diff --git a/.azuredevops/templates/template-stage-policy-tests.yml b/.azuredevops/templates/template-stage-policy-tests.yml index 2fc333e..bf842e6 100644 --- a/.azuredevops/templates/template-stage-policy-tests.yml +++ b/.azuredevops/templates/template-stage-policy-tests.yml @@ -62,7 +62,7 @@ stages: - template: ./template-task-install-ps-modules.yml parameters: displayName: "Install AzPolicyTest Module" - moduleNames: "AzPolicyTest`@2.8.2" + moduleNames: "AzPolicyTest`@3.1.1" shouldInstall: ${{ or(eq(parameters.runPolicyJsonPesterTests, true), eq(parameters.runPolicyInitiativePesterTests, true), eq(parameters.runPolicyDefinitionPesterTests, true)) }} - pwsh: | diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml index 2740ee1..09c86ae 100644 --- a/.github/ISSUE_TEMPLATE/config.yml +++ b/.github/ISSUE_TEMPLATE/config.yml @@ -1,5 +1,5 @@ blank_issues_enabled: false contact_links: - name: Documentation - url: https://github.com/AzPolicyFactory/AzPolicyFactory/tree/main/docs + url: https://github.com/Azure/AzPolicyFactory/tree/main/docs about: Check the documentation before opening an issue diff --git a/.github/actions/templates/test-policy-def/action.yml b/.github/actions/templates/test-policy-def/action.yml index e6cef55..445b6f9 100644 --- a/.github/actions/templates/test-policy-def/action.yml +++ b/.github/actions/templates/test-policy-def/action.yml @@ -1,5 +1,6 @@ name: "Policy Definition Pester Tests" -description: "Runs Pester tests for Azure Policy Definitions, Initiatives, and JSON content using the AzPolicyTest module" +description: "Runs Pester tests for Azure Policy Definitions, Initiatives, and + JSON content using the AzPolicyTest module" author: "Tao Yang" inputs: 
@@ -41,7 +42,9 @@ runs: using: "composite" steps: - name: Install AzPolicyTest Module - if: inputs.run-policy-json-pester-tests == 'true' || inputs.run-policy-initiative-pester-tests == 'true' || inputs.run-policy-definition-pester-tests == 'true' + if: inputs.run-policy-json-pester-tests == 'true' || + inputs.run-policy-initiative-pester-tests == 'true' || + inputs.run-policy-definition-pester-tests == 'true' shell: pwsh env: INPUT_WORKSPACE_DIRECTORY: ${{ github.workspace }} @@ -50,7 +53,7 @@ runs: Write-Output '::group::Install AzPolicyTest Module' $scriptPath = "$env:INPUT_WORKSPACE_DIRECTORY/scripts/pipelines/pipeline-install-moduleFromRepo.ps1" & $scriptPath ` - -modules 'AzPolicyTest@2.8.2' ` + -modules 'AzPolicyTest@3.1.1' ` -repoName 'PSGallery' ` -maxRetry 3 ` -allowPrerelease 'false' diff --git a/.github/workflows/policy-initiatives.yml b/.github/workflows/policy-initiatives.yml index 25e70be..e5aa5a6 100644 --- a/.github/workflows/policy-initiatives.yml +++ b/.github/workflows/policy-initiatives.yml @@ -1,7 +1,8 @@ name: policy-initiatives on: - workflow_dispatch: # allows a manual run from the UI + workflow_dispatch: + # allows a manual run from the UI inputs: debug: description: "Enable debug logging" @@ -28,7 +29,9 @@ jobs: job_call_initiation: name: Initiation runs-on: ubuntu-latest - if: ${{ github.event.workflow_run.conclusion == 'success' || github.event_name == 'workflow_dispatch' }} + if: + ${{ github.event.workflow_run.conclusion == 'success' || github.event_name + == 'workflow_dispatch' }} steps: - name: "Checkout" uses: actions/checkout@v6 @@ -79,7 +82,7 @@ jobs: definition-file-path: "${{env.definitionFileDirectory}}" template-file-directory: "${{env.templateFileDirectory}}" bicep-file-path: "${{env.templateFileDirectory}}/${{env.templateFileName}}" - bicep-variable-name: "policyInitiatives" + bicep-variable-name: "policySetDefinitions" build-artifact-name: "policy_set_bicep_dev" job_build_prod: 
@@ -100,7 +103,7 @@ jobs: definition-file-path: "${{env.definitionFileDirectory}}" template-file-directory: "${{env.templateFileDirectory}}" bicep-file-path: "${{env.templateFileDirectory}}/${{env.templateFileName}}" - bicep-variable-name: "policyInitiatives" + bicep-variable-name: "policySetDefinitions" build-artifact-name: "policy_set_bicep_prod" job_test_dev: diff --git a/.gitignore b/.gitignore index e2ffc5d..a909caa 100644 --- a/.gitignore +++ b/.gitignore @@ -418,4 +418,6 @@ FodyWeavers.xsd *.msp #Mac -.DS_Store \ No newline at end of file +.DS_Store +.github/workflows/package.json +.github/workflows/package-lock.json diff --git a/.vscode/settings.json b/.vscode/settings.json index fb1adf3..b1b3fbe 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -54,5 +54,6 @@ "unauthorized", "vnet", "whatif" - ] + ], + "sarif-viewer.connectToGithubCodeScanning": "off" } diff --git a/bicep/modules/authorization/policy-assignment/management-group/main.bicep b/bicep/modules/authorization/policy-assignment/management-group/main.bicep index 60f14af..53e1dc9 100644 --- a/bicep/modules/authorization/policy-assignment/management-group/main.bicep +++ b/bicep/modules/authorization/policy-assignment/management-group/main.bicep @@ -32,7 +32,7 @@ var identityVar = policyAssignment.?identity == 'SystemAssigned' } : null -resource assignment 'Microsoft.Authorization/policyAssignments@2025-03-01' = { +resource assignment 'Microsoft.Authorization/policyAssignments@2025-12-01-preview' = { name: policyAssignment.name location: location properties: { diff --git a/bicep/modules/authorization/policy-assignment/management-group/version.json b/bicep/modules/authorization/policy-assignment/management-group/version.json index 733a20f..941b8d8 100644 --- a/bicep/modules/authorization/policy-assignment/management-group/version.json +++ b/bicep/modules/authorization/policy-assignment/management-group/version.json 
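Review bot: Ignoring `.github/workflows/package-lock.json` on the last added line means the lockfile for whatever Node tooling lives under `.github/workflows/` is never committed, so if a workflow step runs `npm ci` or `npm install` against that `package.json`, its dependency set is no longer pinned or reproducible between runs. If both files are only produced transiently by a workflow step that is fine, but the intent is not visible from this diff. A comment on the two new lines would settle it, e.g. `# generated at runtime by <workflow-name>; not part of the repo`.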
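Review bot: The policyAssignments resource in bicep/modules/authorization/policy-assignment/management-group/main.bicep moves from the GA API version `2025-03-01` to `2025-12-01-preview` while the module is published as a minor bump (3.0.0 to 3.1.0); the same switch is made in the resource-group and subscription policy-assignment modules, the policy-definition and policy-set-definition modules, and the policy-exemption modules (`2024-12-01-preview` to `2025-12-01-preview`). Preview API versions carry no GA stability or retirement guarantees, so consumers pinned to a 3.x module pick up a preview contract on upgrade. If the preview version is required for a specific property (the `definitionVersion` pass-through added in bicep/templates/policyInitiatives/main.bicep looks like the candidate, but that is inferred), a comment above each resource naming that reason lets a later maintainer move back to GA once it is available, e.g. `// 2025-12-01-preview: needed for <property>; revisit when a GA version exposes it`.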
@@ -1,6 +1,6 @@ { "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "3.0.0", + "version": "3.1.0", "pathFilters": [ "./main.json" ] diff --git a/bicep/modules/authorization/policy-assignment/resource-group/main.bicep b/bicep/modules/authorization/policy-assignment/resource-group/main.bicep index 63b2225..9598849 100644 --- a/bicep/modules/authorization/policy-assignment/resource-group/main.bicep +++ b/bicep/modules/authorization/policy-assignment/resource-group/main.bicep @@ -35,7 +35,7 @@ var identityVar = policyAssignment.?identity == 'SystemAssigned' } : null -resource assignment 'Microsoft.Authorization/policyAssignments@2025-03-01' = { +resource assignment 'Microsoft.Authorization/policyAssignments@2025-12-01-preview' = { name: policyAssignment.name location: location properties: { diff --git a/bicep/modules/authorization/policy-assignment/resource-group/version.json b/bicep/modules/authorization/policy-assignment/resource-group/version.json index 733a20f..941b8d8 100644 --- a/bicep/modules/authorization/policy-assignment/resource-group/version.json +++ b/bicep/modules/authorization/policy-assignment/resource-group/version.json @@ -1,6 +1,6 @@ { "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "3.0.0", + "version": "3.1.0", "pathFilters": [ "./main.json" ] diff --git a/bicep/modules/authorization/policy-assignment/subscription/main.bicep b/bicep/modules/authorization/policy-assignment/subscription/main.bicep index 7a6e704..5b315d3 100644 --- a/bicep/modules/authorization/policy-assignment/subscription/main.bicep +++ b/bicep/modules/authorization/policy-assignment/subscription/main.bicep 
@@ -31,7 +31,7 @@ var identityVar = policyAssignment.?identity == 'SystemAssigned' } : null -resource assignment 'Microsoft.Authorization/policyAssignments@2025-03-01' = { +resource assignment 'Microsoft.Authorization/policyAssignments@2025-12-01-preview' = { name: policyAssignment.name location: location properties: { diff --git a/bicep/modules/authorization/policy-assignment/subscription/version.json b/bicep/modules/authorization/policy-assignment/subscription/version.json index 733a20f..941b8d8 100644 --- a/bicep/modules/authorization/policy-assignment/subscription/version.json +++ b/bicep/modules/authorization/policy-assignment/subscription/version.json @@ -1,6 +1,6 @@ { "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "3.0.0", + "version": "3.1.0", "pathFilters": [ "./main.json" ] diff --git a/bicep/modules/authorization/policy-assignment/version.json b/bicep/modules/authorization/policy-assignment/version.json index 84ae65e..37bba59 100644 --- a/bicep/modules/authorization/policy-assignment/version.json +++ b/bicep/modules/authorization/policy-assignment/version.json @@ -1,6 +1,6 @@ { "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "3.0.0", + "version": "3.1.0", "pathFilters": [ "./main.json" ] diff --git a/bicep/modules/authorization/policy-definition/management-group/main.bicep b/bicep/modules/authorization/policy-definition/management-group/main.bicep index b37653e..53291bd 100755 --- a/bicep/modules/authorization/policy-definition/management-group/main.bicep +++ b/bicep/modules/authorization/policy-definition/management-group/main.bicep @@ -16,7 +16,7 @@ var additionalMetadata = { } @batchSize(15) -resource policies 'Microsoft.Authorization/policyDefinitions@2025-03-01' = [ +resource policies 'Microsoft.Authorization/policyDefinitions@2025-12-01-preview' = [ for policyDefinition in policyDefinitions: { name: policyDefinition.name properties: { 
diff --git a/bicep/modules/authorization/policy-definition/management-group/version.json b/bicep/modules/authorization/policy-definition/management-group/version.json index 84ae65e..37bba59 100755 --- a/bicep/modules/authorization/policy-definition/management-group/version.json +++ b/bicep/modules/authorization/policy-definition/management-group/version.json @@ -1,6 +1,6 @@ { "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "3.0.0", + "version": "3.1.0", "pathFilters": [ "./main.json" ] diff --git a/bicep/modules/authorization/policy-definition/subscription/main.bicep b/bicep/modules/authorization/policy-definition/subscription/main.bicep index 061f787..5f79426 100755 --- a/bicep/modules/authorization/policy-definition/subscription/main.bicep +++ b/bicep/modules/authorization/policy-definition/subscription/main.bicep @@ -17,7 +17,7 @@ var additionalMetadata = { } @batchSize(15) -resource policies 'Microsoft.Authorization/policyDefinitions@2025-03-01' = [ +resource policies 'Microsoft.Authorization/policyDefinitions@2025-12-01-preview' = [ for policyDefinition in policyDefinitions: { name: policyDefinition.name properties: { diff --git a/bicep/modules/authorization/policy-definition/subscription/version.json b/bicep/modules/authorization/policy-definition/subscription/version.json index 84ae65e..37bba59 100755 --- a/bicep/modules/authorization/policy-definition/subscription/version.json +++ b/bicep/modules/authorization/policy-definition/subscription/version.json @@ -1,6 +1,6 @@ { "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "3.0.0", + "version": "3.1.0", "pathFilters": [ "./main.json" ] diff --git a/bicep/modules/authorization/policy-definition/version.json b/bicep/modules/authorization/policy-definition/version.json index 733a20f..941b8d8 100755 --- a/bicep/modules/authorization/policy-definition/version.json +++ b/bicep/modules/authorization/policy-definition/version.json 
@@ -1,6 +1,6 @@ { "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "3.0.0", + "version": "3.1.0", "pathFilters": [ "./main.json" ] diff --git a/bicep/modules/authorization/policy-exemption/management-group/main.bicep b/bicep/modules/authorization/policy-exemption/management-group/main.bicep index 7201f60..d12b595 100644 --- a/bicep/modules/authorization/policy-exemption/management-group/main.bicep +++ b/bicep/modules/authorization/policy-exemption/management-group/main.bicep @@ -13,7 +13,7 @@ var additionalMetadata = union(policyExemption.?metadata ?? {}, { hidden_vml_version: loadJsonContent('./version.json').version }) -resource exemption 'Microsoft.Authorization/policyExemptions@2024-12-01-preview' = { +resource exemption 'Microsoft.Authorization/policyExemptions@2025-12-01-preview' = { name: policyExemption.name properties: { displayName: policyExemption.?displayName diff --git a/bicep/modules/authorization/policy-exemption/management-group/version.json b/bicep/modules/authorization/policy-exemption/management-group/version.json index df8ea65..179b0b5 100644 --- a/bicep/modules/authorization/policy-exemption/management-group/version.json +++ b/bicep/modules/authorization/policy-exemption/management-group/version.json @@ -1,6 +1,6 @@ { "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.1", + "version": "3.1.0", "pathFilters": [ "./main.json" ] diff --git a/bicep/modules/authorization/policy-exemption/resource-group/main.bicep b/bicep/modules/authorization/policy-exemption/resource-group/main.bicep index 81106d6..7b9d09b 100644 --- a/bicep/modules/authorization/policy-exemption/resource-group/main.bicep +++ b/bicep/modules/authorization/policy-exemption/resource-group/main.bicep 
@@ -13,7 +13,7 @@ var additionalMetadata = union(policyExemption.?metadata ?? {}, { hidden_vml_version: loadJsonContent('./version.json').version }) -resource exemption 'Microsoft.Authorization/policyExemptions@2024-12-01-preview' = { +resource exemption 'Microsoft.Authorization/policyExemptions@2025-12-01-preview' = { name: policyExemption.name properties: { displayName: policyExemption.?displayName diff --git a/bicep/modules/authorization/policy-exemption/resource-group/version.json b/bicep/modules/authorization/policy-exemption/resource-group/version.json index df8ea65..179b0b5 100644 --- a/bicep/modules/authorization/policy-exemption/resource-group/version.json +++ b/bicep/modules/authorization/policy-exemption/resource-group/version.json @@ -1,6 +1,6 @@ { "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.1", + "version": "3.1.0", "pathFilters": [ "./main.json" ] diff --git a/bicep/modules/authorization/policy-exemption/subscription/main.bicep b/bicep/modules/authorization/policy-exemption/subscription/main.bicep index d7bb9f0..6df61d2 100644 --- a/bicep/modules/authorization/policy-exemption/subscription/main.bicep +++ b/bicep/modules/authorization/policy-exemption/subscription/main.bicep @@ -13,7 +13,7 @@ var additionalMetadata = union(policyExemption.?metadata ?? {}, { hidden_vml_version: loadJsonContent('./version.json').version }) -resource exemption 'Microsoft.Authorization/policyExemptions@2024-12-01-preview' = { +resource exemption 'Microsoft.Authorization/policyExemptions@2025-12-01-preview' = { name: policyExemption.name properties: { displayName: policyExemption.?displayName diff --git a/bicep/modules/authorization/policy-exemption/subscription/version.json b/bicep/modules/authorization/policy-exemption/subscription/version.json index df8ea65..179b0b5 100644 --- a/bicep/modules/authorization/policy-exemption/subscription/version.json +++ b/bicep/modules/authorization/policy-exemption/subscription/version.json 
@@ -1,6 +1,6 @@ { "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.1", + "version": "3.1.0", "pathFilters": [ "./main.json" ] diff --git a/bicep/modules/authorization/policy-exemption/version.json b/bicep/modules/authorization/policy-exemption/version.json index 79ac594..941b8d8 100644 --- a/bicep/modules/authorization/policy-exemption/version.json +++ b/bicep/modules/authorization/policy-exemption/version.json @@ -1,6 +1,6 @@ { "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "1.0.0", + "version": "3.1.0", "pathFilters": [ "./main.json" ] diff --git a/bicep/modules/authorization/policy-set-definition/management-group/main.bicep b/bicep/modules/authorization/policy-set-definition/management-group/main.bicep index e07c63b..1c9afd4 100644 --- a/bicep/modules/authorization/policy-set-definition/management-group/main.bicep +++ b/bicep/modules/authorization/policy-set-definition/management-group/main.bicep @@ -16,7 +16,7 @@ var additionalMetadata = { } @batchSize(15) -resource policySets 'Microsoft.Authorization/policySetDefinitions@2025-03-01' = [ +resource policySets 'Microsoft.Authorization/policySetDefinitions@2025-12-01-preview' = [ for policySetDefinition in policySetDefinitions: { name: policySetDefinition.name properties: { diff --git a/bicep/modules/authorization/policy-set-definition/management-group/version.json b/bicep/modules/authorization/policy-set-definition/management-group/version.json index 733a20f..941b8d8 100644 --- a/bicep/modules/authorization/policy-set-definition/management-group/version.json +++ b/bicep/modules/authorization/policy-set-definition/management-group/version.json @@ -1,6 +1,6 @@ { "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "3.0.0", + "version": "3.1.0", "pathFilters": [ "./main.json" ] 
diff --git a/bicep/modules/authorization/policy-set-definition/subscription/main.bicep b/bicep/modules/authorization/policy-set-definition/subscription/main.bicep index b3aee94..0f327db 100644 --- a/bicep/modules/authorization/policy-set-definition/subscription/main.bicep +++ b/bicep/modules/authorization/policy-set-definition/subscription/main.bicep @@ -16,7 +16,7 @@ var additionalMetadata = { } @batchSize(15) -resource policySets 'Microsoft.Authorization/policySetDefinitions@2025-03-01' = [ +resource policySets 'Microsoft.Authorization/policySetDefinitions@2025-12-01-preview' = [ for policySetDefinition in policySetDefinitions: { name: policySetDefinition.name properties: { diff --git a/bicep/modules/authorization/policy-set-definition/subscription/version.json b/bicep/modules/authorization/policy-set-definition/subscription/version.json index 733a20f..941b8d8 100755 --- a/bicep/modules/authorization/policy-set-definition/subscription/version.json +++ b/bicep/modules/authorization/policy-set-definition/subscription/version.json @@ -1,6 +1,6 @@ { "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "3.0.0", + "version": "3.1.0", "pathFilters": [ "./main.json" ] diff --git a/bicep/modules/authorization/policy-set-definition/version.json b/bicep/modules/authorization/policy-set-definition/version.json index 733a20f..941b8d8 100755 --- a/bicep/modules/authorization/policy-set-definition/version.json +++ b/bicep/modules/authorization/policy-set-definition/version.json @@ -1,6 +1,6 @@ { "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "3.0.0", + "version": "3.1.0", "pathFilters": [ "./main.json" ] diff --git a/bicep/templates/policyInitiatives/main.bicep b/bicep/templates/policyInitiatives/main.bicep index af37a45..c94ee91 100644 --- a/bicep/templates/policyInitiatives/main.bicep +++ b/bicep/templates/policyInitiatives/main.bicep 
@@ -27,6 +27,7 @@ var mappedPolicySetDefinitions = map(range(0, length(policySetDefinitions)), i = '{policyLocationResourceId}', managementGroupId ) + definitionVersion: policySetDefinitions[i].properties.policyDefinitions[c].?definitionVersion parameters: policySetDefinitions[i].properties.policyDefinitions[c].?parameters groupNames: policySetDefinitions[i].properties.policyDefinitions[c].?groupNames }) diff --git a/policyAssignments/dev/pa-d-cog-service.json b/policyAssignments/dev/pa-d-cog-service.json new file mode 100644 index 0000000..5a44d1a --- /dev/null +++ b/policyAssignments/dev/pa-d-cog-service.json 
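Review bot: The new `definitionVersion` line passes `policySetDefinitions[i].properties.policyDefinitions[c].?definitionVersion` straight through, so when the source JSON omits the field the mapped reference carries a null `definitionVersion`; that matches how `parameters` and `groupNames` are handled on the next two lines, so it is consistent. It does, however, rely on the policy set definition JSON schema and the AzPolicyTest checks accepting a `definitionVersion` member on each policy definition reference, and neither is touched in this diff, so please confirm the schema was extended or the new field will be rejected before it reaches Bicep. The enclosing `map(...)` expression begins and ends outside the hunk.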
@@ -0,0 +1,61 @@
+{
+ "$schema": "../policyAssignment.schema.json",
+ "policyAssignment": {
+ "name": "pa-d-cog-service",
+ "displayName": "Azure Cognitive Services Policies Dev",
+ "description": "Policy Assignment for Azure Cognitive Services - Dev",
+ "metadata": {
+ "category": "Azure Cognitive Services"
+ },
+ "policyDefinitionId": "{policyLocationResourceId}/providers/Microsoft.Authorization/policySetDefinitions/polset-cognitive-service",
+ "identity": "SystemAssigned",
+ "parameters": {
+ "COG-001_Effect": {
+ "value": "Modify"
+ },
+ "COG-002_Effect": {
+ "value": "Deny"
+ },
+ "COG-003_Effect": {
+ "value": "Deny"
+ },
+ "COG-004_Effect": {
+ "value": "Audit"
+ },
+ "COG-005_Effect": {
+ "value": "Deny"
+ },
+ "COG-005_listOfAllowedFormats": {
+ "value": [
+ "xAI",
+ "OpenAI"
+ ]
+ },
+ "COG-006_Effect": {
+ "value": "Deny"
+ },
+ "COG-006_listOfAllowedNames": {
+ "value": [
+ "gpt-4.1",
+ "gpt-5.4",
+ "gpt-5.3-codex"
+ ]
+ },
+ "COG-007_Effect": {
+ "value": "Deny"
+ },
+ "COG-007_listOfAllowedNames": {
+ "value": [
+ "grok-4",
+ "grok-4-1-fast-reasoning"
+ ]
+ }
+ },
+ "nonComplianceMessages": [],
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
+ ]
+ },
+ "definitionSourceManagementGroupId": "/providers/Microsoft.Management/managementGroups/CONTOSO-DEV",
+ "managementGroupId": "CONTOSO-DEV"
+}
diff --git a/policyAssignments/dev/pa-d-cosmos.json b/policyAssignments/dev/pa-d-cosmos.json
new file mode 100644
index 0000000..1b3f013
--- /dev/null
+++ b/policyAssignments/dev/pa-d-cosmos.json
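Review bot: The `roleDefinitionIds` entry in pa-d-cog-service.json grants the assignment's system-assigned identity `b24988ac-6180-42a0-ab88-20f7382dd24c`, which is the built-in Contributor role, far broader than a single Modify effect needs and broader than the service-scoped role the sibling pa-d-cosmos.json assignment uses. Only COG-001 is set to `Modify` in this file, so the identity presumably just has to patch Cognitive Services accounts; a Cognitive Services-scoped contributor role would satisfy least privilege, and the prod copy in policyAssignments/prod/pa-p-cog-service.json carries the same Contributor entry. The provider segment is also lower-cased here (`/providers/microsoft.authorization/roleDefinitions/...`) while the Cosmos assignment writes `Microsoft.Authorization`; both resolve, but one casing keeps the files greppable. Suggested line: `"/providers/Microsoft.Authorization/roleDefinitions/<cognitive-services-scoped-role-guid>"`.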
@@ -0,0 +1,51 @@ +{ + "$schema": "../policyAssignment.schema.json", + "policyAssignment": { + "name": "pa-d-cosmos", + "displayName": "Azure Cosmos DB Policies Dev", + "description": "Policy Assignment for Azure Cosmos DB - Dev", + "metadata": { + "category": "Azure Cosmos DB" + }, + "policyDefinitionId": "{policyLocationResourceId}/providers/Microsoft.Authorization/policySetDefinitions/polset-cosmos-db", + "identity": "SystemAssigned", + "parameters": { + "COSMOS-001_Effect": { + "value": "Modify" + }, + "COSMOS-002_Effect": { + "value": "Deny" + }, + "COSMOS-003_Effect": { + "value": "Deny" + }, + "COSMOS-004_Effect": { + "value": "Audit" + }, + "COSMOS-005_Effect": { + "value": "Deny" + }, + "COSMOS-006_Effect": { + "value": "Deny" + }, + "COSMOS-006_minimalTlsVersion": { + "value": "Tls12" + }, + "COSMOS-007_Effect": { + "value": "Deny" + }, + "COSMOS-007_listOfAllowedLocations": { + "value": [ + "australiaeast", + "australiasoutheast" + ] + } + }, + "nonComplianceMessages": [], + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-4216-938b-f97437e15450" + ] + }, + "definitionSourceManagementGroupId": "/providers/Microsoft.Management/managementGroups/CONTOSO-DEV", + "managementGroupId": "CONTOSO-DEV" +} diff --git a/policyAssignments/dev/pa-d-diag-settings.json b/policyAssignments/dev/pa-d-diag-settings.json index 2ff7317..4b8be20 100644 --- a/policyAssignments/dev/pa-d-diag-settings.json +++ b/policyAssignments/dev/pa-d-diag-settings.json @@ -11,7 +11,7 @@ }, "parameters": { "profileName": { - "value": "setByPolicyLAW" + "value": "setByPolicy" }, "evaluationDelay": { "value": "AfterProvisioning" @@ -43,6 +43,12 @@ "DS-008_Effect": { "value": "DeployIfNotExists" }, + "DS-008_LogsToEnable": { + "value": [ + "AppSystemEvents", + "OTelResources" + ] + }, "DS-009_Effect": { "value": "DeployIfNotExists" }, 
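Review bot: Changing the `profileName` value from `setByPolicyLAW` to `setByPolicy` in pa-d-diag-settings.json changes the name of the diagnostic setting that the DeployIfNotExists definitions look for and create, so resources already carrying a `setByPolicyLAW` setting from earlier remediation will presumably no longer satisfy the existence check and receive a second setting named `setByPolicy` on the next remediation run. Depending on how the definitions' existence conditions are written (not visible here) that can mean duplicated diagnostic settings, or failed deployments where both settings route the same categories to the same workspace. Either the old settings need a cleanup step alongside this rollout, or the rename should be called out in the assignment's `description` so operators expect it. The same rename is made in policyAssignments/prod/pa-p-diag-settings.json.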
@@ -204,6 +210,9 @@ }, "DS-062_Effect": { "value": "DeployIfNotExists" + }, + "DS-063_Effect": { + "value": "DeployIfNotExists" } }, "roleDefinitionIds": [ diff --git a/policyAssignments/dev/pa-d-pedns.json b/policyAssignments/dev/pa-d-pedns.json index 2b8f31f..bf5cc93 100644 --- a/policyAssignments/dev/pa-d-pedns.json +++ b/policyAssignments/dev/pa-d-pedns.json @@ -55,6 +55,12 @@ "PEDNS-015_Effect": { "value": "DeployIfNotExists" }, + "PEDNS-016_Effect": { + "value": "DeployIfNotExists" + }, + "PEDNS-017_Effect": { + "value": "DeployIfNotExists" + }, "evaluationDelay": { "value": "AfterProvisioning" }, diff --git a/policyAssignments/prod/pa-p-cog-service.json b/policyAssignments/prod/pa-p-cog-service.json new file mode 100644 index 0000000..9692e7b --- /dev/null +++ b/policyAssignments/prod/pa-p-cog-service.json 
@@ -0,0 +1,61 @@
+{
+ "$schema": "../policyAssignment.schema.json",
+ "policyAssignment": {
+ "name": "pa-p-cog-service",
+ "displayName": "Azure Cognitive Services Policies Prod",
+ "description": "Policy Assignment for Azure Cognitive Services - Prod",
+ "metadata": {
+ "category": "Azure Cognitive Services"
+ },
+ "policyDefinitionId": "{policyLocationResourceId}/providers/Microsoft.Authorization/policySetDefinitions/polset-cognitive-service",
+ "identity": "SystemAssigned",
+ "parameters": {
+ "COG-001_Effect": {
+ "value": "Modify"
+ },
+ "COG-002_Effect": {
+ "value": "Deny"
+ },
+ "COG-003_Effect": {
+ "value": "Deny"
+ },
+ "COG-004_Effect": {
+ "value": "Audit"
+ },
+ "COG-005_Effect": {
+ "value": "Deny"
+ },
+ "COG-005_listOfAllowedFormats": {
+ "value": [
+ "xAI",
+ "OpenAI"
+ ]
+ },
+ "COG-006_Effect": {
+ "value": "Deny"
+ },
+ "COG-006_listOfAllowedNames": {
+ "value": [
+ "gpt-4.1",
+ "gpt-5.4",
+ "gpt-5.3-codex"
+ ]
+ },
+ "COG-007_Effect": {
+ "value": "Deny"
+ },
+ "COG-007_listOfAllowedNames": {
+ "value": [
+ "grok-4",
+ "grok-4-1-fast-reasoning"
+ ]
+ }
+ },
+ "nonComplianceMessages": [],
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
+ ]
+ },
+ "definitionSourceManagementGroupId": "/providers/Microsoft.Management/managementGroups/CONTOSO",
+ "managementGroupId": "CONTOSO"
+}
diff --git a/policyAssignments/prod/pa-p-cosmos.json b/policyAssignments/prod/pa-p-cosmos.json
new file mode 100644
index 0000000..c88b59e
--- /dev/null
+++ b/policyAssignments/prod/pa-p-cosmos.json
@@ -0,0 +1,51 @@ +{ + "$schema": "../policyAssignment.schema.json", + "policyAssignment": { + "name": "pa-p-cosmos", + "displayName": "Azure Cosmos DB Policies Prod", + "description": "Policy Assignment for Azure Cosmos DB - Prod", + "metadata": { + "category": "Azure Cosmos DB" + }, + "policyDefinitionId": "{policyLocationResourceId}/providers/Microsoft.Authorization/policySetDefinitions/polset-cosmos-db", + "identity": "SystemAssigned", + "parameters": { + "COSMOS-001_Effect": { + "value": "Modify" + }, + "COSMOS-002_Effect": { + "value": "Deny" + }, + "COSMOS-003_Effect": { + "value": "Deny" + }, + "COSMOS-004_Effect": { + "value": "Audit" + }, + "COSMOS-005_Effect": { + "value": "Deny" + }, + "COSMOS-006_Effect": { + "value": "Deny" + }, + "COSMOS-006_minimalTlsVersion": { + "value": "Tls12" + }, + "COSMOS-007_Effect": { + "value": "Deny" + }, + "COSMOS-007_listOfAllowedLocations": { + "value": [ + "australiaeast", + "australiasoutheast" + ] + } + }, + "nonComplianceMessages": [], + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-4216-938b-f97437e15450" + ] + }, + "definitionSourceManagementGroupId": "/providers/Microsoft.Management/managementGroups/CONTOSO", + "managementGroupId": "CONTOSO" +} diff --git a/policyAssignments/prod/pa-p-diag-settings.json b/policyAssignments/prod/pa-p-diag-settings.json index 1880dc6..b785913 100644 --- a/policyAssignments/prod/pa-p-diag-settings.json +++ b/policyAssignments/prod/pa-p-diag-settings.json @@ -11,7 +11,7 @@ "identity": "SystemAssigned", "parameters": { "profileName": { - "value": "setByPolicyLAW" + "value": "setByPolicy" }, "evaluationDelay": { "value": "AfterProvisioning" @@ -43,6 +43,12 @@ "DS-008_Effect": { "value": "DeployIfNotExists" }, + "DS-008_LogsToEnable": { + "value": [ + "AppSystemEvents", + "OTelResources" + ] + }, "DS-009_Effect": { "value": "DeployIfNotExists" }, 
@@ -204,6 +210,9 @@ }, "DS-062_Effect": { "value": "DeployIfNotExists" + }, + "DS-063_Effect": { + "value": "DeployIfNotExists" } }, "roleDefinitionIds": [ diff --git a/policyAssignments/prod/pa-p-pedns.json b/policyAssignments/prod/pa-p-pedns.json index 7933d6c..728870a 100644 --- a/policyAssignments/prod/pa-p-pedns.json +++ b/policyAssignments/prod/pa-p-pedns.json @@ -55,6 +55,12 @@ "PEDNS-015_Effect": { "value": "DeployIfNotExists" }, + "PEDNS-016_Effect": { + "value": "DeployIfNotExists" + }, + "PEDNS-017_Effect": { + "value": "DeployIfNotExists" + }, "evaluationDelay": { "value": "AfterProvisioning" }, diff --git a/policyDefinitions/azure-sql/pol-audit-deny-sql-server-aad-auth.json b/policyDefinitions/azure-sql/pol-audit-deny-sql-server-aad-auth.json index 25423da..afdfbc0 100644 --- a/policyDefinitions/azure-sql/pol-audit-deny-sql-server-aad-auth.json +++ b/policyDefinitions/azure-sql/pol-audit-deny-sql-server-aad-auth.json @@ -4,7 +4,7 @@ "displayName": "Azure SQL Database should have Azure Active Directory Only Authentication enabled", "description": "Disabling local authentication methods and allowing only Azure Active Directory Authentication improves security by ensuring that Azure SQL Databases can exclusively be accessed by Azure Active Directory identities. Learn more at: aka.ms/adonlycreate.", "metadata": { - "category": "Network Security", + "category": "Azure SQL", "version": "1.0.0", "preview": false, "deprecated": false, diff --git a/policyDefinitions/azure-sql/pol-audit-deny-sql-server-public-endpoint.json b/policyDefinitions/azure-sql/pol-audit-deny-sql-server-public-endpoint.json index 8c8d475..c6e4f3c 100644 --- a/policyDefinitions/azure-sql/pol-audit-deny-sql-server-public-endpoint.json +++ b/policyDefinitions/azure-sql/pol-audit-deny-sql-server-public-endpoint.json 
@@ -4,7 +4,7 @@ "displayName": "Public network access on Azure SQL Database should be disabled", "description": "Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules.", "metadata": { - "category": "Network Security", + "category": "Azure SQL", "version": "1.1.0", "preview": false, "deprecated": false, diff --git a/policyDefinitions/azure-sql/pol-audit-deny-sql-server-tls-version.json b/policyDefinitions/azure-sql/pol-audit-deny-sql-server-tls-version.json index c351897..0fc835d 100644 --- a/policyDefinitions/azure-sql/pol-audit-deny-sql-server-tls-version.json +++ b/policyDefinitions/azure-sql/pol-audit-deny-sql-server-tls-version.json @@ -4,7 +4,7 @@ "displayName": "Azure SQL Database should be running TLS version 1.2 or newer", "description": "Setting TLS version to 1.2 or newer improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2 or newer. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.", "metadata": { - "category": "Application and Database security", + "category": "Azure SQL", "version": "2.0.0", "preview": false, "deprecated": false, diff --git a/policyDefinitions/azure-sql/pol-audit-sql-advanced-data-security.json b/policyDefinitions/azure-sql/pol-audit-sql-advanced-data-security.json index 61647ae..f059533 100644 --- a/policyDefinitions/azure-sql/pol-audit-sql-advanced-data-security.json +++ b/policyDefinitions/azure-sql/pol-audit-sql-advanced-data-security.json 
@@ -4,7 +4,7 @@ "displayName": "Azure Defender for SQL should be enabled for unprotected Azure SQL servers", "description": "Audit SQL servers without Advanced Data Security", "metadata": { - "category": "Application and Database security", + "category": "Azure SQL", "version": "2.0.1", "preview": false, "deprecated": false, diff --git a/policyDefinitions/azure-sql/pol-audit-sql-server-private-endpoint.json b/policyDefinitions/azure-sql/pol-audit-sql-server-private-endpoint.json index 4eae95f..485d015 100644 --- a/policyDefinitions/azure-sql/pol-audit-sql-server-private-endpoint.json +++ b/policyDefinitions/azure-sql/pol-audit-sql-server-private-endpoint.json @@ -4,7 +4,7 @@ "displayName": "Private endpoint connections on Azure SQL Database should be enabled", "description": "Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database.", "metadata": { - "category": "Network security", + "category": "Azure SQL", "version": "1.1.0", "preview": false, "deprecated": false, diff --git a/policyDefinitions/azure-sql/pol-audit-sql-vuln-assessment.json b/policyDefinitions/azure-sql/pol-audit-sql-vuln-assessment.json index a0b69a8..81fa169 100644 --- a/policyDefinitions/azure-sql/pol-audit-sql-vuln-assessment.json +++ b/policyDefinitions/azure-sql/pol-audit-sql-vuln-assessment.json @@ -4,7 +4,7 @@ "displayName": "Vulnerability assessment should be enabled on your SQL servers", "description": "Audit Azure SQL servers which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.", "metadata": { - "category": "Application and Database security", + "category": "Azure SQL", "version": "2.0.0", "preview": false, "deprecated": false, 
diff --git a/policyDefinitions/azure-sql/pol-deploy-sql-database-auditing-settings.json b/policyDefinitions/azure-sql/pol-deploy-sql-database-auditing-settings.json index 6830be5..873fdbb 100644 --- a/policyDefinitions/azure-sql/pol-deploy-sql-database-auditing-settings.json +++ b/policyDefinitions/azure-sql/pol-deploy-sql-database-auditing-settings.json @@ -4,7 +4,7 @@ "displayName": "Deploy SQL database auditing settings", "description": "Deploy auditing settings to SQL Database when it not exist in the deployment.", "metadata": { - "category": "Application and Database security", + "category": "Azure SQL", "version": "1.0.0", "preview": false, "deprecated": false diff --git a/policyDefinitions/azure-sql/pol-deploy-sql-tde.json b/policyDefinitions/azure-sql/pol-deploy-sql-tde.json index 18dd831..eaa780d 100644 --- a/policyDefinitions/azure-sql/pol-deploy-sql-tde.json +++ b/policyDefinitions/azure-sql/pol-deploy-sql-tde.json @@ -4,7 +4,7 @@ "displayName": "Deploy SQL Database Transparent Data Encryption", "description": "Deploy the Transparent Data Encryption when it is not enabled in the deployment.", "metadata": { - "category": "Application and Database security", + "category": "Azure SQL", "version": "2.1.0", "preview": false, "deprecated": false, diff --git a/policyDefinitions/cognitive-service/pol-restrict-cog-local-auth.json b/policyDefinitions/cognitive-service/pol-restrict-cog-local-auth.json new file mode 100644 index 0000000..5ad76d0 --- /dev/null +++ b/policyDefinitions/cognitive-service/pol-restrict-cog-local-auth.json 
@@ -0,0 +1,46 @@
+{
+ "name": "pol-restrict-cog-local-auth",
+ "properties": {
+ "displayName": "Cognitive Services accounts should have local authentication methods disabled",
+ "description": "Disable local authentication methods so that your Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/cs/auth.",
+ "metadata": {
+ "category": "Cognitive Services",
+ "version": "1.0.0",
+ "preview": false,
+ "deprecated": false
+ },
+ "mode": "Indexed",
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.CognitiveServices/accounts"
+ },
+ {
+ "field": "Microsoft.CognitiveServices/accounts/disableLocalAuth",
+ "notEquals": true
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
diff --git a/policyDefinitions/cognitive-service/pol-restrict-cog-model-formats.json b/policyDefinitions/cognitive-service/pol-restrict-cog-model-formats.json
new file mode 100644
index 0000000..0c2ca5e
--- /dev/null
+++ b/policyDefinitions/cognitive-service/pol-restrict-cog-model-formats.json
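Review bot: `"notEquals": true` on `disableLocalAuth` also fires when the property is absent, so with the default `Deny` every account kind in scope must support disabling local authentication or its creation is blocked; if any kinds in your estate cannot set `disableLocalAuth`, add a `kind` exclusion (the way the pol-audit-deny-cdb-local-auth hunk in this change excludes API capabilities) or state the limitation in `description`. The effect parameter's `description`, `Enable or disable the execution of the policy`, differs from the wording this change standardises on in the databricks hunks, `The desired effect of the policy.`; pick one for the new definitions too.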
@@ -0,0 +1,56 @@
+{
+ "name": "pol-restrict-cog-model-formats",
+ "properties": {
+ "displayName": "Cognitive Services accounts should only allow permitted model formats",
+ "description": "This policy ensures that Cognitive Services accounts only allow model formats that are explicitly permitted.",
+ "metadata": {
+ "category": "Cognitive Services",
+ "version": "1.0.0",
+ "preview": false,
+ "deprecated": false
+ },
+ "mode": "All",
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ },
+ "listOfAllowedFormats": {
+ "type": "Array",
+ "metadata": {
+ "description": "The list of Open AI model formats that are allowed.",
+ "displayName": "Allowed model formats"
+ },
+ "defaultValue": []
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.CognitiveServices/accounts/deployments"
+ },
+ {
+ "not": {
+ "field": "Microsoft.CognitiveServices/accounts/deployments/model.format",
+ "in": "[parameters('listOfAllowedFormats')]"
+ }
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
diff --git a/policyDefinitions/cognitive-service/pol-restrict-cog-model-names.json b/policyDefinitions/cognitive-service/pol-restrict-cog-model-names.json
new file mode 100644
index 0000000..b60da85
--- /dev/null
+++ b/policyDefinitions/cognitive-service/pol-restrict-cog-model-names.json
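Review bot: `"defaultValue": []` for `listOfAllowedFormats`, combined with the `not`/`in` rule and the default `Deny` effect, means an assignment that does not set the parameter denies every `Microsoft.CognitiveServices/accounts/deployments` resource. Either drop the `"defaultValue": []` line so the assignment must supply the list (pol-restrict-cog-model-names in this change does exactly that for `listOfAllowedNames`), or state the fail-closed behaviour in the parameter `description`. That description, `The list of Open AI model formats that are allowed.`, is also narrower than the rule, which evaluates deployments of every format; `The list of model formats that deployments may use; any other format is denied.` would match what the rule does.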
@@ -0,0 +1,66 @@
+{
+ "name": "pol-restrict-cog-model-names",
+ "properties": {
+ "displayName": "Cognitive Services accounts should only allow permitted model names",
+ "description": "This policy ensures that Cognitive Services accounts only allow model names that are explicitly permitted.",
+ "metadata": {
+ "category": "Cognitive Services",
+ "version": "1.0.0",
+ "preview": false,
+ "deprecated": false
+ },
+ "mode": "All",
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ },
+ "modelFormat": {
+ "type": "string",
+ "metadata": {
+ "description": "The model format that is allowed.",
+ "displayName": "the format of the model"
+ }
+ },
+ "listOfAllowedNames": {
+ "type": "Array",
+ "metadata": {
+ "description": "The list of Open AI model names that are allowed.",
+ "displayName": "Allowed model names"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.CognitiveServices/accounts/deployments"
+ },
+ {
+ "field": "Microsoft.CognitiveServices/accounts/deployments/model.format",
+ "equals": "[parameters('modelFormat')]"
+ },
+ {
+ "not": {
+ "field": "Microsoft.CognitiveServices/accounts/deployments/model.name",
+ "in": "[parameters('listOfAllowedNames')]"
+ }
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
diff --git a/policyDefinitions/cognitive-service/pol-restrict-cog-public-network-access.json b/policyDefinitions/cognitive-service/pol-restrict-cog-public-network-access.json
new file mode 100644
index 0000000..76c20ef
--- /dev/null
+++ b/policyDefinitions/cognitive-service/pol-restrict-cog-public-network-access.json
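Review bot: `"type": "string"` for `modelFormat` is the only lowercase parameter type in the new definitions; every other parameter here and in the sibling files uses `"String"`, so make it `"type": "String"`, and capitalise the display name to match the others, `"displayName": "Model format"`. It is also worth saying in `description` that the rule only evaluates deployments whose `model.format` equals `modelFormat`; deployments of any other format pass this policy untouched, which the display name does not convey.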
@@ -0,0 +1,55 @@
+{
+ "name": "pol-restrict-cog-public-network-access",
+ "properties": {
+ "displayName": "Cognitive Services accounts should restrict public network access",
+ "description": "Disabling public network access improves security by ensuring that your Cognitive Services account isn't exposed on the public internet",
+ "metadata": {
+ "category": "Cognitive Services",
+ "version": "1.0.0",
+ "preview": false,
+ "deprecated": false
+ },
+ "mode": "Indexed",
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.CognitiveServices/accounts"
+ },
+ {
+ "anyOf": [
+ {
+ "field": "Microsoft.CognitiveServices/accounts/publicNetworkAccess",
+ "notEquals": "Disabled"
+ },
+ {
+ "field": "Microsoft.CognitiveServices/accounts/networkAcls.defaultAction",
+ "notEquals": "Deny"
+ }
+ ]
+ }
+
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
diff --git a/policyDefinitions/container-registry/pol-audit-acr-disable-public-network-access.json b/policyDefinitions/container-registry/pol-audit-acr-disable-public-network-access.json
index 67adb37..3141cde 100644
--- a/policyDefinitions/container-registry/pol-audit-acr-disable-public-network-access.json
+++ b/policyDefinitions/container-registry/pol-audit-acr-disable-public-network-access.json
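Review bot: the `anyOf` flags an account when either `publicNetworkAccess` is not `Disabled` or `networkAcls.defaultAction` is not `Deny`, so an account that has public access disabled but carries no `networkAcls` block is non-compliant and, with the default effect, denied. If the intent is that either control on its own is sufficient, the `anyOf` should be `allOf`; if both are meant to be required, say so in `description`, which currently only mentions disabling public network access. There is also a stray empty line after the `anyOf` block inside the outer `allOf` array; it is valid JSON, but none of the sibling definitions have one.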
@@ -4,7 +4,7 @@ "displayName": "Public network access should be disabled for Container registries", "description": "Disabling public network access improves security by ensuring that container registries are not exposed on the public internet. Creating private endpoints can limit exposure of container registry resources.", "metadata": { - "category": "Network Security", + "category": "Container Registry", "version": "1.0.0", "preview": false, "deprecated": true, diff --git a/policyDefinitions/container-registry/pol-audit-acr-encrypt-with-cmk.json b/policyDefinitions/container-registry/pol-audit-acr-encrypt-with-cmk.json index a94ea9f..868da50 100644 --- a/policyDefinitions/container-registry/pol-audit-acr-encrypt-with-cmk.json +++ b/policyDefinitions/container-registry/pol-audit-acr-encrypt-with-cmk.json @@ -4,7 +4,7 @@ "displayName": "Container registries should be encrypted with a customer-managed key", "description": "Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.", "metadata": { - "category": "Network Security", + "category": "Container Registry", "version": "1.1.2", "preview": false, "deprecated": false, diff --git a/policyDefinitions/container-registry/pol-audit-acr-using-premium-sku.json b/policyDefinitions/container-registry/pol-audit-acr-using-premium-sku.json index aff39e6..d06682f 100644 --- a/policyDefinitions/container-registry/pol-audit-acr-using-premium-sku.json +++ b/policyDefinitions/container-registry/pol-audit-acr-using-premium-sku.json 
@@ -4,7 +4,7 @@ "displayName": "Container registries should have SKUs that support Private Links", "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, data leakage risks are reduced. Learn more at: https://aka.ms/acr/private-link.", "metadata": { - "category": "Network Security", + "category": "Container Registry", "version": "1.0.0", "preview": false, "deprecated": false, diff --git a/policyDefinitions/cosmos-db/pol-audit-deny-cbd-allowed-locations.json b/policyDefinitions/cosmos-db/pol-audit-deny-cbd-allowed-locations.json new file mode 100644 index 0000000..ac51d16 --- /dev/null +++ b/policyDefinitions/cosmos-db/pol-audit-deny-cbd-allowed-locations.json 
@@ -0,0 +1,61 @@
+{
+ "name": "pol-audit-deny-cdb-allowed-locations",
+ "properties": {
+ "displayName": "Azure Cosmos DB allowed locations",
+ "mode": "Indexed",
+ "description": "This policy enables you to restrict the locations your organization can specify when deploying Azure Cosmos DB resources. Use to enforce your geo-compliance requirements.",
+ "metadata": {
+ "version": "1.1.0",
+ "category": "Cosmos DB",
+ "preview": false,
+ "deprecated": false,
+ "source_builtIn_name": "0473574d-2d43-4217-aefe-941fcdf7e684"
+ },
+ "parameters": {
+ "listOfAllowedLocations": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "Allowed locations",
+ "description": "The list of locations that can be specified when deploying Azure Cosmos DB resources.",
+ "strongType": "location"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Policy Effect",
+ "description": "The desired effect of the policy."
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.DocumentDB/databaseAccounts"
+ },
+ {
+ "count": {
+ "field": "Microsoft.DocumentDB/databaseAccounts/Locations[*]",
+ "where": {
+ "value": "[replace(toLower(first(field('Microsoft.DocumentDB/databaseAccounts/Locations[*].locationName'))), ' ', '')]",
+ "in": "[parameters('listOfAllowedLocations')]"
+ }
+ },
+ "notEquals": "[length(field('Microsoft.DocumentDB/databaseAccounts/Locations[*]'))]"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
diff --git a/policyDefinitions/cosmos-db/pol-audit-deny-cdb-disable-public-network-access.json b/policyDefinitions/cosmos-db/pol-audit-deny-cdb-disable-public-network-access.json
index 36f11b0..a5cde03 100644
--- a/policyDefinitions/cosmos-db/pol-audit-deny-cdb-disable-public-network-access.json
+++ b/policyDefinitions/cosmos-db/pol-audit-deny-cdb-disable-public-network-access.json
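Review bot: the file is named `pol-audit-deny-cbd-allowed-locations.json` but `"name"` is `pol-audit-deny-cdb-allowed-locations`, and every other Cosmos DB definition in this folder uses the `cdb` abbreviation; rename the file to match so that anything keyed on the file name lines up with the definition name. Keeping `source_builtIn_name` here is the opposite of what the pol-audit-deny-cdb-key-based-metadata-write and pol-audit-deny-cdb-local-auth hunks in this change do; presumably the field is dropped once a rule diverges from the built-in, and a one-line note on that convention in the repo docs would stop the next editor guessing.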
@@ -4,7 +4,7 @@ "displayName": "Azure Cosmos DB should disable public network access", "description": "Disabling public network access improves security by ensuring that your CosmosDB account isn't exposed on the public internet. Creating private endpoints can limit exposure of your CosmosDB account.", "metadata": { - "category": "Network Security", + "category": "Cosmos DB", "version": "1.0.0", "preview": false, "deprecated": false, diff --git a/policyDefinitions/cosmos-db/pol-audit-deny-cdb-encrypt-with-cmk.json b/policyDefinitions/cosmos-db/pol-audit-deny-cdb-encrypt-with-cmk.json index db4d615..edd73a7 100644 --- a/policyDefinitions/cosmos-db/pol-audit-deny-cdb-encrypt-with-cmk.json +++ b/policyDefinitions/cosmos-db/pol-audit-deny-cdb-encrypt-with-cmk.json @@ -4,7 +4,7 @@ "displayName": "Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest", "description": "Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/cosmosdb-cmk.", "metadata": { - "category": "Network Security", + "category": "Cosmos DB", "version": "1.1.0", "preview": false, "deprecated": false, diff --git a/policyDefinitions/cosmos-db/pol-audit-deny-cdb-firewall-rule-exists.json b/policyDefinitions/cosmos-db/pol-audit-deny-cdb-firewall-rule-exists.json index 1e4fedc..efc245f 100644 --- a/policyDefinitions/cosmos-db/pol-audit-deny-cdb-firewall-rule-exists.json +++ b/policyDefinitions/cosmos-db/pol-audit-deny-cdb-firewall-rule-exists.json 
@@ -4,7 +4,7 @@ "displayName": "Azure Cosmos DB accounts should have firewall rules", "description": "Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant.", "metadata": { - "category": "Network Security", + "category": "Cosmos DB", "version": "2.0.0", "preview": false, "deprecated": false, diff --git a/policyDefinitions/cosmos-db/pol-audit-deny-cdb-key-based-metadata-write.json b/policyDefinitions/cosmos-db/pol-audit-deny-cdb-key-based-metadata-write.json index da58771..4624dab 100644 --- a/policyDefinitions/cosmos-db/pol-audit-deny-cdb-key-based-metadata-write.json +++ b/policyDefinitions/cosmos-db/pol-audit-deny-cdb-key-based-metadata-write.json @@ -4,11 +4,10 @@ "displayName": "Azure Cosmos DB key based metadata write access should be disabled", "description": "This policy restricts Azure Cosmos DB accounts disable key based metadata write access.", "metadata": { - "category": "Data Protection", + "category": "Cosmos DB", "version": "1.0.0", "preview": false, - "deprecated": false, - "source_builtIn_name": "4750c32b-89c0-46af-bfcb-2e4541a818d5" + "deprecated": false }, "mode": "Indexed", "parameters": { diff --git a/policyDefinitions/cosmos-db/pol-audit-deny-cdb-local-auth.json b/policyDefinitions/cosmos-db/pol-audit-deny-cdb-local-auth.json index 8145ca8..e42a184 100644 --- a/policyDefinitions/cosmos-db/pol-audit-deny-cdb-local-auth.json +++ b/policyDefinitions/cosmos-db/pol-audit-deny-cdb-local-auth.json 
@@ -4,11 +4,10 @@ "displayName": "Cosmos DB database accounts should have local authentication methods disabled", "description": "Disabling local authentication methods improves security by ensuring that Cosmos DB database accounts exclusively require Azure Active Directory identities for authentication. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-setup-rbac#disable-local-auth.", "metadata": { - "category": "Data Protection", + "category": "Cosmos DB", "version": "1.0.0", "preview": false, - "deprecated": false, - "source_builtIn_name": "5450f5bd-9c72-4390-a9c4-a7aba4edfdd2" + "deprecated": false }, "mode": "Indexed", "parameters": { @@ -36,6 +35,24 @@ { "field": "Microsoft.DocumentDB/databaseAccounts/disableLocalAuth", "notEquals": true + }, + { + "anyOf": [ + { + "field": "Microsoft.DocumentDB/databaseAccounts/capabilities[*].name", + "notin": [ + "EnableMongo", + "EnableCassandra", + "EnableGremlin" + ] + }, + { + "count":{ + "field":"Microsoft.DocumentDB/databaseAccounts/capabilities[*]" + }, + "equals":0 + } + ] } ] }, diff --git a/policyDefinitions/cosmos-db/pol-audit-deny-cdb-minimum-tls-version.json b/policyDefinitions/cosmos-db/pol-audit-deny-cdb-minimum-tls-version.json new file mode 100644 index 0000000..ac2d6ca --- /dev/null +++ b/policyDefinitions/cosmos-db/pol-audit-deny-cdb-minimum-tls-version.json 
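Review bot: the new exclusion relies on `notin` against the `capabilities[*].name` array alias, and array-alias semantics for negated operators (whether every member must satisfy the condition, and how an empty array evaluates) are subtle enough that a second `count` branch was added just for the empty case. A single `count`/`where` with `in` and `"equals": 0` says "no capability is Mongo, Cassandra or Gremlin" in one condition, covers the empty array, and would replace the whole added `anyOf` block. The `"count":{` and `"field":"` lines also lack the space after the colon that the rest of the file uses. Since the exclusion intentionally leaves Mongo, Cassandra and Gremlin accounts on local authentication, the `description` changed in the first hunk should mention that those APIs are out of scope.
```json
{
  "count": {
    "field": "Microsoft.DocumentDB/databaseAccounts/capabilities[*]",
    "where": {
      "field": "Microsoft.DocumentDB/databaseAccounts/capabilities[*].name",
      "in": [
        "EnableMongo",
        "EnableCassandra",
        "EnableGremlin"
      ]
    }
  },
  "equals": 0
}
```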
@@ -0,0 +1,69 @@
+{
+ "name": "pol-audit-deny-cdb-minimum-tls-version",
+ "properties": {
+ "displayName": "Azure Cosmos DB accounts should have a minimum TLS version",
+ "description": "Ensure that your Azure Cosmos DB accounts are configured to use a minimum TLS version to enhance security.",
+ "metadata": {
+ "category": "Cosmos DB",
+ "version": "1.0.0",
+ "preview": false,
+ "deprecated": false
+ },
+ "mode": "Indexed",
+ "parameters": {
+ "minimalTlsVersion": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Minimum TLS Version",
+ "description": "Minimum version of TLS required for Cosmos DB"
+ },
+ "allowedValues": [
+ "Tls10",
+ "Tls11",
+ "Tls12"
+ ],
+ "defaultValue": "Tls12"
+ },
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.DocumentDB/databaseAccounts"
+ },
+ {
+ "not": {
+ "field": "Microsoft.DocumentDB/databaseAccounts/minimalTlsVersion",
+ "equals": "[parameters('minimalTlsVersion')]"
+ }
+ },
+ {
+ "anyOf":[
+ {
+ "value": "[replace(field('Microsoft.DocumentDB/databaseAccounts/minimalTlsVersion'),'Tls', '')]",
+ "less": "[replace(parameters('minimalTlsVersion'),'Tls','')]"
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
diff --git a/policyDefinitions/data-explorer/pol-audit-adx-private-endpoints.json b/policyDefinitions/data-explorer/pol-audit-adx-private-endpoints.json
index 57a7c22..1efed97 100644
--- a/policyDefinitions/data-explorer/pol-audit-adx-private-endpoints.json
+++ b/policyDefinitions/data-explorer/pol-audit-adx-private-endpoints.json
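Review bot: the `not`/`equals` condition is redundant with the `less` comparison that follows (a value below the parameter is never equal to it), and the single-element `anyOf` adds nothing, so the rule reduces to the type check plus the `value`/`less` condition. Two things are worth confirming before this ships with a default of `Deny`: `field('Microsoft.DocumentDB/databaseAccounts/minimalTlsVersion')` is null for an account that has never set the property, and `replace()` on null may produce an evaluation error rather than mark the account non-compliant; and, as far as I know, the service reports this property as `Tls`, `Tls11` or `Tls12`, so the `Tls10` entry in `allowedValues` never matches a resource value and an account on `Tls` becomes an empty string after `replace`. If that is right, use `Tls` in `allowedValues` and document in `description` how an unset value is treated.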
@@ -4,7 +4,7 @@ "displayName": "Azure Data Explorer Cluster should use private link", "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Data Explorer cluster, data leakage risks are reduced. Learn more about private links at: https://learn.microsoft.com/en-us/azure/data-explorer/security-network-private-endpoint.", "metadata": { - "category": "Network Security", + "category": "Data Explorer", "version": "1.0.0", "preview": false, "deprecated": false, diff --git a/policyDefinitions/data-explorer/pol-deny-adx-disk-encryption.json b/policyDefinitions/data-explorer/pol-deny-adx-disk-encryption.json index 5decab3..c09699d 100644 --- a/policyDefinitions/data-explorer/pol-deny-adx-disk-encryption.json +++ b/policyDefinitions/data-explorer/pol-deny-adx-disk-encryption.json @@ -4,7 +4,7 @@ "displayName": "Disk encryption should be enabled on Azure Data Explorer", "description": "Enabling disk encryption helps protect and safeguard your data to meet your organizational security and compliance commitments.", "metadata": { - "category": "Data Protection", + "category": "Data Explorer", "version": "1.0.0", "preview": false, "deprecated": false, diff --git a/policyDefinitions/data-explorer/pol-deny-adx-double-encryption.json b/policyDefinitions/data-explorer/pol-deny-adx-double-encryption.json index b865d4e..aeb9ceb 100644 --- a/policyDefinitions/data-explorer/pol-deny-adx-double-encryption.json +++ b/policyDefinitions/data-explorer/pol-deny-adx-double-encryption.json 
@@ -4,7 +4,7 @@ "displayName": "Double encryption should be enabled on Azure Data Explorer", "description": "Enabling double encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. When double encryption has been enabled, data in the storage account is encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys.", "metadata": { - "category": "Data Protection", + "category": "Data Explorer", "version": "1.0.0", "preview": false, "deprecated": false, diff --git a/policyDefinitions/data-explorer/pol-deny-adx-encrypt-with-cmk.json b/policyDefinitions/data-explorer/pol-deny-adx-encrypt-with-cmk.json index aa67a97..09ad52e 100644 --- a/policyDefinitions/data-explorer/pol-deny-adx-encrypt-with-cmk.json +++ b/policyDefinitions/data-explorer/pol-deny-adx-encrypt-with-cmk.json @@ -4,7 +4,7 @@ "displayName": "Azure Data Explorer encryption at rest should use a customer-managed key", "description": "Enabling encryption at rest using a customer-managed key on your Azure Data Explorer cluster provides additional control over the key being used by the encryption at rest. This feature is oftentimes applicable to customers with special compliance requirements and requires a Key Vault to managing the keys.", "metadata": { - "category": "Data Protection", + "category": "Data Explorer", "version": "1.0.0", "preview": false, "deprecated": false, diff --git a/policyDefinitions/data-explorer/pol-deny-adx-public-network-access.json b/policyDefinitions/data-explorer/pol-deny-adx-public-network-access.json index b376410..cfd2114 100644 --- a/policyDefinitions/data-explorer/pol-deny-adx-public-network-access.json +++ b/policyDefinitions/data-explorer/pol-deny-adx-public-network-access.json 
@@ -4,7 +4,7 @@ "displayName": "Public network access on Azure Data Explorer should be disabled", "description": "Disabling the public network access property improves security by ensuring Azure Data Explorer can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules.", "metadata": { - "category": "Network Security", + "category": "Data Explorer", "version": "1.0.0", "preview": false, "deprecated": false, diff --git a/policyDefinitions/data-factory/pol-audit-adf-private-endpoints.json b/policyDefinitions/data-factory/pol-audit-adf-private-endpoints.json index 8923d9a..4007543 100644 --- a/policyDefinitions/data-factory/pol-audit-adf-private-endpoints.json +++ b/policyDefinitions/data-factory/pol-audit-adf-private-endpoints.json @@ -4,7 +4,7 @@ "displayName": "Azure Data Factory should use private link", "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Data Factory, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link.", "metadata": { - "category": "Network Security", + "category": "Data Factory", "version": "1.0.0", "preview": false, "deprecated": false, diff --git a/policyDefinitions/data-factory/pol-audit-adf-use-git-for-source-control.json b/policyDefinitions/data-factory/pol-audit-adf-use-git-for-source-control.json index e6a0d34..3adf8e4 100644 --- a/policyDefinitions/data-factory/pol-audit-adf-use-git-for-source-control.json +++ b/policyDefinitions/data-factory/pol-audit-adf-use-git-for-source-control.json 
@@ -4,7 +4,7 @@ "displayName": "Azure Data Factory should use a Git repository for source control", "description": "Enable source control on data factories, to gain capabilities such as change tracking, collaboration, continuous integration, and deployment.", "metadata": { - "category": "Data Protection", + "category": "Data Factory", "version": "1.0.0-preview", "preview": true, "deprecated": false, diff --git a/policyDefinitions/data-factory/pol-audit-deny-adf-linked-services-should-use-key-vault.json b/policyDefinitions/data-factory/pol-audit-deny-adf-linked-services-should-use-key-vault.json index ad3c91a..20d1cd2 100644 --- a/policyDefinitions/data-factory/pol-audit-deny-adf-linked-services-should-use-key-vault.json +++ b/policyDefinitions/data-factory/pol-audit-deny-adf-linked-services-should-use-key-vault.json @@ -4,7 +4,7 @@ "displayName": "Azure Data Factory linked services should use Key Vault for storing secrets", "description": "To ensure secrets (such as connection strings) are managed securely, require users to provide secrets using an Azure Key Vault instead of specifying them inline in linked services.", "metadata": { - "category": "Data Protection", + "category": "Data Factory", "version": "1.0.0-preview", "preview": true, "deprecated": false, diff --git a/policyDefinitions/data-factory/pol-deny-adf-ir-limit-number-of-cores.json b/policyDefinitions/data-factory/pol-deny-adf-ir-limit-number-of-cores.json index 9a9a17a..775ad54 100644 --- a/policyDefinitions/data-factory/pol-deny-adf-ir-limit-number-of-cores.json +++ b/policyDefinitions/data-factory/pol-deny-adf-ir-limit-number-of-cores.json @@ -4,7 +4,7 @@ "displayName": "Azure Data Factory integration runtime should have a limit for number of cores", "description": "To manage your resources and costs, limit the number of cores for an integration runtime.", "metadata": { - "category": "Cost Management", + "category": "Data Factory", "version": "1.0.0-preview", "preview": true, "deprecated": false, 
diff --git a/policyDefinitions/data-factory/pol-modify-adf-disable-public-network-access.json b/policyDefinitions/data-factory/pol-modify-adf-disable-public-network-access.json index 9ac3049..0f0a991 100644 --- a/policyDefinitions/data-factory/pol-modify-adf-disable-public-network-access.json +++ b/policyDefinitions/data-factory/pol-modify-adf-disable-public-network-access.json @@ -4,7 +4,7 @@ "displayName": "Configure Data Factories to disable public network access", "description": "Disable public network access for your Data Factory so that it is not accessible over the public internet. This can reduce data leakage risks.", "metadata": { - "category": "Network Security", + "category": "Data Factory", "version": "1.0.0", "preview": false, "deprecated": false, diff --git a/policyDefinitions/databricks/pol-deny-adb-cluster-public-network-access.json b/policyDefinitions/databricks/pol-deny-adb-cluster-public-network-access.json index fc1c0af..e7036c1 100644 --- a/policyDefinitions/databricks/pol-deny-adb-cluster-public-network-access.json +++ b/policyDefinitions/databricks/pol-deny-adb-cluster-public-network-access.json @@ -4,7 +4,7 @@ "displayName": "Azure Databricks Clusters should disable public IP", "description": "Disabling public IP of clusters in Azure Databricks Workspaces improves security by ensuring that the clusters aren't exposed on the public internet. Learn more at: https://learn.microsoft.com/azure/databricks/security/secure-cluster-connectivity.", "metadata": { - "category": "Network Security", + "category": "Databricks", "version": "1.0.1", "preview": false, "deprecated": false, diff --git a/policyDefinitions/databricks/pol-deny-adb-workspace-public-network-access.json b/policyDefinitions/databricks/pol-deny-adb-workspace-public-network-access.json index c84488b..c66c9bd 100644 --- a/policyDefinitions/databricks/pol-deny-adb-workspace-public-network-access.json +++ b/policyDefinitions/databricks/pol-deny-adb-workspace-public-network-access.json 
@@ -4,7 +4,7 @@ "displayName": "Azure Databricks Workspaces should disable public network access", "description": "Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can control exposure of your resources by creating private endpoints instead. Learn more at: https://learn.microsoft.com/azure/databricks/administration-guide/cloud-configurations/azure/private-link.", "metadata": { - "category": "Network Security", + "category": "Databricks", "version": "1.0.1", "preview": false, "deprecated": false, diff --git a/policyDefinitions/databricks/pol-deny-adb-workspace-sku.json b/policyDefinitions/databricks/pol-deny-adb-workspace-sku.json index 6ff5137..d30344b 100644 --- a/policyDefinitions/databricks/pol-deny-adb-workspace-sku.json +++ b/policyDefinitions/databricks/pol-deny-adb-workspace-sku.json @@ -4,7 +4,7 @@ "displayName": "Azure Databricks workspaces should be Premium SKU that supports features like private link", "description": "Only allow Databricks workspace with Premium Sku that your organization can deploy to support features like Private Link, customer-managed key for encryption. Learn more at: https://aka.ms/adbpe.", "metadata": { - "category": "Network Security", + "category": "Databricks", "version": "1.0.1", "preview": false, "deprecated": false, @@ -16,7 +16,7 @@ "type": "String", "metadata": { "displayName": "Effect", - "description": "Enable or disable the execution of the audit policy" + "description": "The desired effect of the policy." }, "allowedValues": [ "Audit", diff --git a/policyDefinitions/databricks/pol-deny-adb-workspace-vnet.json b/policyDefinitions/databricks/pol-deny-adb-workspace-vnet.json index b32e469..d635b0e 100644 --- a/policyDefinitions/databricks/pol-deny-adb-workspace-vnet.json +++ b/policyDefinitions/databricks/pol-deny-adb-workspace-vnet.json 
@@ -4,7 +4,7 @@ "displayName": "Azure Databricks Workspaces should be in a virtual network", "description": "Azure Virtual Networks provide enhanced security and isolation for your Azure Databricks Workspaces, as well as subnets, access control policies, and other features to further restrict access. Learn more at: https://docs.microsoft.com/azure/databricks/administration-guide/cloud-configurations/azure/vnet-inject.", "metadata": { - "category": "Network Security", + "category": "Databricks", "version": "1.0.2", "preview": false, "deprecated": false, diff --git a/policyDefinitions/databricks/pol-deploy-adb-private-dns-zones.json b/policyDefinitions/databricks/pol-deploy-adb-private-dns-zones.json index ee13f9a..6bbf66c 100644 --- a/policyDefinitions/databricks/pol-deploy-adb-private-dns-zones.json +++ b/policyDefinitions/databricks/pol-deploy-adb-private-dns-zones.json @@ -4,7 +4,7 @@ "displayName": "Configure Azure Databricks workspace to use private DNS zones", "description": "Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Databricks workspaces. Learn more at: https://aka.ms/adbpe.", "metadata": { - "category": "Network Security", + "category": "Databricks", "version": "1.0.0", "preview": false, "deprecated": false @@ -36,7 +36,7 @@ "type": "String", "metadata": { "displayName": "Effect", - "description": "Enable or disable the execution of the policy" + "description": "The desired effect of the policy." }, "allowedValues": [ "DeployIfNotExists", diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-aa.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-aa.json index d71e161..fe34589 100644 --- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-aa.json +++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-aa.json 
@@ -90,12 +90,26 @@ "existenceCondition": { "allOf": [ { - "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", - "equals": "True" + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + } + ] + } + }, + "equals": 1 }, { "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", - "equals": "True" + "equals": "[parameters('metricsEnabled')]" }, { "field": "Microsoft.Insights/diagnosticSettings/workspaceId", diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-aci.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-aci.json index dbf6c7b..3bbab6e 100644 --- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-aci.json +++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-aci.json @@ -79,7 +79,7 @@ "allOf": [ { "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", - "equals": "True" + "equals": "[parameters('metricsEnabled')]" }, { "field": "Microsoft.Insights/diagnosticSettings/workspaceId", diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-acr.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-acr.json index e2036f0..1ceb5ed 100644 --- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-acr.json +++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-acr.json @@ -100,13 +100,17 @@ }, { "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", - "equals": "true" + "equals": "[parameters('logsEnabled')]" } ] } }, "equals": 1 }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "[parameters('metricsEnabled')]" + }, { "field": "Microsoft.Insights/diagnosticSettings/workspaceId", "matchInsensitively": "[parameters('logAnalytics')]" 
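Review bot: The replacement `count` condition only accepts a diagnostic setting whose logs entry uses `categoryGroup` `allLogs`, so a pre-existing setting that enables the same logs per category (or via the `audit` group) now evaluates non-compliant, and where the template names the setting from `profileName` (as the new cognitiveProjects file does) remediation will overwrite it. That is a change in compliance semantics rather than a refactor, so the `metadata.version` of each touched definition (outside this hunk) should be bumped and the behaviour called out in the commit description. The same pattern is introduced in the analysisService, apim, appGW, batch, cdnEndpoints, cdnProfiles, cognitive, cosmosDB, dataFactory, databricks, dlanalytics, dlstore, eventGridSystemTopic, eventGridTopic, eventhub, expressRoutes, firewall and frontDoor hunks.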
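Review bot: The new `metrics.enabled` clause in the acr existence condition can only be satisfied if the deployment template in this file (outside the hunk) also emits a `metrics` entry with `enabled` bound to `metricsEnabled`; if it does not, no deployed setting can ever match and the DeployIfNotExists effect will redeploy on every evaluation cycle. Please confirm the template change is part of this commit, or drop the clause.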
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-aks.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-aks.json index 6d5e5b7..7f9c54d 100644 --- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-aks.json +++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-aks.json @@ -103,11 +103,11 @@ "allOf": [ { "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", - "equals": "True" + "equals": "[parameters('logsEnabled')]" }, { "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", - "equals": "True" + "equals": "[parameters('metricsEnabled')]" }, { "field": "Microsoft.Insights/diagnosticSettings/workspaceId", diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-analysisService.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-analysisService.json index 2c81eb1..c7efc82 100644 --- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-analysisService.json +++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-analysisService.json @@ -90,12 +90,26 @@ "existenceCondition": { "allOf": [ { - "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", - "equals": "True" + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + } + ] + } + }, + "equals": 1 }, { "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", - "equals": "True" + "equals": "[parameters('metricsEnabled')]" }, { "field": "Microsoft.Insights/diagnosticSettings/workspaceId", diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-apim.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-apim.json index 6744068..4c0b052 100644 --- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-apim.json 
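Review bot: The aks existence condition keeps the aggregate alias `Microsoft.Insights/diagnosticSettings/logs.enabled` and only swaps the literal for `[parameters('logsEnabled')]`, while the sibling definitions in this commit move to a `count` over `logs[*]` filtered on `categoryGroup` and `enabled`; the ase hunk later in this run does the same. If the divergence is deliberate because these two templates enumerate categories rather than `allLogs`, that deserves a sentence in the commit description; otherwise align them with the `count` form so the whole set can be reasoned about uniformly.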
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-apim.json @@ -102,12 +102,26 @@ "existenceCondition": { "allOf": [ { - "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", - "equals": "True" + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + } + ] + } + }, + "equals": 1 }, { "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", - "equals": "True" + "equals": "[parameters('metricsEnabled')]" }, { "field": "Microsoft.Insights/diagnosticSettings/workspaceId", diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-appGW.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-appGW.json index 2b14de6..f411eab 100644 --- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-appGW.json +++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-appGW.json @@ -90,12 +90,26 @@ "existenceCondition": { "allOf": [ { - "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", - "equals": "True" + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + } + ] + } + }, + "equals": 1 }, { "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", - "equals": "True" + "equals": "[parameters('metricsEnabled')]" }, { "field": "Microsoft.Insights/diagnosticSettings/workspaceId", diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-appInsights.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-appInsights.json index 3c569c7..ae52725 100644 
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-appInsights.json +++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-appInsights.json @@ -39,15 +39,6 @@ ], "defaultValue": "DeployIfNotExists" }, - "logAnalytics": { - "type": "string", - "metadata": { - "displayName": "Log Analytics workspace", - "description": "Select the Log Analytics workspace from dropdown list", - "strongType": "omsWorkspace", - "assignPermissions": true - } - }, "metricsEnabled": { "type": "string", "metadata": { @@ -60,17 +51,16 @@ ], "defaultValue": "True" }, - "logsEnabled": { - "type": "string", + "logsToEnable": { + "type": "array", "metadata": { - "displayName": "Enable logs", - "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + "displayName": "Logs to be enable", + "description": "Diagnostic logs to be enabled" }, - "allowedValues": [ - "True", - "False" - ], - "defaultValue": "True" + "defaultValue": [ + "AppSystemEvents", + "OTelResources" + ] } }, "policyRule": { @@ -90,16 +80,22 @@ "existenceCondition": { "allOf": [ { - "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", - "equals": "True" + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].category", + "in": "[parameters('logsToEnable')]" + } + }, + "equals": "[length(parameters('logsToEnable'))]" }, { - "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", - "equals": "True" + "field": "Microsoft.Insights/diagnosticSettings/metrics[*].enabled", + "equals": "[parameters('metricsEnabled')]" }, { "field": "Microsoft.Insights/diagnosticSettings/workspaceId", - "matchInsensitively": "[parameters('logAnalytics')]" + "matchInsensitively": "[field('Microsoft.Insights/Components/WorkspaceResourceId')]" } ] }, 
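Review bot: Removing the `logAnalytics` parameter changes this definition's assignment surface — any initiative or assignment that still passes `logAnalytics` (or `logsEnabled`, dropped in the next hunk) will fail — and it also changes where diagnostics land: the setting now follows whatever workspace each Application Insights component is linked to instead of a centrally chosen one, which matters for log centralisation and retention controls. Both points warrant a `metadata.version` bump (outside this hunk) and an update to the initiative parameter mapping in the same change.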
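Review bot: `"displayName": "Logs to be enable"` is ungrammatical; `"displayName": "Logs to enable"` reads correctly and matches the parameter name `logsToEnable`. The description could also name the two defaults (`AppSystemEvents`, `OTelResources`) so assignment authors know what is enabled out of the box.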
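Review bot: The new `where` clause checks only that a logs entry's `category` is in `logsToEnable`, not that it is enabled, so a pre-existing setting that lists `AppSystemEvents` and `OTelResources` with `enabled: false` satisfies the existence condition and the policy neither flags nor remediates it. Wrap the `where` in an `allOf` that also requires `logs[*].enabled` to equal `True` (the value the template in the next hunk deploys), as the other definitions in this commit do. Separately, this file now uses `metrics[*].enabled` while every sibling uses `metrics.enabled`; pick one form across the set.
```json
"count": {
  "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
  "where": {
    "allOf": [
      {
        "field": "Microsoft.Insights/diagnosticSettings/logs[*].category",
        "in": "[parameters('logsToEnable')]"
      },
      {
        "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
        "equals": "True"
      }
    ]
  }
},
"equals": "[length(parameters('logsToEnable'))]"
```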
@@ -116,14 +112,11 @@ "resourceName": { "type": "string" }, - "logAnalytics": { - "type": "string" - }, "metricsEnabled": { "type": "string" }, - "logsEnabled": { - "type": "string" + "logsToEnable": { + "type": "array" }, "location": { "type": "string" @@ -138,7 +131,7 @@ "location": "[parameters('location')]", "dependsOn": [], "properties": { - "workspaceId": "[parameters('logAnalytics')]", + "workspaceId": "[reference(resourceId('Microsoft.Insights/Components', parameters('resourceName')), '2020-02-02', 'Full').properties.WorkspaceResourceId]", "metrics": [ { "category": "AllMetrics", @@ -150,10 +143,14 @@ "timeGrain": null } ], - "logs": [ + "copy": [ { - "categoryGroup": "allLogs", - "enabled": "[parameters('logsEnabled')]" + "name": "logs", + "count": "[length(parameters('logsToEnable'))]", + "input": { + "category": "[parameters('logsToEnable')[copyIndex('logs')]]", + "enabled": "True" + } } ] } @@ -165,14 +162,11 @@ "profileName": { "value": "[parameters('profileName')]" }, - "logAnalytics": { - "value": "[parameters('logAnalytics')]" - }, "metricsEnabled": { "value": "[parameters('metricsEnabled')]" }, - "logsEnabled": { - "value": "[parameters('logsEnabled')]" + "logsToEnable": { + "value": "[parameters('logsToEnable')]" }, "location": { "value": "[field('location')]" diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-ase.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-ase.json index 56f19d1..dd37c1b 100644 --- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-ase.json +++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-ase.json @@ -79,7 +79,7 @@ "allOf": [ { "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", - "equals": "True" + "equals": "[parameters('logsEnabled')]" }, { "field": "Microsoft.Insights/diagnosticSettings/workspaceId", 
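Review bot: `reference(resourceId('Microsoft.Insights/Components', parameters('resourceName')), '2020-02-02', 'Full').properties.WorkspaceResourceId` presumes a workspace-based component; a classic Application Insights resource has no `WorkspaceResourceId`, so the expression resolves to null, the deployment fails, and the earlier `matchInsensitively` against `field('Microsoft.Insights/Components/WorkspaceResourceId')` is comparing against null. I cannot see the policy's `if` from this hunk; unless it already filters on that property, add `{ "field": "Microsoft.Insights/Components/WorkspaceResourceId", "exists": true }` to it so classic components fall out of scope instead of failing remediation on every cycle.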
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-batch.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-batch.json index 1a8135f..53a68fd 100644 --- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-batch.json +++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-batch.json @@ -90,12 +90,26 @@ "existenceCondition": { "allOf": [ { - "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", - "equals": "True" + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + } + ] + } + }, + "equals": 1 }, { "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", - "equals": "True" + "equals": "[parameters('metricsEnabled')]" }, { "field": "Microsoft.Insights/diagnosticSettings/workspaceId", diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-cdnEndpoints.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-cdnEndpoints.json index 05675f7..09abfc4 100644 --- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-cdnEndpoints.json +++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-cdnEndpoints.json @@ -78,8 +78,22 @@ "existenceCondition": { "allOf": [ { - "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", - "equals": "True" + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + } + ] + } + }, + "equals": 1 }, { "field": "Microsoft.Insights/diagnosticSettings/workspaceId", 
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-cdnProfiles.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-cdnProfiles.json index 732d711..0ea8ec7 100644 --- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-cdnProfiles.json +++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-cdnProfiles.json @@ -90,12 +90,26 @@ "existenceCondition": { "allOf": [ { - "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", - "equals": "True" + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + } + ] + } + }, + "equals": 1 }, { "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", - "equals": "True" + "equals": "[parameters('metricsEnabled')]" }, { "field": "Microsoft.Insights/diagnosticSettings/workspaceId", diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-cognitive.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-cognitive.json index ce16ad1..1b9575e 100644 --- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-cognitive.json +++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-cognitive.json 
@@ -90,12 +90,26 @@ "existenceCondition": { "allOf": [ { - "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", - "equals": "True" + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + } + ] + } + }, + "equals": 1 }, { "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", - "equals": "True" + "equals": "[parameters('metricsEnabled')]" }, { "field": "Microsoft.Insights/diagnosticSettings/workspaceId", @@ -154,10 +168,6 @@ { "categoryGroup": "allLogs", "enabled": "[parameters('logsEnabled')]" - }, - { - "categoryGroup": "audit", - "enabled": "[parameters('logsEnabled')]" } ] } diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-cognitiveProjects.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-cognitiveProjects.json new file mode 100644 index 0000000..a40f627 --- /dev/null +++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-cognitiveProjects.json 
@@ -0,0 +1,204 @@ +{ + "name": "pol-deploy-diag-cognitiveProjects", + "properties": { + "displayName": "Deploys the diagnostic settings for Cognitive Services Projects to Log Analytics workspace", + "description": "This policy automatically deploys and enable diagnostic settings to Log Analytics", + "metadata": { + "category": "Logging and monitoring", + "version": "1.0.0", + "preview": false, + "deprecated": false + }, + "mode": "All", + "parameters": { + "profileName": { + "type": "string", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + }, + "defaultValue": "setByPolicy" + }, + "evaluationDelay": { + "type": "string", + "metadata": { + "displayName": "Evaluation Delay", + "description": "Specifies when the existence of the related resources should be evaluated. The delay is only used for evaluations that are a result of a create or update resource request. Allowed values are AfterProvisioning, AfterProvisioningSuccess, AfterProvisioningFailure, or an ISO 8601 duration between 0 and 360 minutes." 
+ }, + "defaultValue": "AfterProvisioning" + }, + "effect": { + "type": "string", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "logAnalytics": { + "type": "string", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select the Log Analytics workspace from dropdown list", + "strongType": "omsWorkspace", + "assignPermissions": true + } + }, + "metricsEnabled": { + "type": "string", + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "True" + }, + "logsEnabled": { + "type": "string", + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "True" + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.CognitiveServices/accounts/projects" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "evaluationDelay": "[parameters('evaluationDelay')]", + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "existenceCondition": { + "allOf": [ + { + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + } + ] + } + }, + "equals": 1 + }, + { + "field": 
"Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "[parameters('metricsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "matchInsensitively": "[parameters('logAnalytics')]" + } + ] + }, + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "profileName": { + "type": "string" + }, + "resourceName": { + "type": "string" + }, + "logAnalytics": { + "type": "string" + }, + "metricsEnabled": { + "type": "string" + }, + "logsEnabled": { + "type": "string" + }, + "location": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.CognitiveServices/accounts/projects/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "profileName": { + "value": "[parameters('profileName')]" + }, + