is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"keyVaultManagedHsmDisablePublicNetworkModify\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"keyVaultModifyFw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/84d327c3-164a-4685-b453-900478614456\",\n \"policyDefinitionReferenceId\": \"Modify-KV-PublicNetworkAccess\",\n \"definitionVersion\": \"2.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmDisablePublicNetworkModify')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01dc\",\n \"policyDefinitionReferenceId\": \"Modify-KV-Fw\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultModifyFw')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#27": "{\n \"name\": \"Enforce-Guardrails-Kubernetes\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2023-04-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Kubernetes\",\n \"description\": \"This policy initiative is a group of policies that ensures Kubernetes is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Kubernetes\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"aksKms\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"aksCni\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"aksLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPrivateCluster\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"aksCommandInvoke\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"aksReadinessOrLivenessProbes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPrivContainers\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"aksPrivEscalation\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"aksAllowedCapabilities\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"aksTempDisk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksInternalLb\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"aksDefaultNamespace\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"aksNakedPods\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksShareHostProcessAndNamespace\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"aksWindowsContainerAdministrator\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5485eac0-7e8f-4964-998b-a44f4f0c1e75\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Windows-Container-Administrator\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksWindowsContainerAdministrator')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Shared-Host-Process-Namespace\",\n \"definitionVersion\": \"5.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksShareHostProcessAndNamespace')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/65280eef-c8b4-425e-9aec-af55e55bf581\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Naked-Pods\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksNakedPods')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9f061a12-e40d-4183-a00e-171812443373\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Default-Namespace\",\n \"definitionVersion\": \"4.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksDefaultNamespace')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Internal-Lb\",\n \"definitionVersion\": \"8.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksInternalLb')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/41425d9f-d1a5-499a-9932-f8ed8453932c\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Temp-Disk-Encryption\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksTempDisk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Allowed-Capabilities\",\n \"definitionVersion\": \"6.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksAllowedCapabilities')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Priv-Escalation\",\n \"definitionVersion\": \"7.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPrivEscalation')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Priv-Containers\",\n \"definitionVersion\": \"9.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPrivContainers')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b1a9997f-2883-4f12-bdff-2280f99b5915\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-ReadinessOrLiveness-Probes\",\n \"definitionVersion\": \"3.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksReadinessOrLivenessProbes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b708b0a-3380-40e9-8b79-821f9fa224cc\",\n \"policyDefinitionReferenceId\": \"Dine-Aks-Command-Invoke\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksCommandInvoke')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n \"policyDefinitionReferenceId\": \"Dine-Aks-Policy\",\n \"definitionVersion\": \"4.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPolicy')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Private-Cluster\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPrivateCluster')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/993c2fcd-2b29-49d2-9eb0-df2c3a730c32\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dbbdc317-9734-4dd8-9074-993b29c69008\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Kms\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksKms')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/46238e2f-3f6f-4589-9f3f-77bed4116e67\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Cni\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksCni')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#28": "{\n \"name\": \"Enforce-Guardrails-MachineLearning\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2023-04-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Machine Learning\",\n \"description\": \"This policy initiative is a group of policies that ensures Machine Learning is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"mlUserAssignedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"mlLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlOutdatedOS\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"mlModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"mlIdleShutdown\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlVirtualNetwork\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"mlLegacyMode\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlPrivateLink\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"mlResourceLogs\": {\n \"type\": \"string\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"mlAllowedRegistryDeploy\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlAllowedModule\": {\n \"type\": \"string\",\n \"defaultValue\": \"enforceSetting\",\n \"allowedValues\": [\n \"enforceSetting\",\n \"disabled\"\n ]\n },\n \"mlAllowedPython\": {\n \"type\": \"string\",\n \"defaultValue\": \"enforceSetting\",\n \"allowedValues\": [\n \"enforceSetting\",\n \"disabled\"\n ]\n },\n \"mlAllowedRegistries\": {\n \"type\": \"string\",\n \"defaultValue\": \"enforceSetting\",\n \"allowedValues\": [\n \"enforceSetting\",\n \"disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f110a506-2dcb-422e-bcea-d533fc8c35e2\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Outdated-Os\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effects\": {\n \"value\": \"[[parameters('mlOutdatedOS')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Local-Auth\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a6f9a2d0-cff7-4855-83ad-4cd750666512\",\n \"policyDefinitionReferenceId\": \"Modify-ML-Local-Auth\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f0c7d88-c7de-45b8-ac49-db49e72eaa78\",\n \"policyDefinitionReferenceId\": \"Deny-ML-User-Assigned-Identity\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlUserAssignedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a10ee784-7409-4941-b091-663697637c0f\",\n \"policyDefinitionReferenceId\": \"Modify-ML-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/679ddf89-ab8f-48a5-9029-e76054077449\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Idle-Shutdown\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlIdleShutdown')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7804b5c7-01dc-4723-969b-ae300cc07ff1\",\n \"policyDefinitionReferenceId\": \"Audit-ML-Virtual-Network\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlVirtualNetwork')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e413671a-dd10-4cc1-a943-45b598596cb7\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Legacy-Mode\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlLegacyMode')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/45e05259-1eb5-4f70-9574-baf73e9d219b\",\n \"policyDefinitionReferenceId\": \"Audit-ML-Private-Link\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlPrivateLink')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/afe0c3be-ba3b-4544-ba52-0c99672a8ad6\",\n \"policyDefinitionReferenceId\": \"Aine-ML-Resource-Logs\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlResourceLogs')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/19539b54-c61e-4196-9a38-67598701be90\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Allowed-Registry-Deploy\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlAllowedRegistryDeploy')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/53c70b02-63dd-11ea-bc55-0242ac130003\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Allowed-Module\",\n \"definitionVersion\": \"6.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlAllowedModule')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/77eeea86-7e81-4a7d-9067-de844d096752\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Allowed-Python\",\n \"definitionVersion\": \"5.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlAllowedPython')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5853517a-63de-11ea-bc55-0242ac130003\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Allowed-Registries\",\n \"definitionVersion\": \"6.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlAllowedRegistries')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#29": "{\n \"name\": \"Enforce-Guardrails-MySQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2023-04-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for MySQL\",\n \"description\": \"This policy initiative is a group of policies that ensures MySQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"MySQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"mySqlInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mySqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816\",\n \"policyDefinitionReferenceId\": \"Dine-MySql-Adv-Threat-Protection\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlAdvThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3a58212a-c829-4f13-9872-6371df2fd0b4\",\n \"policyDefinitionReferenceId\": \"Deny-MySql-Infra-Encryption\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlInfraEncryption')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#3": "{\n \"name\": \"Deploy-Sql-Security_20240529\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2023-04-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy SQL Database built-in SQL security configuration\",\n \"description\": \"Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Deploy-Sql-Security\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"vulnerabilityAssessmentsEmail\": {\n \"metadata\": {\n \"description\": \"The email address to send alerts\",\n \"displayName\": \"The email address to send alerts\"\n },\n \"type\": \"Array\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"metadata\": {\n \"description\": \"The storage account ID to store assessments\",\n \"displayName\": \"The storage account ID to store assessments\"\n },\n \"type\": \"String\"\n },\n \"SqlDbTdeDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database Transparent Data Encryption \",\n \"description\": \"Deploy the Transparent Data Encryption when it is not enabled in the deployment\"\n }\n },\n \"SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database security Alert Policies configuration with email admin accounts\",\n \"description\": \"Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration\"\n }\n },\n \"SqlDbAuditingSettingsDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL database auditing settings\",\n \"description\": \"Deploy auditing settings to SQL Database when it not exist in the deployment\"\n }\n },\n \"SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database vulnerability Assessments\",\n \"description\": \"Deploy SQL Database vulnerability Assessments when it not exist in the deployment. To the specific storage account in the parameters\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"SqlDbTdeDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbTdeDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbSecurityAlertPoliciesDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbAuditingSettingsDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbAuditingSettingsDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbVulnerabilityAssessmentsDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments_20230706\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect')]\"\n },\n \"vulnerabilityAssessmentsEmail\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsStorageID')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#30": "{\n \"name\": \"Enforce-Guardrails-Network\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2023-04-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Network and Networking services\",\n \"description\": \"This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"subnetUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetServiceEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwWaf\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vnetModifyDdos\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Audit\",\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"ddosPlanResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"wafMode\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"wafFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGwRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"denyMgmtFromInternet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"denyMgmtFromInternetPorts\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Ports\",\n \"description\": \"Ports to be blocked\"\n },\n \"defaultValue\": [\n \"22\",\n \"3389\"\n ]\n },\n \"afwEnbaleTlsForAllAppRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableTlsInspection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEmptyIDPSBypassList\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableAllIDPSSignatureRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableIDPS\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafAfdEnabled\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vpnAzureAD\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\"\n },\n \"modifyUdrNextHopIpAddress\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"modifyUdrNextHopType\": {\n \"type\": \"string\",\n \"defaultValue\": \"None\"\n },\n \"modifyUdrAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"0.0.0.0/0\"\n },\n \"modifyNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleName\": {\n \"type\": \"string\",\n \"defaultValue\": \"DenyAnyInternetOutbound\"\n },\n \"modifyNsgRulePriority\": {\n \"type\": \"integer\",\n \"defaultValue\": 1000\n },\n \"modifyNsgRuleDirection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Outbound\"\n },\n \"modifyNsgRuleAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Allow\",\n \"Deny\"\n ]\n },\n \"modifyNsgRuleProtocol\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourceAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourcePortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDestinationAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"Internet\"\n },\n \"modifyNsgRuleDestinationPortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDescription\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny any outbound traffic to the Internet\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010\",\n \"policyDefinitionReferenceId\": \"Deny-Nsg-GW-subnet\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7\",\n \"policyDefinitionReferenceId\": \"Deny-VPN-AzureAD\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vpnAzureAD')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Afd-Enabled\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafAfdEnabled')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6484db87-a62d-4327-9f07-80a2cbdf333a\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-IDPS\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableIDPS')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/610b6183-5f00-4d68-86d2-4ab4cb3a67a5\",\n \"policyDefinitionReferenceId\": \"Deny-FW-AllIDPSS\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableAllIDPSSignatureRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f516dc7a-4543-4d40-aad6-98f76a706b50\",\n \"policyDefinitionReferenceId\": \"Deny-FW-EmpIDPSBypass\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEmptyIDPSBypassList')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/711c24bb-7f18-4578-b192-81a6161e1f17\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-Inspection\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableTlsInspection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-AllApp\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnbaleTlsForAllAppRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-AppGw-mode\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafModeAppGw')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeAppGwRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Fw-rules\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-mode\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafMode')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d\",\n \"policyDefinitionReferenceId\": \"Modify-vNet-DDoS\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vnetModifyDdos')]\"\n },\n \"ddosPlan\": {\n \"value\": \"[[parameters('ddosPlanResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900\",\n \"policyDefinitionReferenceId\": \"Deny-Ip-Forwarding\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114\",\n \"policyDefinitionReferenceId\": \"Deny-vNic-Pip\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Waf\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwWaf')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-Udr\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetUdr')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-NSG\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetNsg')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-with-Service-Endpoints\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetServiceEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet\",\n \"policyDefinitionReferenceId\": \"Deny-Mgmt-From-Internet\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('denyMgmtFromInternet')]\"\n },\n \"ports\": {\n \"value\": \"[[parameters('denyMgmtFromInternetPorts')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Tls\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-UDR\",\n \"policyDefinitionReferenceId\": \"Modify-Udr\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyUdr')]\"\n },\n \"nextHopIpAddress\": {\n \"value\": \"[[parameters('modifyUdrNextHopIpAddress')]\"\n },\n \"nextHopType\": {\n \"value\": \"[[parameters('modifyUdrNextHopType')]\"\n },\n \"addressPrefix\": {\n \"value\": \"[[parameters('modifyUdrAddressPrefix')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-NSG\",\n \"policyDefinitionReferenceId\": \"Modify-Nsg\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyNsg')]\"\n },\n \"nsgRuleName\": {\n \"value\": \"[[parameters('modifyNsgRuleName')]\"\n },\n \"nsgRulePriority\": {\n \"value\": \"[[parameters('modifyNsgRulePriority')]\"\n },\n \"nsgRuleDirection\": {\n \"value\": \"[[parameters('modifyNsgRuleDirection')]\"\n },\n \"nsgRuleAccess\": {\n \"value\": \"[[parameters('modifyNsgRuleAccess')]\"\n },\n \"nsgRuleProtocol\": {\n \"value\": \"[[parameters('modifyNsgRuleProtocol')]\"\n },\n \"nsgRuleSourceAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleSourceAddressPrefix')]\"\n },\n \"nsgRuleSourcePortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleSourcePortRange')]\"\n },\n \"nsgRuleDestinationAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationAddressPrefix')]\"\n },\n \"nsgRuleDestinationPortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationPortRange')]\"\n },\n \"nsgRuleDescription\": {\n \"value\": \"[[parameters('modifyNsgRuleDescription')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#31": "{\n \"name\": \"Enforce-Guardrails-OpenAI\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2023-04-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Open AI (Cognitive Service)\",\n \"description\": \"This policy initiative is a group of policies that ensures Open AI (Cognitive Service) is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Cognitive Services\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cognitiveServicesOutboundNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesNetworkAcls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesModifyDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesCustomerStorage\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"azureAiNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"azureAiPrivateLink\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"azureAiDisableLocalKey\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"azureAiDisableLocalKey2\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"azureAiDiagSettings\": {\n \"type\": \"string\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-RestrictOutboundNetworkAccess\",\n \"policyDefinitionReferenceId\": \"Deny-OpenAi-OutboundNetworkAccess\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesOutboundNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-NetworkAcls\",\n \"policyDefinitionReferenceId\": \"Deny-OpenAi-NetworkAcls\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesNetworkAcls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Managed-Identity\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/71ef260a-8f18-47b7-abcb-62d0673d94dc\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesDisableLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/46aa9b05-0e60-4eae-a88b-1e9d374fa515\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Cust-Storage\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesCustomerStorage')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555\",\n \"policyDefinitionReferenceId\": \"Modify-Cognitive-Services-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesModifyDisableLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3\",\n \"policyDefinitionReferenceId\": \"Deny-AzureAI-Network-Access\",\n \"definitionVersion\": \"3.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('azureAiNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6759c02-b87f-42b7-892e-71b3f471d782\",\n \"policyDefinitionReferenceId\": \"Audit-AzureAI-Private-Link\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('azureAiPrivateLink')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d45520cb-31ca-44ba-8da2-fcf914608544\",\n \"policyDefinitionReferenceId\": \"Dine-AzureAI-Local-Key\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('azureAiDisableLocalKey')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55eff01b-f2bd-4c32-9203-db285f709d30\",\n \"policyDefinitionReferenceId\": \"Dine-AzureAI-Local-Key2\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('azureAiDisableLocalKey2')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b4d1c4e-934c-4703-944c-27c82c06bebb\",\n \"policyDefinitionReferenceId\": \"Aine-AzureAI-Diag-Settings\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('azureAiDiagSettings')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#32": "{\n \"name\": \"Enforce-Guardrails-PostgreSQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2023-04-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for PostgreSQL\",\n \"description\": \"This policy initiative is a group of policies that ensures PostgreSQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"PostgreSQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"postgreSqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/db048e65-913c-49f9-bb5f-1084184671d3\",\n \"policyDefinitionReferenceId\": \"Dine-PostgreSql-Adv-Threat-Protection\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('postgreSqlAdvThreatProtection')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#33": "{\n \"name\": \"Enforce-Guardrails-ServiceBus\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2023-04-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Service Bus\",\n \"description\": \"This policy initiative is a group of policies that ensures Service Bus is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Service Bus\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"serviceBusModifyDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"serviceBusDenyDisabledLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusAuthzRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-Authz-Rules\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusAuthzRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ebaf4f25-a4e8-415f-86a8-42d9155bef0b\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-Encryption\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfb11c26-f069-4c14-8e36-56c394dae5af\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-LocalAuth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDenyDisabledLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/910711a6-8aa2-4f15-ae62-1e5b2ed3ef9e\",\n \"policyDefinitionReferenceId\": \"Modify-Sb-LocalAuth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusModifyDisableLocalAuth')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#34": "{\n \"name\": \"Enforce-Guardrails-SQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2023-04-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for SQL and SQL Managed Instance\",\n \"description\": \"This policy initiative is a group of policies that ensures SQL and SQL Managed Instance is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"sqlManagedAadOnly\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlAadOnly\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedDefender\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"modifySqlPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c5a62eb0-c65a-4220-8a4d-f70dd4ca95dd\",\n \"policyDefinitionReferenceId\": \"Dine-Sql-Managed-Defender\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedDefender')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/abda6d70-9778-44e7-84a8-06713e6db027\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Aad-Only\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlAadOnly')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/78215662-041e-49ed-a9dd-5385911b3a1f\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Aad-Only\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedAadOnly')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6\",\n \"policyDefinitionReferenceId\": \"Dine-Sql-Adv-Data\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/28b0b1e5-17ba-4963-a7a4-5a1ab4400a0b\",\n \"policyDefinitionReferenceId\": \"Modify-Sql-PublicNetworkAccess\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifySqlPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#35": "{\n \"name\": \"Enforce-Guardrails-Storage\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2023-04-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Storage Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Storage is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"storageKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountRestrictNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"storageClassicToArm\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountSharedKey\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCrossTenant\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsAllowedCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"AAD\"\n },\n \"storageServicesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageLocalUser\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageSftp\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsBypass\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAllowedNetworkAclsBypass\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"None\"\n ]\n },\n \"storageResourceAccessRulesTenantId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageResourceAccessRulesResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsVirtualNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageContainerDeleteRetentionPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageMinContainerDeleteRetentionInDays\": {\n \"type\": \"Integer\",\n \"defaultValue\": 7\n },\n \"storageCorsRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyStorageFileSyncPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyStorageAccountPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"storageAccountsModifyDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CopyScope\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCopyScope')]\"\n },\n \"allowedCopyScope\": {\n \"value\": \"[[parameters('storageAccountsAllowedCopyScope')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ServicesEncryption\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageServicesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-LocalUser\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageLocalUser')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-SFTP\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-SFTP\",\n\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageSftp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsBypass\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsBypass')]\"\n },\n \"allowedBypassOptions\": {\n \"value\": \"[[parameters('storageAllowedNetworkAclsBypass')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesTenantId\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesTenantId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesResourceId\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsVirtualNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageContainerDeleteRetentionPolicy')]\"\n },\n \"minContainerDeleteRetentionInDays\": {\n \"value\": \"[[parameters('storageMinContainerDeleteRetentionInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CorsRules\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageCorsRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfecdea6-31c4-4045-ad42-71b9dc87247d\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Encryption\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92a89a79-6c52-4a7e-a03f-61306fc49312\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Cross-Tenant\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCrossTenant')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Shared-Key\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountSharedKey')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Infra-Encryption\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsInfraEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Classic\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageClassicToArm')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c\",\n \"policyDefinitionReferenceId\": \"Dine-Storage-Threat-Protection\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Restrict-NetworkRules\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountRestrictNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkRules\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Keys-Expire\",\n \"definitionVersion\": \"3.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e07b2e9-6cd9-4c40-9ccb-52817b95133b\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-FileSync-PublicEndpoint\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageFileSyncPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b\",\n \"policyDefinitionReferenceId\": \"Modify-Blob-Storage-Account-PublicEndpoint\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageAccountPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a06d0189-92e8-4dba-b0c4-08d7669fce7d\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-Account-PublicEndpoint\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsModifyDisablePublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#36": "{\n \"name\": \"Enforce-Guardrails-Synapse\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2023-04-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Synapse workspaces\",\n \"description\": \"This policy initiative is a group of policies that ensures Synapse workspaces is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Synapse\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"synapseLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseManagedVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseDataTraffic\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTenants\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseAllowedTenantIds\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"[[subscription().tenantId]\"\n ]\n },\n \"synapseFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"synapseModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"synapseDefender\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"synapseModifyTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"synapseModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/951c1558-50a5-4ca3-abb6-a93e3e2367a6\",\n \"policyDefinitionReferenceId\": \"Dine-Synapse-Defender\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseDefender')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c3624673-d2ff-48e0-b28c-5de1c6767c3c\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/56fd377d-098c-4f02-8406-81eb055902b8\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Fw-Rules\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3a003702-13d2-4679-941b-937e58c443f0\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tenant-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTenants')]\"\n },\n \"allowedTenantIds\": {\n \"value\": \"[[parameters('synapseAllowedTenantIds')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3484ce98-c0c5-4c83-994b-c5ac24785218\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Data-Traffic\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseDataTraffic')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2d9dbfa3-927b-4cf0-9d0f-08747f971650\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Managed-Vnet\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseManagedVnet')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2158ddbe-fefa-408e-b43f-d4faef8ff3b8\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8b5c654c-fb07-471b-aa8f-15fea733f140\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Tls-Version\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5c8cad01-ef30-4891-b230-652dadb4876a\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#37": "{\n \"name\": \"Enforce-Guardrails-VirtualDesktop\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2023-04-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Virtual Desktop\",\n \"description\": \"This policy initiative is a group of policies that ensures Virtual Desktop is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Desktop Virtualization\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"avdWorkspaceModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"avdHostPoolModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ce6ebf1d-0b94-4df9-9257-d8cacc238b4f\",\n \"policyDefinitionReferenceId\": \"Modify-Workspace-PublicNetworkAccess\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdWorkspaceModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a0913ff-51e7-47b8-97bb-ea17127f7c8d\",\n \"policyDefinitionReferenceId\": \"Modify-Hostpool-PublicNetworkAccess\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdHostPoolModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#38": "{\n \"name\": \"Deny-PublicPaaSEndpoints\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"5.2.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registries with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"PostgreSQLFlexPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for PostgreSql Flexible Server\",\n \"description\": \"This policy denies creation of PostgreSQL Flexible DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"postgreSqlPublicNetworkAccess\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for PostgreSQL servers\",\n \"description\": \"This policy denies creation of PostgreSQL DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MySQLFlexPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for MySQL Flexible Server\",\n \"description\": \"This policy denies creation of MySql Flexible Server DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MariaDbPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MlPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Machine Learning\",\n \"description\": \"This policy denies creation of Azure Machine Learning with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"RedisCachePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Cache for Redis\",\n \"description\": \"This policy denies creation of Azure Cache for Redis with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BotServicePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Bot Service\",\n \"description\": \"This policy denies creation of Bot Service with exposed public endpoints. Bots should be set to 'isolated only' mode\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AutomationPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Automation accounts\",\n \"description\": \"This policy denies creation of Automation accounts with exposed public endpoints. Bots should be set to 'isolated only' mode\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AppConfigPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for App Configuration\",\n \"description\": \"This policy denies creation of App Configuration with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"FunctionPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Function apps\",\n \"description\": \"This policy denies creation of Function apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"FunctionAppSlotPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Function apps\",\n \"description\": \"This policy denies creation of Function apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AsePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for App Service Environment apps\",\n \"description\": \"This policy denies creation of App Service Environment apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AsPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for App Service apps\",\n \"description\": \"This policy denies creation of App Service apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ApiManPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for API Management services\",\n \"description\": \"This policy denies creation of API Management services with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"AuditIfNotExists\"\n },\n \"ContainerAppsEnvironmentDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Container Apps environment should disable public network access\",\n \"description\": \"This policy denies creation of Container Apps Environment with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AsrVaultDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Azure Recovery Services vaults should disable public network access\",\n \"description\": \"This policy denies creation of Azure Recovery Services vaults with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"logicAppPublicNetworkAccessEffect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"appSlotsPublicNetworkAccess\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"cognitiveSearchPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"managedDiskPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"containerAppsPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultManagedHsmDisablePublicNetwork\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mySqlPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapsePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"avdHostPoolPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"avdWorkspacePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"grafanaPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/405c5871-3e91-4644-8a63-58e19d68ff5b\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b2982f36-99f2-4db5-8eff-283140c09693\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLFlexDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48\",\n \"definitionVersion\": \"3.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLFlexPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Deny-PostgreSql-Public-Network-Access\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b52376f7-9612-48a1-81cd-1ffe4b61032c\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('postgreSqlPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLFlexDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLFlexPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/438c38d2-3772-465a-a9cc-7a6666a275ce\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MlPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/470baccb-7e51-4549-8b1a-3e5be069f663\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisCachePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BotServiceDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e8168db-69e3-4beb-9822-57cb59202a9d\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BotServicePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/955a914f-bf86-4f0e-acd5-e0766b0efcb6\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AutomationPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppConfigDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3d9f5e4c-9947-4579-9539-2a7695fbc187\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppConfigPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/969ac98b-88a8-449f-883c-2e9adb123127\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppSlotsDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/11c82d0c-db9f-4d7b-97c5-f3f9aa957da2\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppSlotPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AseDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2d048aca-6479-4923-88f5-e2ac295d9af3\",\n \"definitionVersion\": \"3.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AsePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AsDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b5ef780-c53c-4a64-87f3-bb9c8c8094ba\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AsPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApiManDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/df73bd95-24da-4a4f-96b9-4e8b94b402bd\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ApiManPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsEnvironmentDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d074ddf8-01a5-4b5e-a2b8-964aed452c0a\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsEnvironmentDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/783ea2a8-b8fd-46be-896a-9ae79643a0b1\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"AsrVaultDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9ebbbba3-4d65-4da9-bb67-b22cfaaff090\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AsrVaultDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Public-Network-Access\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApp-Public-Network\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppPublicNetworkAccessEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/701a595d-38fb-4a66-ae6d-fb3735217622\",\n \"policyDefinitionReferenceId\": \"Deny-AppSlots-Public\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appSlotsPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee980b6d-0eca-4501-8d54-f6290fd512c3\",\n \"policyDefinitionReferenceId\": \"Deny-CognitiveSearch-PublicEndpoint\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8405fdab-1faf-48aa-b702-999c9c172094\",\n \"policyDefinitionReferenceId\": \"Deny-ManagedDisk-Public-Network-Access\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('managedDiskPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43bc7be6-5e69-4b0d-a2bb-e815557ca673\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1cf164be-6819-4a50-b8fa-4bcaa4f98fb6\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8f774be-6aee-492a-9e29-486ef81f3a68\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1adadefe-5f21-44f7-b931-a59b54ccdb45\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Topic-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0602787f-9896-402a-a6e1-39ee63ee435e\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/19ea9d63-adee-4431-a95e-1913c6c1c75f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-PublicNetwork\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmDisablePublicNetwork')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d9844e8a-1437-4aeb-a32c-0c992f056095\",\n \"policyDefinitionReferenceId\": \"Deny-MySql-Public-Network-Access\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Public-Network-Access\",\n \"definitionVersion\": \"3.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Network-Access\",\n \"definitionVersion\": \"3.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cbd11fd3-3002-4907-b6c8-579f0e700e13\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-PublicEndpoint\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDisablePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9dfea752-dd46-4766-aed1-c355fa93fb91\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Public-Endpoint\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Public-Access\",\n \"definitionVersion\": \"3.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsPublicAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/38d8df46-cf4e-4073-8e03-48c24b29de0d\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapsePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ac3038-c07a-4b92-860d-29e270a4f3cd\",\n \"policyDefinitionReferenceId\": \"Deny-Workspace-PublicNetworkAccess\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdWorkspacePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c25dcf31-878f-4eba-98eb-0818fdc6a334\",\n \"policyDefinitionReferenceId\": \"Deny-Hostpool-PublicNetworkAccess\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdHostPoolPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8775d5a-73b7-4977-a39b-833ef0114628\",\n \"policyDefinitionReferenceId\": \"Deny-Grafana-PublicNetworkAccess\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('grafanaPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#39": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. This policy set is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"2.2.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsDestinationType\": {\n \"type\": \"String\",\n \"defaultValue\": \"AzureDiagnostics\",\n \"allowedValues\": [\n \"AzureDiagnostics\",\n \"Dedicated\"\n ],\n \"metadata\": {\n \"displayName\": \"Destination table for the Diagnostic Setting for API Management to Log Analytics workspace\",\n \"description\": \"Destination table for the diagnostic setting for API Management to Log Analytics workspace, allowed values are 'Dedicated' (for resource-specific) and 'AzureDiagnostics'. Default value is 'AzureDiagnostics'\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsDestinationType\": {\n \"type\": \"String\",\n \"defaultValue\": \"AzureDiagnostics\",\n \"allowedValues\": [\n \"AzureDiagnostics\",\n \"Dedicated\"\n ],\n \"metadata\": {\n \"displayName\": \"Destination table for the Diagnostic Setting for Firewall to Log Analytics workspace\",\n \"description\": \"Destination table for the diagnostic setting for Firewall to Log Analytics workspace, allowed values are 'Dedicated' (for resource-specific) and 'AzureDiagnostics'. Default value is 'AzureDiagnostics'\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Log Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Log Analytics to stream to a Log Analytics workspace when any Log Analytics workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category Audit enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AVDScalingPlansLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VWanS2SVPNGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59759c62-9a22-4cdf-ae64-074495983fef\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountBlobServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4fe1a3b-0715-4c6c-a5ea-ffc33cf823cb\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountFileServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/25a70cc8-2bd4-47f1-90b6-1478e4662c96\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountQueueServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7bd000e3-37c7-4928-9f31-86c4b77c5c45\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountTableServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2fb86bf3-d221-43d1-96d1-2434af34eaa0\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AVDScalingPlansDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AVDScalingPlans\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AVDScalingPlansLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"logAnalyticsDestinationType\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsDestinationType')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"logAnalyticsDestinationType\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsDestinationType')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#4": "{\n \"name\": \"Enforce-EncryptTransit\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit_20240509.html\",\n \"metadata\": {\n \"version\": \"2.1.0-deprecated\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"Enforce-EncryptTransit_20240509\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageminimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"StorageHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"ContainerAppsHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n }", "$fxv#40": "{\n \"name\": \"Deploy-MDFC-Config\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config_20240319.html\",\n \"metadata\": {\n \"version\": \"7.0.0-deprecated\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"Deploy-MDFC-Config_20240319\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForCosmosDbs\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSqlOnVm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForDns\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForArm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForOssDb\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForAppServices\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForKeyVault\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForStorage\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServersVulnerabilityAssessments\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"vulnerabilityAssessmentProvider\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"default\",\n \"mdeTvm\"\n ],\n \"defaultValue\": \"default\",\n \"metadata\": {\n \"displayName\": \"Vulnerability assessment provider type\",\n \"description\": \"Select the vulnerability assessment solution to provision to machines.\"\n }\n },\n \"enableAscForApis\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForCspm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForOssDb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForOssDb')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVMVulnerabilityAssessment\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServersVulnerabilityAssessments')]\"\n },\n \"vaType\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentProvider')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlServerVirtualMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSqlOnVm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForAppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForAppServices')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForStorageAccountsV2\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForStorage')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n },\n \"logAnalyticsWorkspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azurePolicyForKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForKeyVaults\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForKeyVault')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForDns\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForDns')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForArm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForArm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCosmosDbs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCosmosDbs')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForApis\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e54d2be9-5f2e-4d65-98e4-4f0e670b23d6\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForApis')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCspm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCspm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\": {\n \"value\": \"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"migrateToMdeTvm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/766e621d-ba95-4e43-a6f2-e945db3d7888\",\n \"parameters\": {\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#41": "{\n \"name\": \"Deploy-MDFC-Config_20240319\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"2.2.0\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Deploy-MDFC-Config\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"createResourceGroup\":{\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"Create resource group\",\n \"description\": \"If a resource group does not exists in the scope, a new resource group will be created. If the resource group exists and this flag is set to 'true' the policy will re-deploy the resource group. Please note this will reset any Azure Tag on the resource group.\"\n },\n \"defaultValue\": true,\n \"allowedValues\": [\n true,\n false\n ]\n },\n \"enableAscForCosmosDbs\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSqlOnVm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForArm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForOssDb\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForAppServices\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForKeyVault\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForStorage\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServersVulnerabilityAssessments\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"vulnerabilityAssessmentProvider\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"default\",\n \"mdeTvm\"\n ],\n \"defaultValue\": \"mdeTvm\",\n \"metadata\": {\n \"displayName\": \"Vulnerability assessment provider type\",\n \"description\": \"Select the vulnerability assessment solution to provision to machines.\"\n }\n },\n \"enableAscForCspm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableTvmCheck\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForOssDb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForOssDb')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVMVulnerabilityAssessment\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b\",\n \"definitionVersion\": \"4.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServersVulnerabilityAssessments')]\"\n },\n \"vaType\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentProvider')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlServerVirtualMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSqlOnVm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForAppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForAppServices')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForStorageAccountsV2\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForStorage')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5\",\n \"definitionVersion\": \"4.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n },\n \"logAnalyticsWorkspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azurePolicyForKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n \"definitionVersion\": \"4.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForKeyVaults\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForKeyVault')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForArm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForArm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCosmosDbs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCosmosDbs')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCspm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/72f8cee7-2937-403d-84a1-a4e3e57f3c21\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCspm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\": {\n \"value\": \"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"definitionVersion\": \"4.*.*\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"createResourceGroup\": {\n \"value\": \"[[parameters('createResourceGroup')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"migrateToMdeTvm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/766e621d-ba95-4e43-a6f2-e945db3d7888\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableTvmCheck')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#42": "{\n \"name\": \"Deploy-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"2.4.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"dnsZoneSubscriptionId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"Subscription Id\",\n \"description\": \"The subscription id where the private DNS zones are deployed. If this is specified, it will override any individual private DNS zone resource ids specified.\"\n }\n },\n \"dnsZoneResourceGroupName\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"Resource Group Name\",\n \"description\": \"The resource group where the private DNS zones are deployed. If this is specified, it will override any individual private DNS zone resource ids specified.\"\n }\n },\n \"dnsZoneResourceType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Microsoft.Network/privateDnsZones\",\n \"metadata\": {\n \"displayName\": \"Resource Type\",\n \"description\": \"The resource type where the private DNS zones are deployed. If this is specified, it will override any individual private DNS zone resource ids specified.\"\n }\n },\n \"dnsZoneRegion\": {\n \"type\": \"string\",\n \"defaultValue\": \"changeme\",\n \"metadata\": {\n \"displayName\": \"Region\",\n \"description\": \"The region where the private DNS zones are deployed. If this is specified, it will override any individual private DNS zone resource ids specified.\"\n }\n },\n \"dnzZoneRegionShortNames\": {\n \"type\": \"object\",\n \"defaultValue\": {\n \"changeme\": \"changeme\",\n \"australiacentral\" : \"acl\",\n \"australiacentral2\" : \"acl2\",\n \"australiaeast\" : \"ae\",\n \"australiasoutheast\" : \"ase\",\n \"brazilsoutheast\" : \"bse\",\n \"brazilsouth\" : \"brs\",\n \"canadacentral\" : \"cnc\",\n \"canadaeast\" : \"cne\",\n \"centralindia\" : \"inc\",\n \"centralus\" : \"cus\",\n \"centraluseuap\" : \"ccy\",\n \"chilecentral\" : \"clc\",\n \"eastasia\" : \"ea\",\n \"eastus\" : \"eus\",\n \"eastus2\" : \"eus2\",\n \"eastus2euap\" : \"ecy\",\n \"francecentral\" : \"frc\",\n \"francesouth\" : \"frs\",\n \"germanynorth\" : \"gn\",\n \"germanywestcentral\" : \"gwc\",\n \"israelcentral\" : \"ilc\",\n \"italynorth\" : \"itn\",\n \"japaneast\" : \"jpe\",\n \"japanwest\" : \"jpw\",\n \"koreacentral\" : \"krc\",\n \"koreasouth\" : \"krs\",\n \"malaysiasouth\" : \"mys\",\n \"malaysiawest\" : \"myw\",\n \"mexicocentral\" : \"mxc\",\n \"newzealandnorth\" : \"nzn\",\n \"northcentralus\" : \"ncus\",\n \"northeurope\" : \"ne\",\n \"norwayeast\" : \"nwe\",\n \"norwaywest\" : \"nww\",\n \"polandcentral\" : \"plc\",\n \"qatarcentral\" : \"qac\",\n \"southafricanorth\" : \"san\",\n \"southafricawest\" : \"saw\",\n \"southcentralus\" : \"scus\",\n \"southeastasia\" : \"sea\",\n \"southindia\" : \"ins\",\n \"spaincentral\" : \"spc\",\n \"swedencentral\" : \"sdc\",\n \"swedensouth\" : \"sds\",\n \"switzerlandnorth\" : \"szn\",\n \"switzerlandwest\" : \"szw\",\n \"taiwannorth\" : \"twn\",\n \"uaecentral\" : \"uac\",\n \"uaenorth\" : \"uan\",\n \"uksouth\" : \"uks\",\n \"ukwest\" : \"ukw\",\n \"westcentralus\" : \"wcus\",\n \"westeurope\" : \"we\",\n \"westindia\" : \"inw\",\n \"westus\" : \"wus\",\n \"westus2\" : \"wus2\",\n \"westus3\" : \"wus3\"\n },\n \"metadata\": {\n \"displayName\": \"Region Short Name Mapping\",\n \"description\": \"Mapping of region to private DNS zone resource id. If the region is not specified, the default private DNS zone resource id will be used.\"\n }\n },\n \"dnsZoneNames\": {\n \"type\": \"object\",\n \"defaultValue\": {\n \"azureAcrPrivateDnsZoneId\": \"privatelink.azurecr.io\",\n \"azureAcrDataPrivateDnsZoneId\": \"{regionName}.data.privatelink.azurecr.io\",\n \"azureAppPrivateDnsZoneId\": \"privatelink.azconfig.io\",\n \"azureAppServicesPrivateDnsZoneId\": \"privatelink.azurewebsites.net\",\n \"azureArcGuestconfigurationPrivateDnsZoneId\": \"privatelink.guestconfiguration.azure.com\",\n \"azureArcHybridResourceProviderPrivateDnsZoneId\": \"privatelink.his.arc.azure.com\",\n \"azureArcKubernetesConfigurationPrivateDnsZoneId\": \"privatelink.dp.kubernetesconfiguration.azure.com\",\n \"azureAsrPrivateDnsZoneId\": \"privatelink.siterecovery.windowsazure.com\",\n \"azureAutomationDSCHybridPrivateDnsZoneId\": \"privatelink.azure-automation.net\",\n \"azureAutomationWebhookPrivateDnsZoneId\": \"privatelink.azure-automation.net\",\n \"azureBatchPrivateDnsZoneId\": \"privatelink.batch.azure.com\",\n \"azureBotServicePrivateDnsZoneId\": \"privatelink.directline.botframework.com\",\n \"azureCognitiveSearchPrivateDnsZoneId\": \"privatelink.search.windows.net\",\n \"azureCognitiveServicesPrivateDnsZoneId\": \"privatelink.cognitiveservices.azure.com\",\n \"azureCosmosCassandraPrivateDnsZoneId\": \"privatelink.cassandra.cosmos.azure.com\",\n \"azureCosmosGremlinPrivateDnsZoneId\": \"privatelink.gremlin.cosmos.azure.com\",\n \"azureCosmosMongoPrivateDnsZoneId\": \"privatelink.mongo.cosmos.azure.com\",\n \"azureCosmosSQLPrivateDnsZoneId\": \"privatelink.documents.azure.com\",\n \"azureCosmosTablePrivateDnsZoneId\": \"privatelink.table.cosmos.azure.com\",\n \"azureDataExplorerPrivateDnsZoneId\": \"privatelink.{regionName}.kusto.windows.net\",\n \"azureDataFactoryPortalPrivateDnsZoneId\": \"privatelink.adf.azure.com\",\n \"azureDataFactoryPrivateDnsZoneId\": \"privatelink.datafactory.azure.net\",\n \"azureDatabricksPrivateDnsZoneId\": \"privatelink.azuredatabricks.net\",\n \"azureDiskAccessPrivateDnsZoneId\": \"privatelink.blob.core.windows.net\",\n \"azureEventGridDomainsPrivateDnsZoneId\": \"privatelink.eventgrid.azure.net\",\n \"azureEventGridTopicsPrivateDnsZoneId\": \"privatelink.eventgrid.azure.net\",\n \"azureEventHubNamespacePrivateDnsZoneId\": \"privatelink.servicebus.windows.net\",\n \"azureFilePrivateDnsZoneId\": \"privatelink.afs.azure.net\",\n \"azureHDInsightPrivateDnsZoneId\": \"privatelink.azurehdinsight.net\",\n \"azureIotCentralPrivateDnsZoneId\": \"privatelink.azureiotcentral.com\",\n \"azureIotDeviceupdatePrivateDnsZoneId\": \"privatelink.azure-devices.net\",\n \"azureIotHubsPrivateDnsZoneId\": \"privatelink.azure-devices.net\",\n \"azureIotPrivateDnsZoneId\": \"privatelink.azure-devices-provisioning.net\",\n \"azureKeyVaultPrivateDnsZoneId\": \"privatelink.vaultcore.azure.net\",\n \"azureKubernetesManagementPrivateDnsZoneId\": \"privatelink.{regionName}.azmk8s.io\",\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": \"privatelink.api.azureml.ms\",\n \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\": \"privatelink.notebooks.azure.net\",\n \"azureManagedGrafanaWorkspacePrivateDnsZoneId\": \"privatelink.grafana.azure.com\",\n \"azureMediaServicesKeyPrivateDnsZoneId\": \"privatelink.media.azure.net\",\n \"azureMediaServicesLivePrivateDnsZoneId\": \"privatelink.media.azure.net\",\n \"azureMediaServicesStreamPrivateDnsZoneId\": \"privatelink.media.azure.net\",\n \"azureMigratePrivateDnsZoneId\": \"privatelink.prod.migration.windowsazure.com\",\n \"azureMonitorPrivateDnsZoneId1\": \"privatelink.monitor.azure.com\",\n \"azureMonitorPrivateDnsZoneId2\": \"privatelink.oms.opinsights.azure.com\",\n \"azureMonitorPrivateDnsZoneId3\": \"privatelink.ods.opinsights.azure.com\",\n \"azureMonitorPrivateDnsZoneId4\": \"privatelink.agentsvc.azure-automation.net\",\n \"azureMonitorPrivateDnsZoneId5\": \"privatelink.blob.core.windows.net\",\n \"azureRedisCachePrivateDnsZoneId\": \"privatelink.redis.cache.windows.net\",\n \"azureServiceBusNamespacePrivateDnsZoneId\": \"privatelink.servicebus.windows.net\",\n \"azureSignalRPrivateDnsZoneId\": \"privatelink.service.signalr.net\",\n \"azureSiteRecoveryBackupPrivateDnsZoneId\": \"privatelink.{regionCode}.backup.windowsazure.com\",\n \"azureSiteRecoveryBlobPrivateDnsZoneId\": \"privatelink.blob.core.windows.net\",\n \"azureSiteRecoveryQueuePrivateDnsZoneId\": \"privatelink.queue.core.windows.net\",\n \"azureStorageBlobPrivateDnsZoneId\": \"privatelink.blob.core.windows.net\",\n \"azureStorageBlobSecPrivateDnsZoneId\": \"privatelink.blob.core.windows.net\",\n \"azureStorageDFSPrivateDnsZoneId\": \"privatelink.dfs.core.windows.net\",\n \"azureStorageDFSSecPrivateDnsZoneId\": \"privatelink.dfs.core.windows.net\",\n \"azureStorageFilePrivateDnsZoneId\": \"privatelink.file.core.windows.net\",\n \"azureStorageQueuePrivateDnsZoneId\": \"privatelink.queue.core.windows.net\",\n \"azureStorageQueueSecPrivateDnsZoneId\": \"privatelink.queue.core.windows.net\",\n \"azureStorageStaticWebPrivateDnsZoneId\": \"privatelink.web.core.windows.net\",\n \"azureStorageStaticWebSecPrivateDnsZoneId\": \"privatelink.web.core.windows.net\",\n \"azureStorageTablePrivateDnsZoneId\": \"privatelink.table.core.windows.net\",\n \"azureStorageTableSecondaryPrivateDnsZoneId\": \"privatelink.table.core.windows.net\",\n \"azureSynapseDevPrivateDnsZoneId\": \"privatelink.dev.azuresynapse.net\",\n \"azureSynapseSQLPrivateDnsZoneId\": \"privatelink.sql.azuresynapse.net\",\n \"azureSynapseSQLODPrivateDnsZoneId\": \"privatelink.sql.azuresynapse.net\",\n \"azureVirtualDesktopHostpoolPrivateDnsZoneId\": \"privatelink.wvd.microsoft.com\",\n \"azureVirtualDesktopWorkspacePrivateDnsZoneId\": \"privatelink.wvd.microsoft.com\",\n \"azureWebPrivateDnsZoneId\": \"privatelink.webpubsub.azure.com\"\n },\n \"metadata\": {\n \"displayName\": \"DNS Zone Names\",\n \"description\": \"The list of private DNS zone names to be used for the Azure PaaS services.\"\n }\n },\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationWebhookPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationWebhookPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationDSCHybridPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationDSCHybridPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosMongoPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosMongoPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosCassandraPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosCassandraPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosGremlinPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosGremlinPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPortalPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPortalPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDatabricksPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDatabricksPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureHDInsightPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureHDInsightPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMigratePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMigratePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageBlobPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageBlobPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageBlobSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageBlobSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageQueuePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageQueuePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageQueueSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageQueueSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageStaticWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageStaticWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageStaticWebSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageStaticWebSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageDFSPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageDFSPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageDFSSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageDFSSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLODPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLODPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseDevPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseDevPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesKeyPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesKeyPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesLivePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesLivePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesStreamPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesStreamPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId1\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId1\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId2\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId2\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId3\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId3\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId4\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId4\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId5\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId5\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBotServicePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBotServicePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureManagedGrafanaWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureManagedGrafanaWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopHostpoolPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopHostpoolPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotDeviceupdatePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotDeviceupdatePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureArcGuestconfigurationPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureArcGuestconfigurationPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureArcHybridResourceProviderPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureArcHybridResourceProviderPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureArcKubernetesConfigurationPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureArcKubernetesConfigurationPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotCentralPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotCentralPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTableSecondaryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTableSecondaryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBackupPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBackupPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBlobPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBlobPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryQueuePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryQueuePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureFilePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureFilePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-Webhook\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAutomationWebhookPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAutomationWebhookPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Webhook\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-DSCHybrid\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAutomationDSCHybridPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAutomationDSCHybridPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"DSCAndHybridWorker\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCosmosSQLPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCosmosSQLPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"SQL\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-MongoDB\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCosmosMongoPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCosmosMongoPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"MongoDB\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Cassandra\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCosmosCassandraPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCosmosCassandraPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Cassandra\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Gremlin\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCosmosGremlinPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCosmosGremlinPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Gremlin\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCosmosTablePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCosmosTablePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Table\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureDataFactoryPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureDataFactoryPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"dataFactory\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory-Portal\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureDataFactoryPortalPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureDataFactoryPortalPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"portal\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Databricks-UI-Api\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureDatabricksPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureDatabricksPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"groupId\": {\n \"value\": \"databricks_ui_api\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Databricks-Browser-AuthN\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureDatabricksPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureDatabricksPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"groupId\": {\n \"value\": \"browser_authentication\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-HDInsight\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43d6e3bd-fc6a-4b44-8b4d-2151d8736a11\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureHDInsightPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureHDInsightPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"groupId\": {\n \"value\": \"cluster\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Migrate\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7590a335-57cf-4c95-babd-ecbc8fafeb1f\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMigratePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMigratePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75973700-529f-4de2-b794-fb9b6781b6b0\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageBlobPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageBlobPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d847d34b-9337-4e2d-99a5-767e5ac9c582\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageBlobSecPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageBlobSecPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bcff79fb-2b0d-47c9-97e5-3023479b00d1\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageQueuePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageQueuePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageQueueSecPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageQueueSecPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-File\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6df98d03-368a-4438-8730-a93c4d7693d6\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageFilePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageFilePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9adab2a5-05ba-4fbd-831a-5bf958d04218\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageStaticWebPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageStaticWebPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d19ae5f1-b303-4b82-9ca8-7682749faf0c\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageStaticWebSecPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageStaticWebSecPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83c6fe0f-2316-444a-99a1-1ecd8a7872ca\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageDFSPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageDFSPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/90bd4cb3-9f59-45f7-a6ca-f69db2726671\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageDFSSecPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageDFSSecPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSynapseSQLPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSynapseSQLPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"targetSubResource\": {\n \"value\": \"Sql\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL-OnDemand\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSynapseSQLODPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSynapseSQLODPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"targetSubResource\": {\n \"value\": \"SqlOnDemand\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-Dev\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSynapseDevPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSynapseDevPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"targetSubResource\": {\n \"value\": \"Dev\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Key\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMediaServicesKeyPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMediaServicesKeyPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"groupId\": {\n \"value\": \"keydelivery\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Live\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMediaServicesLivePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMediaServicesLivePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"groupId\": {\n \"value\": \"liveevent\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Stream\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMediaServicesStreamPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMediaServicesStreamPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"groupId\": {\n \"value\": \"streamingendpoint\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Monitor\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/437914ee-c176-4fff-8986-7e05eb971365\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId1\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMonitorPrivateDnsZoneId1'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMonitorPrivateDnsZoneId1, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZoneId2\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMonitorPrivateDnsZoneId2'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMonitorPrivateDnsZoneId2, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZoneId3\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMonitorPrivateDnsZoneId3'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMonitorPrivateDnsZoneId3, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZoneId4\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMonitorPrivateDnsZoneId4'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMonitorPrivateDnsZoneId4, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZoneId5\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMonitorPrivateDnsZoneId5'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMonitorPrivateDnsZoneId5, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Web\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureWebPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureWebPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureBatchPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureBatchPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAppPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAppPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAsrPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAsrPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureIotPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureIotPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureKeyVaultPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureKeyVaultPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSignalRPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSignalRPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAppServicesPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAppServicesPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureEventGridTopicsPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureEventGridTopicsPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureDiskAccessPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureDiskAccessPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCognitiveServicesPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCognitiveServicesPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureIotHubsPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureIotHubsPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureEventGridDomainsPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureEventGridDomainsPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureRedisCachePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureRedisCachePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAcrPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAcrPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureEventHubNamespacePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureEventHubNamespacePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMachineLearningWorkspacePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMachineLearningWorkspacePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"secondPrivateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMachineLearningWorkspaceSecondPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMachineLearningWorkspaceSecondPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureServiceBusNamespacePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureServiceBusNamespacePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCognitiveSearchPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCognitiveSearchPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-BotService\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6a4e6f44-f2af-4082-9702-033c9e88b9f8\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureBotServicePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureBotServicePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ManagedGrafanaWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4c8537f8-cd1b-49ec-b704-18e82a42fd58\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureManagedGrafanaWorkspacePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureManagedGrafanaWorkspacePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopHostpool\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9427df23-0f42-4e1e-bf99-a6133d841c4a\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureVirtualDesktopHostpoolPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureVirtualDesktopHostpoolPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"connection\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34804460-d88b-4922-a7ca-537165e060ed\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureVirtualDesktopWorkspacePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureVirtualDesktopWorkspacePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"feed\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTDeviceupdate\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a222b93a-e6c2-4c01-817f-21e092455b2a\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureIotDeviceupdatePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureIotDeviceupdatePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Arc\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55c4db33-97b0-437b-8469-c4f4498f5df9\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\":{\n \"privateDnsZoneIDForGuestConfiguration\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureArcGuestconfigurationPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureArcGuestconfigurationPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZoneIDForHybridResourceProvider\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureArcHybridResourceProviderPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureArcHybridResourceProviderPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZoneIDForKubernetesConfiguration\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureArcKubernetesConfigurationPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureArcKubernetesConfigurationPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTCentral\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d627d7c6-ded5-481a-8f2e-7e16b1e6faf6\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureIotCentralPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureIotCentralPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/028bbd88-e9b5-461f-9424-a1b63a7bee1a\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageTablePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageTablePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table-Secondary\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c1d634a5-f73d-4cdd-889f-2cc7006eb47f\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageTableSecondaryPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageTableSecondaryPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery-Backup\",\n \"policyDefinitionId\":\"/providers/Microsoft.Authorization/policyDefinitions/af783da1-4ad1-42be-800d-d19c70038820\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"parameters\":{\n \"privateDnsZone-Backup\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSiteRecoveryBackupPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSiteRecoveryBackupPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZone-Blob\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSiteRecoveryBlobPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSiteRecoveryBlobPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZone-Queue\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSiteRecoveryQueuePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSiteRecoveryQueuePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#43": "{\n \"name\": \"Enforce-Encryption-CMK\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"3.2.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"MySQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure MySQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"PostgreSQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure PostgreSQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"HealthcareAPIsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure API for FHIR should use a customer-managed key (CMK) to encrypt data at rest\",\n \"description\": \"Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n },\n \"AutomationAccountCmkEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"BackupCmkEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveSearchCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"osAndDataDiskCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerInstanceCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"eventHubPremiumCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusDenyCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlManagedCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageTableCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsEncryptionCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageQueueCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"botServiceCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"audit\",\n \"Deny\",\n \"deny\",\n \"Disabled\",\n \"disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HealthcareAPIsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('HealthcareAPIsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/56a5ee18-2ae6-4810-86f7-18e39ce5629b\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AutomationAccountCmkEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2e94d99a-8a36-4563-bc77-810d8893b671\",\n \"policyDefinitionReferenceId\": \"Deny-Backup-Cmk\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BackupCmkEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/76a56461-9dc0-40f0-82f5-2453283afa2f\",\n \"policyDefinitionReferenceId\": \"Deny-CognitiveSearch-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/702dd420-7fcc-42c5-afe8-4026edd20fe0\",\n \"policyDefinitionReferenceId\": \"Deny-OsAndDataDisk-Cmk\",\n \"definitionVersion\": \"3.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('osAndDataDiskCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0aa61e00-0a01-4a3c-9945-e93cffedf0e6\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerInstance-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerInstanceCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/81e74cea-30fd-40d5-802f-d72103c2aaaa\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec52d6d-beb7-40c4-9a9e-fe753254690e\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a1ad735a-e96f-45d2-a7b2-9a4932cab7ec\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-Premium-CMK\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Premium-CMK\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubPremiumCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/295fc8b1-dc9f-4f53-9c61-3f313ceab40a\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDenyCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac01ad65-10e5-46df-bdd9-6b0cad13e1d2\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Cmk\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7c322315-e26d-4174-a99e-f49d351b4688\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Table-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageTableCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b5ec538c-daa0-4006-8596-35468b9148e8\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Encryption-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsEncryptionCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e5abd0-2554-4736-b7c0-4ffef23475ef\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Queue-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageQueueCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/51522a96-0869-4791-82f3-981000c2c67f\",\n \"policyDefinitionReferenceId\": \"Deny-BotService-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('botServiceCmk')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#44": "{\n \"name\": \"Enforce-ACSB\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce Azure Compute Security Benchmark compliance auditing\",\n \"description\": \"Enforce Azure Compute Security Benchmark compliance auditing for Windows and Linux virtual machines.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Guest Configuration\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"includeArcMachines\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"true\",\n \"false\"\n ],\n \"metadata\": {\n \"displayName\": \"Include Arc connected servers\",\n \"description\": \"By selecting this option, you agree to be charged monthly per Arc connected machine.\"\n },\n \"defaultValue\": \"true\"\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"AuditIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"GcIdentity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e\",\n \"definitionVersion\": \"4.*.*\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"GcLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da\",\n \"definitionVersion\": \"3.*.*\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"GcWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WinAcsb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"IncludeArcMachines\": {\n \"value\": \"[[parameters('includeArcMachines')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LinAcsb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"IncludeArcMachines\": {\n \"value\": \"[[parameters('includeArcMachines')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#41": "{\n \"name\": \"Deploy-MDFC-Config_20240319\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2023-04-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"2.2.0\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Deploy-MDFC-Config\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"createResourceGroup\":{\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"Create resource group\",\n \"description\": \"If a resource group does not exists in the scope, a new resource group will be created. If the resource group exists and this flag is set to 'true' the policy will re-deploy the resource group. Please note this will reset any Azure Tag on the resource group.\"\n },\n \"defaultValue\": true,\n \"allowedValues\": [\n true,\n false\n ]\n },\n \"enableAscForCosmosDbs\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSqlOnVm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForArm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForOssDb\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForAppServices\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForKeyVault\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForStorage\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServersVulnerabilityAssessments\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"vulnerabilityAssessmentProvider\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"default\",\n \"mdeTvm\"\n ],\n \"defaultValue\": \"mdeTvm\",\n \"metadata\": {\n \"displayName\": \"Vulnerability assessment provider type\",\n \"description\": \"Select the vulnerability assessment solution to provision to machines.\"\n }\n },\n \"enableAscForCspm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableTvmCheck\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForOssDb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForOssDb')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVMVulnerabilityAssessment\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b\",\n \"definitionVersion\": \"4.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServersVulnerabilityAssessments')]\"\n },\n \"vaType\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentProvider')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlServerVirtualMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSqlOnVm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForAppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForAppServices')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForStorageAccountsV2\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForStorage')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5\",\n \"definitionVersion\": \"4.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n },\n \"logAnalyticsWorkspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azurePolicyForKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n \"definitionVersion\": \"4.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForKeyVaults\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForKeyVault')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForArm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForArm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCosmosDbs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCosmosDbs')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCspm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/72f8cee7-2937-403d-84a1-a4e3e57f3c21\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCspm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\": {\n \"value\": \"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"definitionVersion\": \"4.*.*\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"createResourceGroup\": {\n \"value\": \"[[parameters('createResourceGroup')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"migrateToMdeTvm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/766e621d-ba95-4e43-a6f2-e945db3d7888\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableTvmCheck')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#42": "{\n \"name\": \"Deploy-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2023-04-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"2.4.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"dnsZoneSubscriptionId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"Subscription Id\",\n \"description\": \"The subscription id where the private DNS zones are deployed. If this is specified, it will override any individual private DNS zone resource ids specified.\"\n }\n },\n \"dnsZoneResourceGroupName\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"Resource Group Name\",\n \"description\": \"The resource group where the private DNS zones are deployed. If this is specified, it will override any individual private DNS zone resource ids specified.\"\n }\n },\n \"dnsZoneResourceType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Microsoft.Network/privateDnsZones\",\n \"metadata\": {\n \"displayName\": \"Resource Type\",\n \"description\": \"The resource type where the private DNS zones are deployed. If this is specified, it will override any individual private DNS zone resource ids specified.\"\n }\n },\n \"dnsZoneRegion\": {\n \"type\": \"string\",\n \"defaultValue\": \"changeme\",\n \"metadata\": {\n \"displayName\": \"Region\",\n \"description\": \"The region where the private DNS zones are deployed. If this is specified, it will override any individual private DNS zone resource ids specified.\"\n }\n },\n \"dnzZoneRegionShortNames\": {\n \"type\": \"object\",\n \"defaultValue\": {\n \"changeme\": \"changeme\",\n \"australiacentral\" : \"acl\",\n \"australiacentral2\" : \"acl2\",\n \"australiaeast\" : \"ae\",\n \"australiasoutheast\" : \"ase\",\n \"brazilsoutheast\" : \"bse\",\n \"brazilsouth\" : \"brs\",\n \"canadacentral\" : \"cnc\",\n \"canadaeast\" : \"cne\",\n \"centralindia\" : \"inc\",\n \"centralus\" : \"cus\",\n \"centraluseuap\" : \"ccy\",\n \"chilecentral\" : \"clc\",\n \"eastasia\" : \"ea\",\n \"eastus\" : \"eus\",\n \"eastus2\" : \"eus2\",\n \"eastus2euap\" : \"ecy\",\n \"francecentral\" : \"frc\",\n \"francesouth\" : \"frs\",\n \"germanynorth\" : \"gn\",\n \"germanywestcentral\" : \"gwc\",\n \"israelcentral\" : \"ilc\",\n \"italynorth\" : \"itn\",\n \"japaneast\" : \"jpe\",\n \"japanwest\" : \"jpw\",\n \"koreacentral\" : \"krc\",\n \"koreasouth\" : \"krs\",\n \"malaysiasouth\" : \"mys\",\n \"malaysiawest\" : \"myw\",\n \"mexicocentral\" : \"mxc\",\n \"newzealandnorth\" : \"nzn\",\n \"northcentralus\" : \"ncus\",\n \"northeurope\" : \"ne\",\n \"norwayeast\" : \"nwe\",\n \"norwaywest\" : \"nww\",\n \"polandcentral\" : \"plc\",\n \"qatarcentral\" : \"qac\",\n \"southafricanorth\" : \"san\",\n \"southafricawest\" : \"saw\",\n \"southcentralus\" : \"scus\",\n \"southeastasia\" : \"sea\",\n \"southindia\" : \"ins\",\n \"spaincentral\" : \"spc\",\n \"swedencentral\" : \"sdc\",\n \"swedensouth\" : \"sds\",\n \"switzerlandnorth\" : \"szn\",\n \"switzerlandwest\" : \"szw\",\n \"taiwannorth\" : \"twn\",\n \"uaecentral\" : \"uac\",\n \"uaenorth\" : \"uan\",\n \"uksouth\" : \"uks\",\n \"ukwest\" : \"ukw\",\n \"westcentralus\" : \"wcus\",\n \"westeurope\" : \"we\",\n \"westindia\" : \"inw\",\n \"westus\" : \"wus\",\n \"westus2\" : \"wus2\",\n \"westus3\" : \"wus3\"\n },\n \"metadata\": {\n \"displayName\": \"Region Short Name Mapping\",\n \"description\": \"Mapping of region to private DNS zone resource id. If the region is not specified, the default private DNS zone resource id will be used.\"\n }\n },\n \"dnsZoneNames\": {\n \"type\": \"object\",\n \"defaultValue\": {\n \"azureAcrPrivateDnsZoneId\": \"privatelink.azurecr.io\",\n \"azureAcrDataPrivateDnsZoneId\": \"{regionName}.data.privatelink.azurecr.io\",\n \"azureAppPrivateDnsZoneId\": \"privatelink.azconfig.io\",\n \"azureAppServicesPrivateDnsZoneId\": \"privatelink.azurewebsites.net\",\n \"azureArcGuestconfigurationPrivateDnsZoneId\": \"privatelink.guestconfiguration.azure.com\",\n \"azureArcHybridResourceProviderPrivateDnsZoneId\": \"privatelink.his.arc.azure.com\",\n \"azureArcKubernetesConfigurationPrivateDnsZoneId\": \"privatelink.dp.kubernetesconfiguration.azure.com\",\n \"azureAsrPrivateDnsZoneId\": \"privatelink.siterecovery.windowsazure.com\",\n \"azureAutomationDSCHybridPrivateDnsZoneId\": \"privatelink.azure-automation.net\",\n \"azureAutomationWebhookPrivateDnsZoneId\": \"privatelink.azure-automation.net\",\n \"azureBatchPrivateDnsZoneId\": \"privatelink.batch.azure.com\",\n \"azureBotServicePrivateDnsZoneId\": \"privatelink.directline.botframework.com\",\n \"azureCognitiveSearchPrivateDnsZoneId\": \"privatelink.search.windows.net\",\n \"azureCognitiveServicesPrivateDnsZoneId\": \"privatelink.cognitiveservices.azure.com\",\n \"azureCosmosCassandraPrivateDnsZoneId\": \"privatelink.cassandra.cosmos.azure.com\",\n \"azureCosmosGremlinPrivateDnsZoneId\": \"privatelink.gremlin.cosmos.azure.com\",\n \"azureCosmosMongoPrivateDnsZoneId\": \"privatelink.mongo.cosmos.azure.com\",\n \"azureCosmosSQLPrivateDnsZoneId\": \"privatelink.documents.azure.com\",\n \"azureCosmosTablePrivateDnsZoneId\": \"privatelink.table.cosmos.azure.com\",\n \"azureDataExplorerPrivateDnsZoneId\": \"privatelink.{regionName}.kusto.windows.net\",\n \"azureDataFactoryPortalPrivateDnsZoneId\": \"privatelink.adf.azure.com\",\n \"azureDataFactoryPrivateDnsZoneId\": \"privatelink.datafactory.azure.net\",\n \"azureDatabricksPrivateDnsZoneId\": \"privatelink.azuredatabricks.net\",\n \"azureDiskAccessPrivateDnsZoneId\": \"privatelink.blob.core.windows.net\",\n \"azureEventGridDomainsPrivateDnsZoneId\": \"privatelink.eventgrid.azure.net\",\n \"azureEventGridTopicsPrivateDnsZoneId\": \"privatelink.eventgrid.azure.net\",\n \"azureEventHubNamespacePrivateDnsZoneId\": \"privatelink.servicebus.windows.net\",\n \"azureFilePrivateDnsZoneId\": \"privatelink.afs.azure.net\",\n \"azureHDInsightPrivateDnsZoneId\": \"privatelink.azurehdinsight.net\",\n \"azureIotCentralPrivateDnsZoneId\": \"privatelink.azureiotcentral.com\",\n \"azureIotDeviceupdatePrivateDnsZoneId\": \"privatelink.azure-devices.net\",\n \"azureIotHubsPrivateDnsZoneId\": \"privatelink.azure-devices.net\",\n \"azureIotPrivateDnsZoneId\": \"privatelink.azure-devices-provisioning.net\",\n \"azureKeyVaultPrivateDnsZoneId\": \"privatelink.vaultcore.azure.net\",\n \"azureKubernetesManagementPrivateDnsZoneId\": \"privatelink.{regionName}.azmk8s.io\",\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": \"privatelink.api.azureml.ms\",\n \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\": \"privatelink.notebooks.azure.net\",\n \"azureManagedGrafanaWorkspacePrivateDnsZoneId\": \"privatelink.grafana.azure.com\",\n \"azureMediaServicesKeyPrivateDnsZoneId\": \"privatelink.media.azure.net\",\n \"azureMediaServicesLivePrivateDnsZoneId\": \"privatelink.media.azure.net\",\n \"azureMediaServicesStreamPrivateDnsZoneId\": \"privatelink.media.azure.net\",\n \"azureMigratePrivateDnsZoneId\": \"privatelink.prod.migration.windowsazure.com\",\n \"azureMonitorPrivateDnsZoneId1\": \"privatelink.monitor.azure.com\",\n \"azureMonitorPrivateDnsZoneId2\": \"privatelink.oms.opinsights.azure.com\",\n \"azureMonitorPrivateDnsZoneId3\": \"privatelink.ods.opinsights.azure.com\",\n \"azureMonitorPrivateDnsZoneId4\": \"privatelink.agentsvc.azure-automation.net\",\n \"azureMonitorPrivateDnsZoneId5\": \"privatelink.blob.core.windows.net\",\n \"azureRedisCachePrivateDnsZoneId\": \"privatelink.redis.cache.windows.net\",\n \"azureServiceBusNamespacePrivateDnsZoneId\": \"privatelink.servicebus.windows.net\",\n \"azureSignalRPrivateDnsZoneId\": \"privatelink.service.signalr.net\",\n \"azureSiteRecoveryBackupPrivateDnsZoneId\": \"privatelink.{regionCode}.backup.windowsazure.com\",\n \"azureSiteRecoveryBlobPrivateDnsZoneId\": \"privatelink.blob.core.windows.net\",\n \"azureSiteRecoveryQueuePrivateDnsZoneId\": \"privatelink.queue.core.windows.net\",\n \"azureStorageBlobPrivateDnsZoneId\": \"privatelink.blob.core.windows.net\",\n \"azureStorageBlobSecPrivateDnsZoneId\": \"privatelink.blob.core.windows.net\",\n \"azureStorageDFSPrivateDnsZoneId\": \"privatelink.dfs.core.windows.net\",\n \"azureStorageDFSSecPrivateDnsZoneId\": \"privatelink.dfs.core.windows.net\",\n \"azureStorageFilePrivateDnsZoneId\": \"privatelink.file.core.windows.net\",\n \"azureStorageQueuePrivateDnsZoneId\": \"privatelink.queue.core.windows.net\",\n \"azureStorageQueueSecPrivateDnsZoneId\": \"privatelink.queue.core.windows.net\",\n \"azureStorageStaticWebPrivateDnsZoneId\": \"privatelink.web.core.windows.net\",\n \"azureStorageStaticWebSecPrivateDnsZoneId\": \"privatelink.web.core.windows.net\",\n \"azureStorageTablePrivateDnsZoneId\": \"privatelink.table.core.windows.net\",\n \"azureStorageTableSecondaryPrivateDnsZoneId\": \"privatelink.table.core.windows.net\",\n \"azureSynapseDevPrivateDnsZoneId\": \"privatelink.dev.azuresynapse.net\",\n \"azureSynapseSQLPrivateDnsZoneId\": \"privatelink.sql.azuresynapse.net\",\n \"azureSynapseSQLODPrivateDnsZoneId\": \"privatelink.sql.azuresynapse.net\",\n \"azureVirtualDesktopHostpoolPrivateDnsZoneId\": \"privatelink.wvd.microsoft.com\",\n \"azureVirtualDesktopWorkspacePrivateDnsZoneId\": \"privatelink.wvd.microsoft.com\",\n \"azureWebPrivateDnsZoneId\": \"privatelink.webpubsub.azure.com\"\n },\n \"metadata\": {\n \"displayName\": \"DNS Zone Names\",\n \"description\": \"The list of private DNS zone names to be used for the Azure PaaS services.\"\n }\n },\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationWebhookPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationWebhookPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationDSCHybridPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationDSCHybridPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosMongoPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosMongoPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosCassandraPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosCassandraPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosGremlinPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosGremlinPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPortalPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPortalPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDatabricksPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDatabricksPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureHDInsightPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureHDInsightPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMigratePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMigratePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageBlobPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageBlobPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageBlobSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageBlobSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageQueuePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageQueuePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageQueueSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageQueueSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageStaticWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageStaticWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageStaticWebSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageStaticWebSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageDFSPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageDFSPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageDFSSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageDFSSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLODPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLODPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseDevPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseDevPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesKeyPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesKeyPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesLivePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesLivePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesStreamPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesStreamPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId1\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId1\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId2\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId2\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId3\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId3\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId4\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId4\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId5\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId5\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBotServicePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBotServicePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureManagedGrafanaWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureManagedGrafanaWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopHostpoolPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopHostpoolPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotDeviceupdatePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotDeviceupdatePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureArcGuestconfigurationPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureArcGuestconfigurationPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureArcHybridResourceProviderPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureArcHybridResourceProviderPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureArcKubernetesConfigurationPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureArcKubernetesConfigurationPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotCentralPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotCentralPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTableSecondaryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTableSecondaryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBackupPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBackupPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBlobPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBlobPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryQueuePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryQueuePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureFilePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureFilePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-Webhook\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAutomationWebhookPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAutomationWebhookPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Webhook\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-DSCHybrid\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAutomationDSCHybridPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAutomationDSCHybridPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"DSCAndHybridWorker\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCosmosSQLPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCosmosSQLPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"SQL\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-MongoDB\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCosmosMongoPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCosmosMongoPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"MongoDB\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Cassandra\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCosmosCassandraPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCosmosCassandraPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Cassandra\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Gremlin\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCosmosGremlinPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCosmosGremlinPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Gremlin\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCosmosTablePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCosmosTablePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Table\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureDataFactoryPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureDataFactoryPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"dataFactory\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory-Portal\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureDataFactoryPortalPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureDataFactoryPortalPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"portal\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Databricks-UI-Api\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureDatabricksPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureDatabricksPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"groupId\": {\n \"value\": \"databricks_ui_api\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Databricks-Browser-AuthN\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureDatabricksPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureDatabricksPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"groupId\": {\n \"value\": \"browser_authentication\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-HDInsight\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43d6e3bd-fc6a-4b44-8b4d-2151d8736a11\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureHDInsightPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureHDInsightPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"groupId\": {\n \"value\": \"cluster\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Migrate\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7590a335-57cf-4c95-babd-ecbc8fafeb1f\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMigratePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMigratePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75973700-529f-4de2-b794-fb9b6781b6b0\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageBlobPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageBlobPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d847d34b-9337-4e2d-99a5-767e5ac9c582\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageBlobSecPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageBlobSecPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bcff79fb-2b0d-47c9-97e5-3023479b00d1\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageQueuePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageQueuePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageQueueSecPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageQueueSecPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-File\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6df98d03-368a-4438-8730-a93c4d7693d6\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageFilePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageFilePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9adab2a5-05ba-4fbd-831a-5bf958d04218\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageStaticWebPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageStaticWebPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d19ae5f1-b303-4b82-9ca8-7682749faf0c\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageStaticWebSecPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageStaticWebSecPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83c6fe0f-2316-444a-99a1-1ecd8a7872ca\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageDFSPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageDFSPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/90bd4cb3-9f59-45f7-a6ca-f69db2726671\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageDFSSecPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageDFSSecPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSynapseSQLPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSynapseSQLPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"targetSubResource\": {\n \"value\": \"Sql\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL-OnDemand\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSynapseSQLODPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSynapseSQLODPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"targetSubResource\": {\n \"value\": \"SqlOnDemand\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-Dev\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSynapseDevPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSynapseDevPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"targetSubResource\": {\n \"value\": \"Dev\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Key\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMediaServicesKeyPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMediaServicesKeyPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"groupId\": {\n \"value\": \"keydelivery\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Live\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMediaServicesLivePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMediaServicesLivePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"groupId\": {\n \"value\": \"liveevent\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Stream\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMediaServicesStreamPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMediaServicesStreamPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"groupId\": {\n \"value\": \"streamingendpoint\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Monitor\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/437914ee-c176-4fff-8986-7e05eb971365\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId1\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMonitorPrivateDnsZoneId1'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMonitorPrivateDnsZoneId1, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZoneId2\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMonitorPrivateDnsZoneId2'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMonitorPrivateDnsZoneId2, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZoneId3\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMonitorPrivateDnsZoneId3'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMonitorPrivateDnsZoneId3, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZoneId4\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMonitorPrivateDnsZoneId4'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMonitorPrivateDnsZoneId4, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZoneId5\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMonitorPrivateDnsZoneId5'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMonitorPrivateDnsZoneId5, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Web\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureWebPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureWebPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureBatchPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureBatchPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAppPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAppPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAsrPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAsrPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureIotPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureIotPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureKeyVaultPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureKeyVaultPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSignalRPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSignalRPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAppServicesPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAppServicesPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureEventGridTopicsPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureEventGridTopicsPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureDiskAccessPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureDiskAccessPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCognitiveServicesPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCognitiveServicesPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureIotHubsPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureIotHubsPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureEventGridDomainsPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureEventGridDomainsPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureRedisCachePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureRedisCachePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAcrPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAcrPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureEventHubNamespacePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureEventHubNamespacePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMachineLearningWorkspacePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMachineLearningWorkspacePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"secondPrivateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMachineLearningWorkspaceSecondPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMachineLearningWorkspaceSecondPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureServiceBusNamespacePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureServiceBusNamespacePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCognitiveSearchPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCognitiveSearchPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-BotService\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6a4e6f44-f2af-4082-9702-033c9e88b9f8\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureBotServicePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureBotServicePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ManagedGrafanaWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4c8537f8-cd1b-49ec-b704-18e82a42fd58\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureManagedGrafanaWorkspacePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureManagedGrafanaWorkspacePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopHostpool\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9427df23-0f42-4e1e-bf99-a6133d841c4a\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureVirtualDesktopHostpoolPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureVirtualDesktopHostpoolPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"connection\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34804460-d88b-4922-a7ca-537165e060ed\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureVirtualDesktopWorkspacePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureVirtualDesktopWorkspacePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"feed\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTDeviceupdate\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a222b93a-e6c2-4c01-817f-21e092455b2a\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureIotDeviceupdatePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureIotDeviceupdatePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Arc\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55c4db33-97b0-437b-8469-c4f4498f5df9\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\":{\n \"privateDnsZoneIDForGuestConfiguration\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureArcGuestconfigurationPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureArcGuestconfigurationPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZoneIDForHybridResourceProvider\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureArcHybridResourceProviderPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureArcHybridResourceProviderPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZoneIDForKubernetesConfiguration\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureArcKubernetesConfigurationPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureArcKubernetesConfigurationPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTCentral\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d627d7c6-ded5-481a-8f2e-7e16b1e6faf6\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureIotCentralPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureIotCentralPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/028bbd88-e9b5-461f-9424-a1b63a7bee1a\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageTablePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageTablePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table-Secondary\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c1d634a5-f73d-4cdd-889f-2cc7006eb47f\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageTableSecondaryPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageTableSecondaryPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery-Backup\",\n \"policyDefinitionId\":\"/providers/Microsoft.Authorization/policyDefinitions/af783da1-4ad1-42be-800d-d19c70038820\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"parameters\":{\n \"privateDnsZone-Backup\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSiteRecoveryBackupPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSiteRecoveryBackupPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZone-Blob\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSiteRecoveryBlobPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSiteRecoveryBlobPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZone-Queue\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSiteRecoveryQueuePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSiteRecoveryQueuePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#43": "{\n \"name\": \"Enforce-Encryption-CMK\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2023-04-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"3.2.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"MySQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure MySQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"PostgreSQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure PostgreSQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"HealthcareAPIsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure API for FHIR should use a customer-managed key (CMK) to encrypt data at rest\",\n \"description\": \"Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n },\n \"AutomationAccountCmkEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"BackupCmkEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveSearchCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"osAndDataDiskCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerInstanceCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"eventHubPremiumCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusDenyCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlManagedCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageTableCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsEncryptionCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageQueueCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"botServiceCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"audit\",\n \"Deny\",\n \"deny\",\n \"Disabled\",\n \"disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HealthcareAPIsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('HealthcareAPIsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/56a5ee18-2ae6-4810-86f7-18e39ce5629b\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AutomationAccountCmkEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2e94d99a-8a36-4563-bc77-810d8893b671\",\n \"policyDefinitionReferenceId\": \"Deny-Backup-Cmk\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BackupCmkEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/76a56461-9dc0-40f0-82f5-2453283afa2f\",\n \"policyDefinitionReferenceId\": \"Deny-CognitiveSearch-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/702dd420-7fcc-42c5-afe8-4026edd20fe0\",\n \"policyDefinitionReferenceId\": \"Deny-OsAndDataDisk-Cmk\",\n \"definitionVersion\": \"3.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('osAndDataDiskCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0aa61e00-0a01-4a3c-9945-e93cffedf0e6\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerInstance-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerInstanceCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/81e74cea-30fd-40d5-802f-d72103c2aaaa\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec52d6d-beb7-40c4-9a9e-fe753254690e\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a1ad735a-e96f-45d2-a7b2-9a4932cab7ec\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-Premium-CMK\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Premium-CMK\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubPremiumCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/295fc8b1-dc9f-4f53-9c61-3f313ceab40a\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDenyCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac01ad65-10e5-46df-bdd9-6b0cad13e1d2\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Cmk\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7c322315-e26d-4174-a99e-f49d351b4688\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Table-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageTableCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b5ec538c-daa0-4006-8596-35468b9148e8\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Encryption-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsEncryptionCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e5abd0-2554-4736-b7c0-4ffef23475ef\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Queue-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageQueueCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/51522a96-0869-4791-82f3-981000c2c67f\",\n \"policyDefinitionReferenceId\": \"Deny-BotService-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('botServiceCmk')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#44": "{\n \"name\": \"Enforce-ACSB\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2023-04-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce Azure Compute Security Benchmark compliance auditing\",\n \"description\": \"Enforce Azure Compute Security Benchmark compliance auditing for Windows and Linux virtual machines.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Guest Configuration\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"includeArcMachines\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"true\",\n \"false\"\n ],\n \"metadata\": {\n \"displayName\": \"Include Arc connected servers\",\n \"description\": \"By selecting this option, you agree to be charged monthly per Arc connected machine.\"\n },\n \"defaultValue\": \"true\"\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"AuditIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"GcIdentity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e\",\n \"definitionVersion\": \"4.*.*\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"GcLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da\",\n \"definitionVersion\": \"3.*.*\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"GcWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WinAcsb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"IncludeArcMachines\": {\n \"value\": \"[[parameters('includeArcMachines')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LinAcsb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"IncludeArcMachines\": {\n \"value\": \"[[parameters('includeArcMachines')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#45": "{\n \"name\": \"Deploy-MDFC-DefenderSQL-AMA\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Configure SQL VM and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LAW\",\n \"description\": \"Initiative is deprecated as the built-in initiative now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/de01d381-bae9-4670-8870-786f89f49e26.html\",\n \"metadata\": {\n \"version\": \"1.0.1-deprecated\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"de01d381-bae9-4670-8870-786f89f49e26\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"workspaceRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace region\",\n \"description\": \"Region of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"location\"\n }\n },\n \"dcrName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Name\",\n \"description\": \"Name of the Data Collection Rule.\"\n }\n },\n \"dcrResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Resource Group\",\n \"description\": \"Resource Group of the Data Collection Rule.\"\n }\n },\n \"dcrId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Id\",\n \"description\": \"Id of the Data Collection Rule.\"\n }\n },\n \"userWorkspaceResourceId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace Resource Id\",\n \"description\": \"Workspace resource Id of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"Enable collection of SQL queries for security research\",\n \"description\": \"Enable or disable the collection of SQL queries for security research.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n },\n \"identityResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Identity Resource Group\",\n \"description\": \"The name of the resource group created by the policy.\"\n },\n \"defaultValue\": \"\"\n },\n \"userAssignedIdentityName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"User Assigned Managed Identity Name\",\n \"description\": \"The name of the user assigned managed identity.\"\n },\n \"defaultValue\": \"\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcAma\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3592ff98-9787-443a-af59-4505d0fe0786\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcMdsql\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/65503269-6a54-4553-8a28-0065a8e6d929\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcMdsqlDcr\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-Sql-DefenderSQL-DCR\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"userWorkspaceResourceId\": {\n \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcDcrAssociation\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-SQL-DCR-Association\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlAma\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-AMA\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"identityResourceGroup\": {\n \"value\": \"[[parameters('identityResourceGroup')]\"\n },\n \"userAssignedIdentityName\": {\n \"value\": \"[[parameters('userAssignedIdentityName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlMdsql\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlMdsqlDcr\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL-DCR\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"Disabled\"\n },\n \"userWorkspaceResourceId\": {\n \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#46": "{\n \"name\": \"Enforce-Backup\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce enhanced recovery and backup policies\",\n \"description\": \"Enforce enhanced recovery and backup policies on assigned scopes.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Backup\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"version\": \"1.0.0\",\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"checkLockedImmutabilityOnly\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"checkLockedImmutabilityOnly\",\n \"description\": \"This parameter checks if Immutability is locked for Backup Vaults in scope. Selecting 'true' will mark only vaults with Immutability 'Locked' as compliant. Selecting 'false' will mark vaults that have Immutability either 'Enabled' or 'Locked' as compliant.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"CheckAlwaysOnSoftDeleteOnly\",\n \"description\": \"This parameter checks if Soft Delete is 'Locked' for Backup Vaults in scope. Selecting 'true' will mark only vaults with Soft Delete 'AlwaysOn' as compliant. Selecting 'false' will mark vaults that have Soft Delete either 'On' or 'AlwaysOn' as compliant.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-Immutability\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2514263b-bc0d-4b06-ac3e-f262c0979018\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkLockedImmutabiltyOnly\": {\n \"value\": \"[[parameters('checkLockedImmutabilityOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-Immutability\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6f6f560-14b7-49a4-9fc8-d2c3a9807868\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkLockedImmutabilityOnly\": {\n \"value\": \"[[parameters('checkLockedImmutabilityOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-SoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9798d31d-6028-4dee-8643-46102185c016\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"value\": \"[[parameters('checkAlwaysOnSoftDeleteOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-SoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/31b8092a-36b8-434b-9af7-5ec844364148\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"value\": \"[[parameters('checkAlwaysOnSoftDeleteOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-MUA\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c58e083e-7982-4e24-afdc-be14d312389e\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-MUA\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c7031eab-0fc0-4cd9-acd0-4497bd66d91a\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#46": "{\n \"name\": \"Enforce-Backup\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2023-04-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce enhanced recovery and backup policies\",\n \"description\": \"Enforce enhanced recovery and backup policies on assigned scopes.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Backup\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"version\": \"1.0.0\",\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"checkLockedImmutabilityOnly\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"checkLockedImmutabilityOnly\",\n \"description\": \"This parameter checks if Immutability is locked for Backup Vaults in scope. Selecting 'true' will mark only vaults with Immutability 'Locked' as compliant. Selecting 'false' will mark vaults that have Immutability either 'Enabled' or 'Locked' as compliant.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"CheckAlwaysOnSoftDeleteOnly\",\n \"description\": \"This parameter checks if Soft Delete is 'Locked' for Backup Vaults in scope. Selecting 'true' will mark only vaults with Soft Delete 'AlwaysOn' as compliant. Selecting 'false' will mark vaults that have Soft Delete either 'On' or 'AlwaysOn' as compliant.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-Immutability\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2514263b-bc0d-4b06-ac3e-f262c0979018\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkLockedImmutabiltyOnly\": {\n \"value\": \"[[parameters('checkLockedImmutabilityOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-Immutability\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6f6f560-14b7-49a4-9fc8-d2c3a9807868\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkLockedImmutabilityOnly\": {\n \"value\": \"[[parameters('checkLockedImmutabilityOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-SoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9798d31d-6028-4dee-8643-46102185c016\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"value\": \"[[parameters('checkAlwaysOnSoftDeleteOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-SoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/31b8092a-36b8-434b-9af7-5ec844364148\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"value\": \"[[parameters('checkAlwaysOnSoftDeleteOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-MUA\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c58e083e-7982-4e24-afdc-be14d312389e\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-MUA\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c7031eab-0fc0-4cd9-acd0-4497bd66d91a\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#47": "{\n \"name\": \"Deny-PublicPaaSEndpoints\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registires with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MariaDbPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-KeyVaultPaasPublicIP\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AFSPaasPublicIP\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#48": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VWanS2SVPNGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#49": "{\n \"name\": \"Deploy-MDFC-Config\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"3.0.1\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\":{\n \"value\":\"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#5": "{\n \"name\": \"Enforce-EncryptTransit_20240509\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit_20241211.html \",\n \"metadata\": {\n \"version\": \"1.2.0-deprecated\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Enforce-EncryptTransit\", \n \"deprecated\": true,\n \"supersededBy\": \"Enforce-EncryptTransit_20241211\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.3\",\n \"1.2\",\n \"1.1\",\n \"1.0\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionAppTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Configure Function apps to use the latest TLS version.\",\n \"description\": \"App Service Function App. Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.\"\n },\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"LogicAppTlsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageMinimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"ContainerAppsHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"logicAppHttpsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubMinTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlDbTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"definitionVersion\": \"8.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Dine-FunctionApp-Tls\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-LogicApp-TLS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('LogicAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https\",\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Without-Https\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppHttpsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063\",\n \"policyDefinitionReferenceId\": \"Dine-Function-Apps-Slots-Tls\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Tls\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Apps-Https\",\n \"definitionVersion\": \"4.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Tls\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-AppSlotTls\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71\",\n \"policyDefinitionReferenceId\": \"Deny-FuncAppSlots-Https\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\n \"policyDefinitionReferenceId\": \"Deny-FunctionApp-Https\",\n \"definitionVersion\": \"5.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Https\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Https\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-minTLS\",\n \"policyDefinitionReferenceId\": \"Deny-EH-minTLS\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubMinTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8793640-60f7-487c-b5c3-1d37215905c4\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Tls-Version\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Db-Tls\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlDbTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Tls\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tls-Version\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTlsVersion')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#5": "{\n \"name\": \"Enforce-EncryptTransit_20240509\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit_20241211.html \",\n \"metadata\": {\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Enforce-EncryptTransit\", \n \"deprecated\": true,\n \"supersededBy\": \"Enforce-EncryptTransit_20241211\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.3\",\n \"1.2\",\n \"1.1\",\n \"1.0\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionAppTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Configure Function apps to use the latest TLS version.\",\n \"description\": \"App Service Function App. Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.\"\n },\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"LogicAppTlsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageMinimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"ContainerAppsHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"logicAppHttpsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubMinTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlDbTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"definitionVersion\": \"8.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Dine-FunctionApp-Tls\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-LogicApp-TLS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('LogicAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https\",\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Without-Https\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppHttpsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063\",\n \"policyDefinitionReferenceId\": \"Dine-Function-Apps-Slots-Tls\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Tls\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Apps-Https\",\n \"definitionVersion\": \"4.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Tls\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-AppSlotTls\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71\",\n \"policyDefinitionReferenceId\": \"Deny-FuncAppSlots-Https\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\n \"policyDefinitionReferenceId\": \"Deny-FunctionApp-Https\",\n \"definitionVersion\": \"5.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Https\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Https\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-minTLS\",\n \"policyDefinitionReferenceId\": \"Deny-EH-minTLS\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubMinTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8793640-60f7-487c-b5c3-1d37215905c4\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Tls-Version\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Db-Tls\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlDbTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Tls\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tls-Version\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTlsVersion')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#50": "{\n \"name\": \"Deploy-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"Deploy-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-File-Sync\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-Private-DNS-Azure-Web\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-Web\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureWebPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-KeyVault\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#51": "{\n \"name\": \"Enforce-Encryption-CMK\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"MySQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure MySQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"PostgreSQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure PostgreSQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n\t \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQLCMKEffect\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQLCMKEffect\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#52": "{\n \"name\": \"Deny-PublicPaaSEndpoints\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registires with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MariaDbPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", @@ -129,9 +129,9 @@ "$fxv#54": "{\n \"name\": \"Deploy-MDFC-Config\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"3.0.1\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForDns\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForArm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForStorage\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForStorageAccounts\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForStorage')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForDns\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForDns')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForArm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForArm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\":{\n \"value\":\"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#55": "{\n \"name\": \"Deploy-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#56": "{\n \"name\": \"Enforce-Encryption-CMK\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n\t \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#6": "{\n \"name\": \"Enforce-EncryptTransit_20241211\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit.\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Enforce-EncryptTransit_20240509\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.3\",\n \"1.2\",\n \"1.1\",\n \"1.0\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionAppTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Configure Function apps to use the latest TLS version.\",\n \"description\": \"App Service Function App. Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.\"\n },\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"LogicAppTlsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageMinimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"ContainerAppsHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"logicAppHttpsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubMinTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlDbTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"definitionVersion\": \"8.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Dine-FunctionApp-Tls\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-LogicApp-TLS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('LogicAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https\",\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Without-Https\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppHttpsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063\",\n \"policyDefinitionReferenceId\": \"Dine-Function-Apps-Slots-Tls\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Tls\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Apps-Https\",\n \"definitionVersion\": \"4.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Tls\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-AppSlotTls\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71\",\n \"policyDefinitionReferenceId\": \"Deny-FuncAppSlots-Https\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\n \"policyDefinitionReferenceId\": \"Deny-FunctionApp-Https\",\n \"definitionVersion\": \"5.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Https\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-minTLS\",\n \"policyDefinitionReferenceId\": \"Deny-EH-minTLS\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubMinTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8793640-60f7-487c-b5c3-1d37215905c4\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Tls-Version\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Db-Tls\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlDbTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Tls\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tls-Version\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTlsVersion')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#7": "{\n \"name\": \"Enforce-ALZ-Decomm\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce policies in the Decommissioned Landing Zone\",\n \"description\": \"Enforce policies in the Decommissioned Landing Zone.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Decommissioned\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [ \n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"listOfResourceTypesAllowed\":{\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"displayName\": \"Allowed resource types in the Decommissioned landing zone\",\n \"description\": \"Allowed resource types in the Decommissioned landing zone, default is none.\",\n \"strongType\": \"resourceTypes\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DecomDenyResources\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"listOfResourceTypesAllowed\": {\n \"value\": \"[[parameters('listOfResourceTypesAllowed')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DecomShutdownMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {},\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n }\n ", - "$fxv#8": "{\n \"name\": \"Enforce-ALZ-Sandbox\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce policies in the Sandbox Landing Zone\",\n \"description\": \"Enforce policies in the Sandbox Landing Zone.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Sandbox\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"listOfResourceTypesNotAllowed\": {\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"displayName\": \"Not allowed resource types in the Sandbox landing zone\",\n \"description\": \"Not allowed resource types in the Sandbox landing zone, default is none.\",\n \"strongType\": \"resourceTypes\"\n }\n },\n \"effectNotAllowedResources\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectDenyVnetPeering\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"SandboxNotAllowed\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectNotAllowedResources')]\"\n },\n \"listOfResourceTypesNotAllowed\": {\n \"value\": \"[[parameters('listOfResourceTypesNotAllowed')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SandboxDenyVnetPeering\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-VNET-Peer-Cross-Sub\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectDenyVnetPeering')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#6": "{\n \"name\": \"Enforce-EncryptTransit_20241211\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2023-04-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit.\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Enforce-EncryptTransit_20240509\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.3\",\n \"1.2\",\n \"1.1\",\n \"1.0\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionAppTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Configure Function apps to use the latest TLS version.\",\n \"description\": \"App Service Function App. Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.\"\n },\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"LogicAppTlsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageMinimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"ContainerAppsHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"logicAppHttpsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubMinTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlDbTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"definitionVersion\": \"8.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Dine-FunctionApp-Tls\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-LogicApp-TLS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('LogicAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https\",\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Without-Https\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppHttpsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063\",\n \"policyDefinitionReferenceId\": \"Dine-Function-Apps-Slots-Tls\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Tls\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Apps-Https\",\n \"definitionVersion\": \"4.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Tls\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-AppSlotTls\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71\",\n \"policyDefinitionReferenceId\": \"Deny-FuncAppSlots-Https\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\n \"policyDefinitionReferenceId\": \"Deny-FunctionApp-Https\",\n \"definitionVersion\": \"5.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Https\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-minTLS\",\n \"policyDefinitionReferenceId\": \"Deny-EH-minTLS\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubMinTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8793640-60f7-487c-b5c3-1d37215905c4\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Tls-Version\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Db-Tls\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlDbTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Tls\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tls-Version\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTlsVersion')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#7": "{\n \"name\": \"Enforce-ALZ-Decomm\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2023-04-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce policies in the Decommissioned Landing Zone\",\n \"description\": \"Enforce policies in the Decommissioned Landing Zone.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Decommissioned\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [ \n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"listOfResourceTypesAllowed\":{\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"displayName\": \"Allowed resource types in the Decommissioned landing zone\",\n \"description\": \"Allowed resource types in the Decommissioned landing zone, default is none.\",\n \"strongType\": \"resourceTypes\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DecomDenyResources\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"listOfResourceTypesAllowed\": {\n \"value\": \"[[parameters('listOfResourceTypesAllowed')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DecomShutdownMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {},\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n }\n ", + "$fxv#8": "{\n \"name\": \"Enforce-ALZ-Sandbox\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2023-04-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce policies in the Sandbox Landing Zone\",\n \"description\": \"Enforce policies in the Sandbox Landing Zone.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Sandbox\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"listOfResourceTypesNotAllowed\": {\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"displayName\": \"Not allowed resource types in the Sandbox landing zone\",\n \"description\": \"Not allowed resource types in the Sandbox landing zone, default is none.\",\n \"strongType\": \"resourceTypes\"\n }\n },\n \"effectNotAllowedResources\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectDenyVnetPeering\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"SandboxNotAllowed\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectNotAllowedResources')]\"\n },\n \"listOfResourceTypesNotAllowed\": {\n \"value\": \"[[parameters('listOfResourceTypesNotAllowed')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SandboxDenyVnetPeering\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-VNET-Peer-Cross-Sub\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectDenyVnetPeering')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#9": "{\n \"name\": \"DenyAction-DeleteProtection\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"DenyAction Delete - Activity Log Settings and Diagnostic Settings\",\n \"description\": \"Enforces DenyAction - Delete on Activity Log Settings and Diagnostic Settings.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {},\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DenyActionDelete-DiagnosticSettings\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-DiagnosticLogs\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DenyActionDelete-ActivityLogSettings\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-ActivityLogs\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {},\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "cloudEnv": "[environment().name]", "defaultDeploymentLocationByCloudType": { diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/policies.json b/eslzArm/managementGroupTemplates/policyDefinitions/policies.json index 234ae14a6f..ff3bb5a531 100644 --- a/eslzArm/managementGroupTemplates/policyDefinitions/policies.json +++ b/eslzArm/managementGroupTemplates/policyDefinitions/policies.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.31.34.60546", - "templateHash": "17509495146756258439" + "version": "0.32.4.45862", + "templateHash": "15566551260111292640" } }, "parameters": { @@ -81,8 +81,8 @@ "$fxv#10": "{\n \"name\": \"Audit-Tags-Mandatory-Rg\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Audit for mandatory tags on resource groups\",\n \"mode\": \"Indexed\",\n \"description\": \"Audits resource groups to ensure they have required tags based on tag array.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Tags\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"mandatoryTags\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Array of mandatory tags\",\n \"description\": \"Array of mandatory tags that must be present on the resource group. The array should contain semicolon separated list of the tag names.\"\n },\n \"defaultValue\": [\n \"owner\",\n \"costcenter\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Resources/subscriptions/resourceGroups\"\n },\n {\n \"anyOf\": [\n {\n \"not\": {\n \"count\": {\n \"value\": \"[[parameters('mandatoryTags')]\",\n \"name\": \"tagcount\",\n \"where\": {\n \"field\": \"tags\",\n \"containsKey\": \"[[current('tagcount')]\"\n }\n },\n \"equals\": \"[[length(parameters('mandatoryTags'))]\"\n }\n },\n {\n \"not\": {\n \"count\": {\n \"value\": \"[[parameters('mandatoryTags')]\",\n \"name\": \"tagnullcount\",\n \"where\": {\n \"value\": \"[[resourceGroup().tags[current('tagnullcount')]]\",\n \"notMatch\": \"\"\n }\n },\n \"equals\": \"[[length(parameters('mandatoryTags'))]\"\n }\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n}", "$fxv#100": "{\n \"name\": \"Deploy-Sql-SecurityAlertPolicies\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy SQL Database security Alert Policies configuration with email admin accounts\",\n \"description\": \"Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration\",\n \"metadata\": {\n \"version\": \"1.1.1\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"emailAddresses\":{\n \"type\":\"Array\",\n \"defaultValue\":[\n \"admin@contoso.com\",\n \"admin@fabrikam.com\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Sql/servers/databases\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Sql/servers/databases/securityAlertPolicies\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Sql/servers/databases/securityAlertPolicies/state\",\n \"equals\": \"Enabled\"\n }\n ]\n },\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"location\": {\n \"type\": \"String\"\n },\n \"sqlServerName\": {\n \"type\": \"String\"\n },\n \"sqlServerDataBaseName\": {\n \"type\": \"String\"\n },\n \"emailAddresses\": {\n \"type\": \"Array\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"name\": \"[[concat(parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/default')]\",\n \"type\": \"Microsoft.Sql/servers/databases/securityAlertPolicies\",\n \"apiVersion\": \"2018-06-01-preview\",\n \"properties\": {\n \"state\": \"Enabled\",\n \"disabledAlerts\": [\n \"\"\n ],\n \"emailAddresses\": \"[[parameters('emailAddresses')]\",\n \"emailAccountAdmins\": true,\n \"storageEndpoint\": null,\n \"storageAccountAccessKey\": \"\",\n \"retentionDays\": 0\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"sqlServerName\": {\n \"value\": \"[[first(split(field('fullname'),'/'))]\"\n },\n \"sqlServerDataBaseName\": {\n \"value\": \"[[field('name')]\"\n },\n \"emailAddresses\":{\n \"value\": \"[[parameters('emailAddresses')]\"\n }\n }\n }\n },\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3\"\n ]\n }\n }\n }\n }\n}\n", "$fxv#101": "{\n \"name\": \"Deploy-Sql-Tde\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated] Deploy SQL Database Transparent Data Encryption\",\n \"description\": \"Deploy the Transparent Data Encryption when it is not enabled in the deployment. Please use this policy instead https://www.azadvertizer.net/azpolicyadvertizer/86a912f6-9a06-4e26-b447-11b16ba8659f.html\",\n \"metadata\": {\n \"deprecated\": true,\n \"supersededBy\": \"86a912f6-9a06-4e26-b447-11b16ba8659f\",\n \"version\": \"1.1.1-deprecated\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"excludedDatabases\": {\n \"type\": \"Array\",\n \"metadata\":{\n \"displayName\": \"Excluded Databases\",\n \"description\": \"Array of databases that are excluded from this policy\"\n },\n \"defaultValue\": [\n \"master\",\n \"model\",\n \"tempdb\",\n \"msdb\",\n \"resource\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Sql/servers/databases\"\n },\n {\n \"field\": \"name\",\n \"notIn\": \"[[parameters('excludedDatabases')]\"\n\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Sql/servers/databases/transparentDataEncryption\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Sql/transparentDataEncryption.status\",\n \"equals\": \"Enabled\"\n }\n ]\n },\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"location\": {\n \"type\": \"String\"\n },\n \"sqlServerName\": {\n \"type\": \"String\"\n },\n \"sqlServerDataBaseName\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"name\": \"[[concat( parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/current')]\",\n \"type\": \"Microsoft.Sql/servers/databases/transparentDataEncryption\",\n \"apiVersion\": \"2014-04-01\",\n \"properties\": {\n \"status\": \"Enabled\"\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"sqlServerName\": {\n \"value\": \"[[first(split(field('fullname'),'/'))]\"\n },\n \"sqlServerDataBaseName\": {\n \"value\": \"[[field('name')]\"\n }\n }\n }\n },\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3\"\n ]\n }\n }\n }\n }\n}", - "$fxv#102": "{\n \"name\": \"Deploy-Sql-vulnerabilityAssessments\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy SQL Database vulnerability Assessments\",\n \"description\": \"Deploy SQL Database vulnerability Assessments when it not exist in the deployment. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Sql-vulnerabilityAssessments_20230706.html\",\n \"metadata\": {\n \"version\": \"1.0.1-deprecated\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"Deploy-Sql-vulnerabilityAssessments_20230706\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"vulnerabilityAssessmentsEmail\": {\n \"type\": \"String\",\n \"metadata\": {\n \"description\": \"The email address to send alerts. For multiple emails, format in the following 'email1@contoso.com;email2@contoso.com'\",\n \"displayName\": \"The email address to send alerts. For multiple emails, format in the following 'email1@contoso.com;email2@contoso.com'\"\n }\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"type\": \"String\",\n \"metadata\": {\n \"description\": \"The storage account ID to store assessments\",\n \"displayName\": \"The storage account ID to store assessments\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Sql/servers/databases\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Sql/servers/databases/vulnerabilityAssessments\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.emails\",\n \"equals\": \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n },\n {\n \"field\": \"Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.isEnabled\",\n \"equals\": true\n }\n ]\n },\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"location\": {\n \"type\": \"String\"\n },\n \"sqlServerName\": {\n \"type\": \"String\"\n },\n \"sqlServerDataBaseName\": {\n \"type\": \"String\"\n },\n \"vulnerabilityAssessmentsEmail\": {\n \"type\": \"String\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"name\": \"[[concat(parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/default')]\",\n \"type\": \"Microsoft.Sql/servers/databases/vulnerabilityAssessments\",\n \"apiVersion\": \"2017-03-01-preview\",\n \"properties\": {\n \"storageContainerPath\": \"[[concat('https://', last( split(parameters('vulnerabilityAssessmentsStorageID') , '/') ) , '.blob.core.windows.net/vulneraabilitylogs')]\",\n \"storageAccountAccessKey\": \"[[listkeys(parameters('vulnerabilityAssessmentsStorageID'), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value]\",\n \"recurringScans\": {\n \"isEnabled\": true,\n \"emailSubscriptionAdmins\": false,\n \"emails\": [\n \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n ]\n }\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"sqlServerName\": {\n \"value\": \"[[first(split(field('fullname'),'/'))]\"\n },\n \"sqlServerDataBaseName\": {\n \"value\": \"[[field('name')]\"\n },\n \"vulnerabilityAssessmentsEmail\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsStorageID')]\"\n }\n }\n }\n },\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3\",\n \"/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab\"\n ]\n }\n }\n }\n }\n}\n", - "$fxv#103": "{\n \"name\": \"Deploy-Sql-vulnerabilityAssessments_20230706\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy SQL Database Vulnerability Assessments\",\n \"description\": \"Deploy SQL Database Vulnerability Assessments when it does not exist in the deployment, and save results to the storage account specified in the parameters.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Deploy-Sql-vulnerabilityAssessments\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"vulnerabilityAssessmentsEmail\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"description\": \"The email address(es) to send alerts.\",\n \"displayName\": \"The email address(es) to send alerts.\"\n }\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"type\": \"String\",\n \"metadata\": {\n \"description\": \"The storage account ID to store assessments\",\n \"displayName\": \"The storage account ID to store assessments\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Sql/servers/databases\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Sql/servers/databases/vulnerabilityAssessments\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"count\": {\n \"field\": \"Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.emails[*]\",\n \"where\": {\n \"value\": \"current(Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.emails[*])\",\n \"notIn\": \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n }\n },\n \"greater\": 0\n },\n {\n \"field\": \"Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.isEnabled\",\n \"equals\": true\n }\n ]\n },\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"location\": {\n \"type\": \"String\"\n },\n \"sqlServerName\": {\n \"type\": \"String\"\n },\n \"sqlServerDataBaseName\": {\n \"type\": \"String\"\n },\n \"vulnerabilityAssessmentsEmail\": {\n \"type\": \"Array\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"name\": \"[[concat(parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/default')]\",\n \"type\": \"Microsoft.Sql/servers/databases/vulnerabilityAssessments\",\n \"apiVersion\": \"2017-03-01-preview\",\n \"properties\": {\n \"storageContainerPath\": \"[[concat('https://', last( split(parameters('vulnerabilityAssessmentsStorageID') , '/') ) , '.blob.core.windows.net/vulneraabilitylogs')]\",\n \"storageAccountAccessKey\": \"[[listkeys(parameters('vulnerabilityAssessmentsStorageID'), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value]\",\n \"recurringScans\": {\n \"isEnabled\": true,\n \"emailSubscriptionAdmins\": false,\n \"emails\": \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n }\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"sqlServerName\": {\n \"value\": \"[[first(split(field('fullname'),'/'))]\"\n },\n \"sqlServerDataBaseName\": {\n \"value\": \"[[field('name')]\"\n },\n \"vulnerabilityAssessmentsEmail\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsStorageID')]\"\n }\n }\n }\n },\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3\",\n \"/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab\"\n ]\n }\n }\n }\n }\n}\n", + "$fxv#102": "{\n \"name\": \"Deploy-Sql-vulnerabilityAssessments\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"[Deprecated]: Deploy SQL Database vulnerability Assessments\",\n \"description\": \"Deploy SQL Database vulnerability Assessments when it not exist in the deployment. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Sql-vulnerabilityAssessments_20230706.html\",\n \"metadata\": {\n \"version\": \"1.0.1-deprecated\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"Deploy-Sql-vulnerabilityAssessments_20230706\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"vulnerabilityAssessmentsEmail\": {\n \"type\": \"String\",\n \"metadata\": {\n \"description\": \"The email address to send alerts. For multiple emails, format in the following 'email1@contoso.com;email2@contoso.com'\",\n \"displayName\": \"The email address to send alerts. For multiple emails, format in the following 'email1@contoso.com;email2@contoso.com'\"\n }\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"type\": \"String\",\n \"metadata\": {\n \"description\": \"The storage account ID to store assessments\",\n \"displayName\": \"The storage account ID to store assessments\",\n \"assignPermissions\": true\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Sql/servers/databases\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Sql/servers/databases/vulnerabilityAssessments\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.emails\",\n \"equals\": \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n },\n {\n \"field\": \"Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.isEnabled\",\n \"equals\": true\n }\n ]\n },\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"location\": {\n \"type\": \"String\"\n },\n \"sqlServerName\": {\n \"type\": \"String\"\n },\n \"sqlServerDataBaseName\": {\n \"type\": \"String\"\n },\n \"vulnerabilityAssessmentsEmail\": {\n \"type\": \"String\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"name\": \"[[concat(parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/default')]\",\n \"type\": \"Microsoft.Sql/servers/databases/vulnerabilityAssessments\",\n \"apiVersion\": \"2017-03-01-preview\",\n \"properties\": {\n \"storageContainerPath\": \"[[concat('https://', last( split(parameters('vulnerabilityAssessmentsStorageID') , '/') ) , '.blob.core.windows.net/vulneraabilitylogs')]\",\n \"storageAccountAccessKey\": \"[[listkeys(parameters('vulnerabilityAssessmentsStorageID'), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value]\",\n \"recurringScans\": {\n \"isEnabled\": true,\n \"emailSubscriptionAdmins\": false,\n \"emails\": [\n \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n ]\n }\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"sqlServerName\": {\n \"value\": \"[[first(split(field('fullname'),'/'))]\"\n },\n \"sqlServerDataBaseName\": {\n \"value\": \"[[field('name')]\"\n },\n \"vulnerabilityAssessmentsEmail\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsStorageID')]\"\n }\n }\n }\n },\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3\",\n \"/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab\"\n ]\n }\n }\n }\n }\n}\n", + "$fxv#103": "{\n \"name\": \"Deploy-Sql-vulnerabilityAssessments_20230706\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy SQL Database Vulnerability Assessments\",\n \"description\": \"Deploy SQL Database Vulnerability Assessments when it does not exist in the deployment, and save results to the storage account specified in the parameters.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Deploy-Sql-vulnerabilityAssessments\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"vulnerabilityAssessmentsEmail\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"description\": \"The email address(es) to send alerts.\",\n \"displayName\": \"The email address(es) to send alerts.\"\n }\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"type\": \"String\",\n \"metadata\": {\n \"description\": \"The storage account ID to store assessments\",\n \"displayName\": \"The storage account ID to store assessments\",\n \"assignPermissions\": true\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Sql/servers/databases\"\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Sql/servers/databases/vulnerabilityAssessments\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"count\": {\n \"field\": \"Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.emails[*]\",\n \"where\": {\n \"value\": \"current(Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.emails[*])\",\n \"notIn\": \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n }\n },\n \"greater\": 0\n },\n {\n \"field\": \"Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.isEnabled\",\n \"equals\": true\n }\n ]\n },\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"location\": {\n \"type\": \"String\"\n },\n \"sqlServerName\": {\n \"type\": \"String\"\n },\n \"sqlServerDataBaseName\": {\n \"type\": \"String\"\n },\n \"vulnerabilityAssessmentsEmail\": {\n \"type\": \"Array\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"name\": \"[[concat(parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/default')]\",\n \"type\": \"Microsoft.Sql/servers/databases/vulnerabilityAssessments\",\n \"apiVersion\": \"2017-03-01-preview\",\n \"properties\": {\n \"storageContainerPath\": \"[[concat('https://', last( split(parameters('vulnerabilityAssessmentsStorageID') , '/') ) , '.blob.core.windows.net/vulneraabilitylogs')]\",\n \"storageAccountAccessKey\": \"[[listkeys(parameters('vulnerabilityAssessmentsStorageID'), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value]\",\n \"recurringScans\": {\n \"isEnabled\": true,\n \"emailSubscriptionAdmins\": false,\n \"emails\": \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n }\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"location\": {\n \"value\": \"[[field('location')]\"\n },\n \"sqlServerName\": {\n \"value\": \"[[first(split(field('fullname'),'/'))]\"\n },\n \"sqlServerDataBaseName\": {\n \"value\": \"[[field('name')]\"\n },\n \"vulnerabilityAssessmentsEmail\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsStorageID')]\"\n }\n }\n }\n },\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3\",\n \"/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n \"/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab\"\n ]\n }\n }\n }\n }\n}\n", "$fxv#104": "{\n \"name\": \"Deploy-SqlMi-minTLS\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"SQL managed instances deploy a specific min TLS version requirement.\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL managed instances. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\n \"metadata\": {\n \"version\": \"1.3.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect SQL servers\",\n \"description\": \"Enable or disable the execution of the policy minimum TLS version SQL servers\"\n }\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.1\",\n \"1.0\"\n ],\n \"metadata\": {\n \"displayName\": \"Select version for SQL server\",\n \"description\": \"Select version minimum TLS version SQL servers to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Sql/managedInstances\"\n },\n {\n \"field\": \"Microsoft.Sql/managedInstances/minimalTlsVersion\",\n \"less\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Sql/managedInstances\",\n \"evaluationDelay\": \"AfterProvisioningSuccess\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Sql/managedInstances/minimalTlsVersion\",\n \"equals\": \"[[parameters('minimalTlsVersion')]\"\n }\n ]\n },\n \"name\": \"current\",\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/4939a1f6-9ae0-4e48-a1e0-f2cbe897382d\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"minimalTlsVersion\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Sql/managedInstances\",\n \"apiVersion\": \"2020-02-02-preview\",\n \"name\": \"[[concat(parameters('resourceName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"minimalTlsVersion\": \"[[parameters('minimalTlsVersion')]\"\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('minimalTlsVersion')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", "$fxv#105": "{\n \"name\": \"Deploy-Storage-sslEnforcement\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Azure Storage deploy a specific min TLS version requirement and enforce SSL/HTTPS \",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Storage. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your Azure Storage.\",\n \"metadata\": {\n \"version\": \"1.3.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect Azure Storage\",\n \"description\": \"Enable or disable the execution of the policy minimum TLS version Azure STorage\"\n }\n },\n \"minimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Select TLS version for Azure Storage server\",\n \"description\": \"Select version minimum TLS version Azure STorage to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly\",\n \"notEquals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/minimumTlsVersion\",\n \"less\": \"[[parameters('minimumTlsVersion')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Storage/storageAccounts\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly\",\n \"equals\": \"true\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/minimumTlsVersion\",\n \"equals\": \"[[parameters('minimumTlsVersion')]\"\n }\n ]\n },\n \"name\": \"current\",\n \"roleDefinitionIds\": [\n \"/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"resourceName\": {\n \"type\": \"String\"\n },\n \"minimumTlsVersion\": {\n \"type\": \"String\"\n },\n \"location\": {\n \"type\": \"String\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Storage/storageAccounts\",\n \"apiVersion\": \"2019-06-01\",\n \"name\": \"[[concat(parameters('resourceName'))]\",\n \"location\": \"[[parameters('location')]\",\n \"properties\": {\n \"supportsHttpsTrafficOnly\": true,\n \"minimumTlsVersion\": \"[[parameters('minimumTlsVersion')]\"\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"resourceName\": {\n \"value\": \"[[field('name')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('minimumTlsVersion')]\"\n },\n \"location\": {\n \"value\": \"[[field('location')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", "$fxv#106": "{\n \"name\": \"Deploy-VNET-HubSpoke\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy Virtual Network with peering to the hub\",\n \"description\": \"This policy deploys virtual network and peer to the hub\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"vNetName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"vNetName\",\n \"description\": \"Name of the landing zone vNet\"\n }\n },\n \"vNetRgName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"vNetRgName\",\n \"description\": \"Name of the landing zone vNet RG\"\n }\n },\n \"vNetLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"vNetLocation\",\n \"description\": \"Location for the vNet\"\n }\n },\n \"vNetCidrRange\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"vNetCidrRange\",\n \"description\": \"CIDR Range for the vNet\"\n }\n },\n \"hubResourceId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"hubResourceId\",\n \"description\": \"Resource ID for the HUB vNet\"\n }\n },\n \"dnsServers\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"DNSServers\",\n \"description\": \"Default domain servers for the vNET.\"\n },\n \"defaultValue\": []\n },\n \"vNetPeerUseRemoteGateway\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"vNetPeerUseRemoteGateway\",\n \"description\": \"Enable gateway transit for the LZ network\"\n },\n \"defaultValue\": false\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Resources/subscriptions\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"deployIfNotExists\",\n \"details\": {\n \"type\": \"Microsoft.Network/virtualNetworks\",\n \"name\": \"[[parameters('vNetName')]\",\n \"deploymentScope\": \"subscription\",\n \"existenceScope\": \"resourceGroup\",\n \"ResourceGroupName\": \"[[parameters('vNetRgName')]\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n ],\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"name\",\n \"like\": \"[[parameters('vNetName')]\"\n },\n {\n \"field\": \"location\",\n \"equals\": \"[[parameters('vNetLocation')]\"\n }\n ]\n },\n \"deployment\": {\n \"location\": \"northeurope\",\n \"properties\": {\n \"mode\": \"Incremental\",\n \"parameters\": {\n \"vNetRgName\": {\n \"value\": \"[[parameters('vNetRgName')]\"\n },\n \"vNetName\": {\n \"value\": \"[[parameters('vNetName')]\"\n },\n \"vNetLocation\": {\n \"value\": \"[[parameters('vNetLocation')]\"\n },\n \"vNetCidrRange\": {\n \"value\": \"[[parameters('vNetCidrRange')]\"\n },\n \"hubResourceId\": {\n \"value\": \"[[parameters('hubResourceId')]\"\n },\n \"dnsServers\": {\n \"value\": \"[[parameters('dnsServers')]\"\n },\n \"vNetPeerUseRemoteGateway\": {\n \"value\": \"[[parameters('vNetPeerUseRemoteGateway')]\"\n }\n },\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"vNetRgName\": {\n \"type\": \"String\"\n },\n \"vNetName\": {\n \"type\": \"String\"\n },\n \"vNetLocation\": {\n \"type\": \"String\"\n },\n \"vNetCidrRange\": {\n \"type\": \"String\"\n },\n \"vNetPeerUseRemoteGateway\": {\n \"type\": \"bool\",\n \"defaultValue\": false\n },\n \"hubResourceId\": {\n \"type\": \"String\"\n },\n \"dnsServers\": {\n \"type\": \"Array\",\n \"defaultValue\": []\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2021-04-01\",\n \"name\": \"[[concat('alz-vnet-rg-', parameters('vNetLocation'), '-', substring(uniqueString(subscription().id),0,6))]\",\n \"location\": \"[[parameters('vNetLocation')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {},\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Resources/resourceGroups\",\n \"apiVersion\": \"2021-04-01\",\n \"name\": \"[[parameters('vNetRgName')]\",\n \"location\": \"[[parameters('vNetLocation')]\",\n \"properties\": {}\n }\n ],\n \"outputs\": {}\n }\n }\n },\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2021-04-01\",\n \"name\": \"[[concat('alz-vnet-', parameters('vNetLocation'), '-', substring(uniqueString(subscription().id),0,6))]\",\n \"dependsOn\": [\n \"[[concat('alz-vnet-rg-', parameters('vNetLocation'), '-', substring(uniqueString(subscription().id),0,6))]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {},\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/virtualNetworks\",\n \"apiVersion\": \"2021-02-01\",\n \"name\": \"[[parameters('vNetName')]\",\n \"location\": \"[[parameters('vNetLocation')]\",\n \"dependsOn\": [],\n \"properties\": {\n \"addressSpace\": {\n \"addressPrefixes\": [\n \"[[parameters('vNetCidrRange')]\"\n ]\n },\n \"dhcpOptions\": {\n \"dnsServers\": \"[[parameters('dnsServers')]\"\n }\n }\n },\n {\n \"type\": \"Microsoft.Network/virtualNetworks/virtualNetworkPeerings\",\n \"apiVersion\": \"2021-02-01\",\n \"name\": \"[[concat(parameters('vNetName'), '/peerToHub')]\",\n \"dependsOn\": [\n \"[[parameters('vNetName')]\"\n ],\n \"properties\": {\n \"remoteVirtualNetwork\": {\n \"id\": \"[[parameters('hubResourceId')]\"\n },\n \"allowVirtualNetworkAccess\": true,\n \"allowForwardedTraffic\": true,\n \"allowGatewayTransit\": false,\n \"useRemoteGateways\": \"[[parameters('vNetPeerUseRemoteGateway')]\"\n }\n },\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2021-04-01\",\n \"name\": \"[[concat('alz-hub-peering-', parameters('vNetLocation'), '-', substring(uniqueString(subscription().id),0,6))]\",\n \"subscriptionId\": \"[[split(parameters('hubResourceId'),'/')[2]]\",\n \"resourceGroup\": \"[[split(parameters('hubResourceId'),'/')[4]]\",\n \"dependsOn\": [\n \"[[parameters('vNetName')]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"expressionEvaluationOptions\": {\n \"scope\": \"inner\"\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"remoteVirtualNetwork\": {\n \"type\": \"String\",\n \"defaultValue\": false\n },\n \"hubName\": {\n \"type\": \"String\",\n \"defaultValue\": false\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/virtualNetworks/virtualNetworkPeerings\",\n \"name\": \"[[[concat(parameters('hubName'),'/',last(split(parameters('remoteVirtualNetwork'),'/')))]\",\n \"apiVersion\": \"2021-02-01\",\n \"properties\": {\n \"allowVirtualNetworkAccess\": true,\n \"allowForwardedTraffic\": true,\n \"allowGatewayTransit\": true,\n \"useRemoteGateways\": false,\n \"remoteVirtualNetwork\": {\n \"id\": \"[[[parameters('remoteVirtualNetwork')]\"\n }\n }\n }\n ],\n \"outputs\": {}\n },\n \"parameters\": {\n \"remoteVirtualNetwork\": {\n \"value\": \"[[concat(subscription().id,'/resourceGroups/',parameters('vNetRgName'), '/providers/','Microsoft.Network/virtualNetworks/', parameters('vNetName'))]\"\n },\n \"hubName\": {\n \"value\": \"[[split(parameters('hubResourceId'),'/')[8]]\"\n }\n }\n }\n }\n ],\n \"outputs\": {}\n }\n },\n \"resourceGroup\": \"[[parameters('vNetRgName')]\"\n }\n ],\n \"outputs\": {}\n }\n }\n }\n }\n }\n }\n }\n}\n", diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config_20240319.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config_20240319.json index e41c91ec44..8213177ed3 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config_20240319.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config_20240319.json @@ -1,7 +1,7 @@ { "name": "Deploy-MDFC-Config_20240319", "type": "Microsoft.Authorization/policySetDefinitions", - "apiVersion": "2021-06-01", + "apiVersion": "2023-04-01", "scope": null, "properties": { "policyType": "Custom", diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.json index 3cef615d12..64776e7821 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.json @@ -1,7 +1,7 @@ { "name": "Deploy-Private-DNS-Zones", "type": "Microsoft.Authorization/policySetDefinitions", - "apiVersion": "2021-06-01", + "apiVersion": "2023-04-01", "scope": null, "properties": { "policyType": "Custom", diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Sql-Security_20240529.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Sql-Security_20240529.json index 4b27561c57..35c0d42a86 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Sql-Security_20240529.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Sql-Security_20240529.json @@ -1,7 +1,7 @@ { "name": "Deploy-Sql-Security_20240529", "type": "Microsoft.Authorization/policySetDefinitions", - "apiVersion": "2021-06-01", + "apiVersion": "2023-04-01", "scope": null, "properties": { "policyType": "Custom", diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-ACSB.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-ACSB.json index 8d3406614b..59b74c57f5 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-ACSB.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-ACSB.json @@ -1,7 +1,7 @@ { "name": "Enforce-ACSB", "type": "Microsoft.Authorization/policySetDefinitions", - "apiVersion": "2021-06-01", + "apiVersion": "2023-04-01", "scope": null, "properties": { "policyType": "Custom", diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Decomm.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Decomm.json index 536bda1e22..81e076dcb1 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Decomm.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Decomm.json @@ -1,7 +1,7 @@ { "name": "Enforce-ALZ-Decomm", "type": "Microsoft.Authorization/policySetDefinitions", - "apiVersion": "2021-06-01", + "apiVersion": "2023-04-01", "scope": null, "properties": { "policyType": "Custom", diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Sandbox.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Sandbox.json index 56df9b97ac..68bfbcaf2c 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Sandbox.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Sandbox.json @@ -1,7 +1,7 @@ { "name": "Enforce-ALZ-Sandbox", "type": "Microsoft.Authorization/policySetDefinitions", - "apiVersion": "2021-06-01", + "apiVersion": "2023-04-01", "scope": null, "properties": { "policyType": "Custom", diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Backup.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Backup.json index 3c4c40a709..a6292911d2 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Backup.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Backup.json @@ -1,7 +1,7 @@ { "name": "Enforce-Backup", "type": "Microsoft.Authorization/policySetDefinitions", - "apiVersion": "2021-06-01", + "apiVersion": "2023-04-01", "scope": null, "properties": { "policyType": "Custom", diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509.json index 72d558b49b..87035d952a 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509.json @@ -8,7 +8,7 @@ "displayName": "[Deprecated]: Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit", "description": "Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit_20241211.html ", "metadata": { - "version": "1.2.0-deprecated", + "version": "1.0.0-deprecated", "category": "Encryption", "source": "https://github.com/Azure/Enterprise-Scale/", "replacesPolicy": "Enforce-EncryptTransit", diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20241211.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20241211.json index 55e1b8c2b8..937d30722b 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20241211.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20241211.json @@ -1,7 +1,7 @@ { "name": "Enforce-EncryptTransit_20241211", "type": "Microsoft.Authorization/policySetDefinitions", - "apiVersion": "2021-06-01", + "apiVersion": "2023-04-01", "scope": null, "properties": { "policyType": "Custom", diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK.json index 03e5c702c1..003f159baf 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK.json @@ -1,7 +1,7 @@ { "name": "Enforce-Encryption-CMK", "type": "Microsoft.Authorization/policySetDefinitions", - "apiVersion": "2021-06-01", + "apiVersion": "2023-04-01", "scope": null, "properties": { "policyType": "Custom", diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-APIM.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-APIM.json index e868638e72..b0f0ba26dc 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-APIM.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-APIM.json @@ -1,7 +1,7 @@ { "name": "Enforce-Guardrails-APIM", "type": "Microsoft.Authorization/policySetDefinitions", - "apiVersion": "2021-06-01", + "apiVersion": "2023-04-01", "scope": null, "properties": { "policyType": "Custom", diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-AppServices.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-AppServices.json index ac475138fc..44bd1adc39 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-AppServices.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-AppServices.json @@ -1,7 +1,7 @@ { "name": "Enforce-Guardrails-AppServices", "type": "Microsoft.Authorization/policySetDefinitions", - "apiVersion": "2021-06-01", + "apiVersion": "2023-04-01", "scope": null, "properties": { "policyType": "Custom", diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Automation.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Automation.json index 86c0db18cb..602cb2d2f0 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Automation.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Automation.json @@ -1,7 +1,7 @@ { "name": "Enforce-Guardrails-Automation", "type": "Microsoft.Authorization/policySetDefinitions", - "apiVersion": "2021-06-01", + "apiVersion": "2023-04-01", "scope": null, "properties": { "policyType": "Custom", diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-BotService.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-BotService.json index 91d7aa44fc..aed09b1d48 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-BotService.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-BotService.json @@ -1,7 +1,7 @@ { "name": "Enforce-Guardrails-BotService", "type": "Microsoft.Authorization/policySetDefinitions", - "apiVersion": "2021-06-01", + "apiVersion": "2023-04-01", "scope": null, "properties": { "policyType": "Custom", diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CognitiveServices.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CognitiveServices.json index 872f72a090..b57bfb49d4 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CognitiveServices.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CognitiveServices.json @@ -1,7 +1,7 @@ { "name": "Enforce-Guardrails-CognitiveServices", "type": "Microsoft.Authorization/policySetDefinitions", - "apiVersion": "2021-06-01", + "apiVersion": "2023-04-01", "scope": null, "properties": { "policyType": "Custom", diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Compute.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Compute.json index 5a34c0dfe2..35c5b66025 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Compute.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Compute.json @@ -1,7 +1,7 @@ { "name": "Enforce-Guardrails-Compute", "type": "Microsoft.Authorization/policySetDefinitions", - "apiVersion": "2021-06-01", + "apiVersion": "2023-04-01", "scope": null, "properties": { "policyType": "Custom", diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerApps.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerApps.json index d02647880d..a1e3c4fbbc 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerApps.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerApps.json @@ -1,7 +1,7 @@ { "name": "Enforce-Guardrails-ContainerApps", "type": "Microsoft.Authorization/policySetDefinitions", - "apiVersion": "2021-06-01", + "apiVersion": "2023-04-01", "scope": null, "properties": { "policyType": "Custom", diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerInstance.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerInstance.json index 4b77267b64..e2ddfc4af7 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerInstance.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerInstance.json @@ -1,7 +1,7 @@ { "name": "Enforce-Guardrails-ContainerInstance", "type": "Microsoft.Authorization/policySetDefinitions", - "apiVersion": "2021-06-01", + "apiVersion": "2023-04-01", "scope": null, "properties": { "policyType": "Custom", diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerRegistry.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerRegistry.json index be1bc75d92..1cdcd26a1f 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerRegistry.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerRegistry.json @@ -1,7 +1,7 @@ { "name": "Enforce-Guardrails-ContainerRegistry", "type": "Microsoft.Authorization/policySetDefinitions", - "apiVersion": "2021-06-01", + "apiVersion": "2023-04-01", "scope": null, "properties": { "policyType": "Custom", diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CosmosDb.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CosmosDb.json index b5a8990fc1..473ca11a33 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CosmosDb.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CosmosDb.json @@ -1,7 +1,7 @@ { "name": "Enforce-Guardrails-CosmosDb", "type": "Microsoft.Authorization/policySetDefinitions", - "apiVersion": "2021-06-01", + "apiVersion": "2023-04-01", "scope": null, "properties": { "policyType": "Custom", diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-DataExplorer.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-DataExplorer.json index 2e058c5dc3..9958d76cca 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-DataExplorer.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-DataExplorer.json @@ -1,7 +1,7 @@ { "name": "Enforce-Guardrails-DataExplorer", "type": "Microsoft.Authorization/policySetDefinitions", - "apiVersion": "2021-06-01", + "apiVersion": "2023-04-01", "scope": null, "properties": { "policyType": "Custom", diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-DataFactory.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-DataFactory.json index 139b42cbeb..44ba02981e 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-DataFactory.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-DataFactory.json @@ -1,7 +1,7 @@ { "name": "Enforce-Guardrails-DataFactory", "type": "Microsoft.Authorization/policySetDefinitions", - "apiVersion": "2021-06-01", + "apiVersion": "2023-04-01", "scope": null, "properties": { "policyType": "Custom", diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-EventGrid.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-EventGrid.json index 874f523183..ee1e6ce6cc 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-EventGrid.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-EventGrid.json @@ -1,7 +1,7 @@ { "name": "Enforce-Guardrails-EventGrid", "type": "Microsoft.Authorization/policySetDefinitions", - "apiVersion": "2021-06-01", + "apiVersion": "2023-04-01", "scope": null, "properties": { "policyType": "Custom", diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-EventHub.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-EventHub.json index 63e2d2d627..b72ffea21e 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-EventHub.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-EventHub.json @@ -1,7 +1,7 @@ { "name": "Enforce-Guardrails-EventHub", "type": "Microsoft.Authorization/policySetDefinitions", - "apiVersion": "2021-06-01", + "apiVersion": "2023-04-01", "scope": null, "properties": { "policyType": "Custom", diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault-Sup.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault-Sup.json index 80f674ccf5..c5b8330fad 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault-Sup.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault-Sup.json @@ -1,7 +1,7 @@ { "name": "Enforce-Guardrails-KeyVault-Sup", "type": "Microsoft.Authorization/policySetDefinitions", - "apiVersion": "2021-06-01", + "apiVersion": "2023-04-01", "scope": null, "properties": { "policyType": "Custom", diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault.json index 8b68f17728..9d4fb93156 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault.json @@ -1,7 +1,7 @@ { "name": "Enforce-Guardrails-KeyVault", "type": "Microsoft.Authorization/policySetDefinitions", - "apiVersion": "2021-06-01", + "apiVersion": "2023-04-01", "scope": null, "properties": { "policyType": "Custom", diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Kubernetes.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Kubernetes.json index c1617dbb00..a49c23e8af 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Kubernetes.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Kubernetes.json @@ -1,7 +1,7 @@ { "name": "Enforce-Guardrails-Kubernetes", "type": "Microsoft.Authorization/policySetDefinitions", - "apiVersion": "2021-06-01", + "apiVersion": "2023-04-01", "scope": null, "properties": { "policyType": "Custom", diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MachineLearning.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MachineLearning.json index b0ea706aa0..5ba4b64489 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MachineLearning.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MachineLearning.json @@ -1,7 +1,7 @@ { "name": "Enforce-Guardrails-MachineLearning", "type": "Microsoft.Authorization/policySetDefinitions", - "apiVersion": "2021-06-01", + "apiVersion": "2023-04-01", "scope": null, "properties": { "policyType": "Custom", diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MySQL.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MySQL.json index 9a6d495303..d497cd4b22 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MySQL.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MySQL.json @@ -1,7 +1,7 @@ { "name": "Enforce-Guardrails-MySQL", "type": "Microsoft.Authorization/policySetDefinitions", - "apiVersion": "2021-06-01", + "apiVersion": "2023-04-01", "scope": null, "properties": { "policyType": "Custom", diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.json index 759150d4a8..10c4802726 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.json @@ -1,7 +1,7 @@ { "name": "Enforce-Guardrails-Network", "type": "Microsoft.Authorization/policySetDefinitions", - "apiVersion": "2021-06-01", + "apiVersion": "2023-04-01", "scope": null, "properties": { "policyType": "Custom", diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-OpenAI.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-OpenAI.json index 5e4a1a811b..3da6d5e0b4 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-OpenAI.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-OpenAI.json @@ -1,7 +1,7 @@ { "name": "Enforce-Guardrails-OpenAI", "type": "Microsoft.Authorization/policySetDefinitions", - "apiVersion": "2021-06-01", + "apiVersion": "2023-04-01", "scope": null, "properties": { "policyType": "Custom", diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-PostgreSQL.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-PostgreSQL.json index 8c12837c6c..a42d7f2403 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-PostgreSQL.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-PostgreSQL.json @@ -1,7 +1,7 @@ { "name": "Enforce-Guardrails-PostgreSQL", "type": "Microsoft.Authorization/policySetDefinitions", - "apiVersion": "2021-06-01", + "apiVersion": "2023-04-01", "scope": null, "properties": { "policyType": "Custom", diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-SQL.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-SQL.json index eb60f036e0..e20901af19 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-SQL.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-SQL.json @@ -1,7 +1,7 @@ { "name": "Enforce-Guardrails-SQL", "type": "Microsoft.Authorization/policySetDefinitions", - "apiVersion": "2021-06-01", + "apiVersion": "2023-04-01", "scope": null, "properties": { "policyType": "Custom", diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ServiceBus.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ServiceBus.json index 2e4e849e38..02ad6bc820 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ServiceBus.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ServiceBus.json @@ -1,7 +1,7 @@ { "name": "Enforce-Guardrails-ServiceBus", "type": "Microsoft.Authorization/policySetDefinitions", - "apiVersion": "2021-06-01", + "apiVersion": "2023-04-01", "scope": null, "properties": { "policyType": "Custom", diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Storage.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Storage.json index a50e26bfbe..806e0ccb0c 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Storage.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Storage.json @@ -1,7 +1,7 @@ { "name": "Enforce-Guardrails-Storage", "type": "Microsoft.Authorization/policySetDefinitions", - "apiVersion": "2021-06-01", + "apiVersion": "2023-04-01", "scope": null, "properties": { "policyType": "Custom", diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Synapse.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Synapse.json index d47fcaa61c..d96e65737e 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Synapse.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Synapse.json @@ -1,7 +1,7 @@ { "name": "Enforce-Guardrails-Synapse", "type": "Microsoft.Authorization/policySetDefinitions", - "apiVersion": "2021-06-01", + "apiVersion": "2023-04-01", "scope": null, "properties": { "policyType": "Custom", diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-VirtualDesktop.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-VirtualDesktop.json index 2d64b91b18..3fdd083d8c 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-VirtualDesktop.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-VirtualDesktop.json @@ -1,7 +1,7 @@ { "name": "Enforce-Guardrails-VirtualDesktop", "type": "Microsoft.Authorization/policySetDefinitions", - "apiVersion": "2021-06-01", + "apiVersion": "2023-04-01", "scope": null, "properties": { "policyType": "Custom", diff --git a/workloads/README.md b/workloads/README.md index ad17944587..f18dfe695d 100644 --- a/workloads/README.md +++ b/workloads/README.md @@ -1,3 +1,3 @@ # ARM templates and Bicep files for compliant workload deployments -Please head to [Deploy Azure landing zones in the Azure Archtiecture Center](https://aka.ms/alz/aac) for more information. +Please head to [Deploy Azure landing zones in the Azure Architecture Center](https://aka.ms/alz/aac) or [Azure Verified Modules](https://aka.ms/avm) for more information. From 7ea9b3626a6ff2c6cd10cc05d73ca9588d256368 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Thu, 23 Jan 2025 18:17:16 +0400 Subject: [PATCH 16/18] Updating MG API version (#1894) --- docs/wiki/Whats-new.md | 1 + .../mgmtGroupStructure/mgmtGroups.json | 14 +++++++------- .../mgmtGroupStructure/mgmtGroupsLite.json | 12 ++++++------ 3 files changed, 14 insertions(+), 13 deletions(-) diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md index 7e68ccb818..6c83b34036 100644 --- a/docs/wiki/Whats-new.md +++ b/docs/wiki/Whats-new.md @@ -66,6 +66,7 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones: - Removed duplicate policy assignment "Container Apps should only be accessible over HTTPS" from initiative [Enforce-EncryptTransit_20241211](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit_2024.html). Note, this is a breaking change, and existing assignments should be removed and re-assigned. - Added new custom policies [Audit-Tags-Mandatory](https://www.azadvertizer.net/azpolicyadvertizer/Audit-Tags-Mandatory.html) and [Audit-Tags-Mandatory-Rg](https://www.azadvertizer.net/azpolicyadvertizer/Audit-Tags-Mandatory-Rg.html) to support auditing for the existence of mandatory tags (based on an array of tags). Not assigned by default. - Updated the Workload Specific Compliance initiative section in the portal accelerator to allow configuring `Audit Only` effect for workloads using the `DoNotEnforce` enforcement mode. +- Updated the Management Group creation template to use the latest API version `2023-04-01`. ### December 2024 diff --git a/eslzArm/managementGroupTemplates/mgmtGroupStructure/mgmtGroups.json b/eslzArm/managementGroupTemplates/mgmtGroupStructure/mgmtGroups.json index 37231a5fb1..612fc7adc5 100644 --- a/eslzArm/managementGroupTemplates/mgmtGroupStructure/mgmtGroups.json +++ b/eslzArm/managementGroupTemplates/mgmtGroupStructure/mgmtGroups.json @@ -43,14 +43,14 @@ // Create top level management group under tenant root "type": "Microsoft.Management/managementGroups", "scope": "/", - "apiVersion": "2020-05-01", + "apiVersion": "2023-04-01", "name": "[parameters('topLevelManagementGroupPrefix')]", "properties": {} }, { // Create management group for platform management groups "type": "Microsoft.Management/managementGroups", - "apiVersion": "2020-05-01", + "apiVersion": "2023-04-01", "scope": "/", "name": "[variables('enterpriseScaleManagementGroups').platform]", "dependsOn": [ @@ -68,7 +68,7 @@ { // Create management group for landing zones "type": "Microsoft.Management/managementGroups", - "apiVersion": "2020-05-01", + "apiVersion": "2023-04-01", "scope": "/", "name": "[variables('enterpriseScaleManagementGroups').landingZone]", "dependsOn": [ @@ -86,7 +86,7 @@ { // Create management group for sandbox subscriptions "type": "Microsoft.Management/managementGroups", - "apiVersion": "2020-05-01", + "apiVersion": "2023-04-01", "scope": "/", "name": "[variables('enterpriseScaleManagementGroups').sandboxes]", "dependsOn": [ @@ -104,7 +104,7 @@ { // Create management group for decommissioned subscriptions "type": "Microsoft.Management/managementGroups", - "apiVersion": "2020-05-01", + "apiVersion": "2023-04-01", "scope": "/", "name": "[variables('enterpriseScaleManagementGroups').decommissioned]", "dependsOn": [ @@ -123,7 +123,7 @@ // Create child management groups for platform resources "condition": "[not(empty(parameters('platformMgs')))]", "type": "Microsoft.Management/managementGroups", - "apiVersion": "2020-05-01", + "apiVersion": "2023-04-01", "scope": "/", "name": "[concat(parameters('topLevelManagementGroupPrefix'), '-', parameters('platformMgs')[copyIndex()])]", "dependsOn": [ @@ -146,7 +146,7 @@ // Create child management groups for landing zones "condition": "[not(empty(parameters('landingZoneMgs')))]", "type": "Microsoft.Management/managementGroups", - "apiVersion": "2020-05-01", + "apiVersion": "2023-04-01", "scope": "/", "name": "[concat(parameters('topLevelManagementGroupPrefix'), '-', parameters('landingZoneMgs')[copyIndex()])]", "dependsOn": [ diff --git a/eslzArm/managementGroupTemplates/mgmtGroupStructure/mgmtGroupsLite.json b/eslzArm/managementGroupTemplates/mgmtGroupStructure/mgmtGroupsLite.json index ed5291c94f..7d3c2b050e 100644 --- a/eslzArm/managementGroupTemplates/mgmtGroupStructure/mgmtGroupsLite.json +++ b/eslzArm/managementGroupTemplates/mgmtGroupStructure/mgmtGroupsLite.json @@ -31,14 +31,14 @@ { // Create top level management group under tenant root "type": "Microsoft.Management/managementGroups", - "apiVersion": "2020-05-01", + "apiVersion": "2023-04-01", "name": "[parameters('topLevelManagementGroupPrefix')]", "properties": {} }, { // Create management group for platform management groups "type": "Microsoft.Management/managementGroups", - "apiVersion": "2020-05-01", + "apiVersion": "2023-04-01", "name": "[variables('enterpriseScaleManagementGroups').platform]", "dependsOn": [ "[tenantResourceId('Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]" @@ -55,7 +55,7 @@ { // Create management group for landing zones "type": "Microsoft.Management/managementGroups", - "apiVersion": "2020-05-01", + "apiVersion": "2023-04-01", "name": "[variables('enterpriseScaleManagementGroups').landingZone]", "dependsOn": [ "[tenantResourceId('Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]" @@ -72,7 +72,7 @@ { // Create management group for sandbox subscriptions "type": "Microsoft.Management/managementGroups", - "apiVersion": "2020-05-01", + "apiVersion": "2023-04-01", "name": "[variables('enterpriseScaleManagementGroups').sandboxes]", "dependsOn": [ "[tenantResourceId('Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]" @@ -89,7 +89,7 @@ { // Create management group for decommissioned subscriptions "type": "Microsoft.Management/managementGroups", - "apiVersion": "2020-05-01", + "apiVersion": "2023-04-01", "name": "[variables('enterpriseScaleManagementGroups').decommissioned]", "dependsOn": [ "[tenantResourceId('Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]" @@ -107,7 +107,7 @@ // Create child management groups for landing zones "condition": "[not(empty(parameters('landingZoneMgs')))]", "type": "Microsoft.Management/managementGroups", - "apiVersion": "2020-05-01", + "apiVersion": "2023-04-01", "name": "[concat(parameters('topLevelManagementGroupPrefix'), '-', parameters('landingZoneMgs')[copyIndex()])]", "dependsOn": [ "[tenantResourceId('Microsoft.Management/managementGroups/', variables('enterpriseScaleManagementGroups').landingZone)]" From ad1bbe43d271ce7067295a084e810481ddd95bd5 Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Fri, 24 Jan 2025 16:20:03 +0400 Subject: [PATCH 17/18] ES Lite Prereqs and AVNM support (#1896) --- eslzArm/eslzArm.json | 109 ++++++++++++++++++ eslzArm/subscriptionTemplates/avnmPolicy.json | 14 +++ 2 files changed, 123 insertions(+) diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json index 45029343a7..ea33d10548 100644 --- a/eslzArm/eslzArm.json +++ b/eslzArm/eslzArm.json @@ -1991,6 +1991,8 @@ "vnetConnectivityRouteTableDeploymentName": "[take(concat('alz-HubRoute', variables('deploymentSuffix')), 64)]", "vnetConnectivityRouteTable2DeploymentName": "[take(concat('alz-HubRoute2', variables('deploymentSuffix')), 64)]", "nvaConnectivityHubLite2DeploymentName": "[take(concat('alz-NVAHubLite2', variables('deploymentSuffix')), 64)]", + "avnmLiteConnectivityHubDeploymentName": "[take(concat('alz-AVNMLite', variables('deploymentSuffix')), 64)]", + "avnmLitePolicyDeploymentName": "[take(concat('alz-AVNMLitePolicy', variables('deploymentSuffix')), 64)]", "ddosRgLiteDeploymentName": "[take(concat('alz-DDoSRgLite', variables('deploymentSuffix')), 64)]", "ddosLiteDeploymentName": "[take(concat('alz-DDoSLite', variables('deploymentSuffix')), 64)]", "ddosHubLitePolicyDeploymentName": "[take(concat('alz-DDoSHubPolicyLite', variables('deploymentSuffix')), 64)]", @@ -2487,6 +2489,37 @@ } } }, + { + // ALZ Pre-Requisites and Azure's Untold Story... LITE + "condition": "[not(empty(parameters('singlePlatformSubscriptionId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "alz-prerequisites", + "scope": "[variables('scopes').eslzRootManagementGroup]", + "location": "[deployment().location]", + "dependsOn": [ + "[variables('deploymentNames').initiativeDeploymentName]", + "[variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').preRequisites]" + }, + "parameters": { + "location": { + "value": "[deployment().location]" + }, + "eslzRootName": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "managementSubscriptionId": { + "value": "[parameters('singlePlatformSubscriptionId')]" + } + } + } + }, /* The following deployments will organize the dedicated platform subscriptions into their respective management groups */ @@ -5344,6 +5377,46 @@ } } }, + { + // Deploy AVNM Lite + "condition": "[and(parameters('deployAVNM'), or(equals(parameters('enableHub'), 'vhub'), equals(parameters('enableHub'), 'nva')), not(empty(parameters('singlePlatformSubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "subscriptionId": "[parameters('singlePlatformSubscriptionId')]", + "name": "[variables('esLiteDeploymentNames').avnmLiteConnectivityHubDeploymentName]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtGroupDeploymentName)]", + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').mgmtGroupLiteDeploymentName)]", + "dnsZones", + "dnsZonesLite", + "alz-prerequisites" + ], + "location": "[deployment().location]", + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').avnmConnectivityHub]" + }, + "parameters": { + "location": { + "value": "[parameters('connectivityLocation')]" + }, + "locationSecondary": { + "value": "[parameters('connectivityLocationSecondary')]" + }, + "managementGroupScope": { + "value": "[variables('scopes').eslzRootManagementGroup]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('singlePlatformSubscriptionId')]" + }, + "enableSecondaryRegion": { + "value": "[parameters('enableSecondaryRegion')]" + } + } + } + }, { // Deploying AVNM policy - to add virtual networks to AVNM network groups "condition": "[and(parameters('deployAVNM'), or(equals(parameters('enableHub'), 'vhub'), equals(parameters('enableHub'), 'nva')), not(empty(parameters('connectivitySubscriptionId'))))]", @@ -5377,6 +5450,42 @@ } } }, + { + // Deploying AVNM Lite policy - to add virtual networks to AVNM network groups + "condition": "[and(parameters('deployAVNM'), or(equals(parameters('enableHub'), 'vhub'), equals(parameters('enableHub'), 'nva')), not(empty(parameters('singlePlatformSubscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('esLiteDeploymentNames').avnmLitePolicyDeploymentName]", + "location": "[deployment().location]", + "scope": "[variables('scopes').eslzRootManagementGroup]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').avnmLiteConnectivityHubDeploymentName)]" + ], + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('deploymentUris').avnmPolicy]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('singlePlatformSubscriptionId')]" + }, + "locationSecondary": { + "value": "[parameters('connectivityLocationSecondary')]" + }, + "enableSecondaryRegion": { + "value": "[parameters('enableSecondaryRegion')]" + }, + "dedicatedSubscription": { + "value": false + } + } + } + }, { // Creating resource group for Private DNS Zones "condition": "[and(equals(parameters('enablePrivateDnsZones'), 'Yes'), not(empty(parameters('connectivitySubscriptionId'))))]", diff --git a/eslzArm/subscriptionTemplates/avnmPolicy.json b/eslzArm/subscriptionTemplates/avnmPolicy.json index 597d30b18f..2e12a72326 100644 --- a/eslzArm/subscriptionTemplates/avnmPolicy.json +++ b/eslzArm/subscriptionTemplates/avnmPolicy.json @@ -37,6 +37,13 @@ "description": "Enable secondary region for instances deploying in multiple regions" }, "defaultValue": "No" + }, + "dedicatedSubscription": { + "type": "bool", + "metadata": { + "description": "Dedicated subscriptions selected" + }, + "defaultValue": true } }, "variables": { @@ -206,6 +213,7 @@ ] }, { + "condition": "[parameters('dedicatedSubscription')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "policyCorp", @@ -363,6 +371,7 @@ } }, { + "condition": "[parameters('dedicatedSubscription')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "policyOnline", @@ -520,6 +529,7 @@ } }, { + "condition": "[parameters('dedicatedSubscription')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "policyIdentity", @@ -677,6 +687,7 @@ } }, { + "condition": "[parameters('dedicatedSubscription')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "policyManagement", @@ -834,6 +845,7 @@ } }, { + "condition": "[parameters('dedicatedSubscription')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "policyConnectivity", @@ -991,6 +1003,7 @@ } }, { + "condition": "[parameters('dedicatedSubscription')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "policySandbox", @@ -1148,6 +1161,7 @@ } }, { + "condition": "[parameters('dedicatedSubscription')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "policyDecommissioned", From 5ba2d3af9118b155f118e33733d271e73e606b7d Mon Sep 17 00:00:00 2001 From: Sacha Narinx Date: Fri, 24 Jan 2025 20:42:38 +0400 Subject: [PATCH 18/18] Fixing what was fixed (#1897) --- eslzArm/eslz-portal.json | 54 ++++++++++++++++++++-------------------- 1 file changed, 27 insertions(+), 27 deletions(-) diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json index 8db6ce425f..7d86eb72ef 100644 --- a/eslzArm/eslz-portal.json +++ b/eslzArm/eslz-portal.json @@ -5436,7 +5436,7 @@ "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, - "visible": "[equals(steps('workloadspecific').wlcCMK.enableWsCMKInitiatives, 'Yes')]", + "visible": "[not(equals(steps('workloadspecific').wlcCMK.enableWsCMKInitiatives, 'No'))]", "defaultValue": [ { "value": "contoso-platform" @@ -5543,7 +5543,7 @@ "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, - "visible": "[equals(steps('workloadspecific').wlcAIReady.enableWsBotServiceInitiatives, 'Yes')]", + "visible": "[not(equals(steps('workloadspecific').wlcAIReady.enableWsBotServiceInitiatives, 'No'))]", "defaultValue": [ { "value": "contoso-platform" @@ -5642,7 +5642,7 @@ "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, - "visible": "[equals(steps('workloadspecific').wlcAIReady.enableWsCognitiveServicesInitiatives, 'Yes')]", + "visible": "[not(equals(steps('workloadspecific').wlcAIReady.enableWsCognitiveServicesInitiatives, 'No'))]", "defaultValue": [ { "value": "contoso-platform" @@ -5741,7 +5741,7 @@ "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, - "visible": "[equals(steps('workloadspecific').wlcAIReady.enableWsMachineLearningInitiatives, 'Yes')]", + "visible": "[not(equals(steps('workloadspecific').wlcAIReady.enableWsMachineLearningInitiatives, 'No'))]", "defaultValue": [ { "value": "contoso-platform" @@ -5840,7 +5840,7 @@ "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, - "visible": "[equals(steps('workloadspecific').wlcAIReady.enableWsOpenAIInitiatives, 'Yes')]", + "visible": "[not(equals(steps('workloadspecific').wlcAIReady.enableWsOpenAIInitiatives, 'No'))]", "defaultValue": [ { "value": "contoso-platform" @@ -5948,7 +5948,7 @@ "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, - "visible": "[equals(steps('workloadspecific').enableWsDataExplorerInitiatives, 'Yes')]", + "visible": "[not(equals(steps('workloadspecific').enableWsDataExplorerInitiatives, 'No'))]", "defaultValue": [ { "value": "contoso-platform" @@ -6047,7 +6047,7 @@ "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, - "visible": "[equals(steps('workloadspecific').enableWsDataFactoryInitiatives, 'Yes')]", + "visible": "[not(equals(steps('workloadspecific').enableWsDataFactoryInitiatives, 'No'))]", "defaultValue": [ { "value": "contoso-platform" @@ -6146,7 +6146,7 @@ "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, - "visible": "[equals(steps('workloadspecific').enableWsSynapseInitiatives, 'Yes')]", + "visible": "[not(equals(steps('workloadspecific').enableWsSynapseInitiatives, 'No'))]", "defaultValue": [ { "value": "contoso-platform" @@ -6251,7 +6251,7 @@ "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, - "visible": "[equals(steps('workloadspecific').enableWsComputeInitiatives, 'Yes')]", + "visible": "[not(equals(steps('workloadspecific').enableWsComputeInitiatives, 'No'))]", "defaultValue": [ { "value": "contoso-platform" @@ -6350,7 +6350,7 @@ "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, - "visible": "[equals(steps('workloadspecific').enableWsVirtualDesktopInitiatives, 'Yes')]", + "visible": "[not(equals(steps('workloadspecific').enableWsVirtualDesktopInitiatives, 'No'))]", "defaultValue": [ { "value": "contoso-platform" @@ -6455,7 +6455,7 @@ "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, - "visible": "[equals(steps('workloadspecific').enableWsContainerAppsInitiatives, 'Yes')]", + "visible": "[not(equals(steps('workloadspecific').enableWsContainerAppsInitiatives, 'No'))]", "defaultValue": [ { "value": "contoso-platform" @@ -6554,7 +6554,7 @@ "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, - "visible": "[equals(steps('workloadspecific').enableWsContainerInstanceInitiatives, 'Yes')]", + "visible": "[not(equals(steps('workloadspecific').enableWsContainerInstanceInitiatives, 'No'))]", "defaultValue": [ { "value": "contoso-platform" @@ -6653,7 +6653,7 @@ "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, - "visible": "[equals(steps('workloadspecific').enableWsContainerRegistryInitiatives, 'Yes')]", + "visible": "[not(equals(steps('workloadspecific').enableWsContainerRegistryInitiatives, 'No'))]", "defaultValue": [ { "value": "contoso-platform" @@ -6752,7 +6752,7 @@ "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, - "visible": "[equals(steps('workloadspecific').enableWsKubernetesInitiatives, 'Yes')]", + "visible": "[not(equals(steps('workloadspecific').enableWsKubernetesInitiatives, 'No'))]", "defaultValue": [ { "value": "contoso-platform" @@ -6857,7 +6857,7 @@ "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, - "visible": "[equals(steps('workloadspecific').enableWsCosmosDbInitiatives, 'Yes')]", + "visible": "[not(equals(steps('workloadspecific').enableWsCosmosDbInitiatives, 'No'))]", "defaultValue": [ { "value": "contoso-platform" @@ -6956,7 +6956,7 @@ "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, - "visible": "[equals(steps('workloadspecific').enableWsMySQLInitiatives, 'Yes')]", + "visible": "[not(equals(steps('workloadspecific').enableWsMySQLInitiatives, 'No'))]", "defaultValue": [ { "value": "contoso-platform" @@ -7055,7 +7055,7 @@ "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, - "visible": "[equals(steps('workloadspecific').enableWsPostgreSQLInitiatives, 'Yes')]", + "visible": "[not(equals(steps('workloadspecific').enableWsPostgreSQLInitiatives, 'No'))]", "defaultValue": [ { "value": "contoso-platform" @@ -7154,7 +7154,7 @@ "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, - "visible": "[equals(steps('workloadspecific').enableWsSQLInitiatives, 'Yes')]", + "visible": "[not(equals(steps('workloadspecific').enableWsSQLInitiatives, 'No'))]", "defaultValue": [ { "value": "contoso-platform" @@ -7259,7 +7259,7 @@ "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, - "visible": "[equals(steps('workloadspecific').enableWsEventGridInitiatives, 'Yes')]", + "visible": "[not(equals(steps('workloadspecific').enableWsEventGridInitiatives, 'No'))]", "defaultValue": [ { "value": "contoso-platform" @@ -7358,7 +7358,7 @@ "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, - "visible": "[equals(steps('workloadspecific').enableWsEventHubInitiatives, 'Yes')]", + "visible": "[not(equals(steps('workloadspecific').enableWsEventHubInitiatives, 'No'))]", "defaultValue": [ { "value": "contoso-platform" @@ -7457,7 +7457,7 @@ "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, - "visible": "[equals(steps('workloadspecific').enableWsServiceBusInitiatives, 'Yes')]", + "visible": "[not(equals(steps('workloadspecific').enableWsServiceBusInitiatives, 'No'))]", "defaultValue": [ { "value": "contoso-platform" @@ -7562,7 +7562,7 @@ "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, - "visible": "[equals(steps('workloadspecific').enableWsAutomationInitiatives, 'Yes')]", + "visible": "[not(equals(steps('workloadspecific').enableWsAutomationInitiatives, 'No'))]", "defaultValue": [ { "value": "contoso-platform" @@ -7668,7 +7668,7 @@ "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, - "visible": "[equals(steps('workloadspecific').enableWsNetworkInitiatives, 'Yes')]", + "visible": "[and(not(equals(steps('workloadspecific').enableWsNetworkInitiatives, 'No')), equals(steps('connectivity').enableDdoS, 'Yes'))]", "defaultValue": [ { "value": "contoso-platform" @@ -7773,7 +7773,7 @@ "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, - "visible": "[equals(steps('workloadspecific').enableWsKeyVaultSupInitiatives, 'Yes')]", + "visible": "[not(equals(steps('workloadspecific').enableWsKeyVaultSupInitiatives, 'No'))]", "defaultValue": [ { "value": "contoso-platform" @@ -7878,7 +7878,7 @@ "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, - "visible": "[equals(steps('workloadspecific').enableWsStorageInitiatives, 'Yes')]", + "visible": "[not(equals(steps('workloadspecific').enableWsStorageInitiatives, 'No'))]", "defaultValue": [ { "value": "contoso-platform" @@ -7983,7 +7983,7 @@ "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, - "visible": "[equals(steps('workloadspecific').enableWsAPIMInitiatives, 'Yes')]", + "visible": "[not(equals(steps('workloadspecific').enableWsAPIMInitiatives, 'No'))]", "defaultValue": [ { "value": "contoso-platform" @@ -8082,7 +8082,7 @@ "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, - "visible": "[equals(steps('workloadspecific').enableWsAppServicesInitiatives, 'Yes')]", + "visible": "[not(equals(steps('workloadspecific').enableWsAppServicesInitiatives, 'No'))]", "defaultValue": [ { "value": "contoso-platform"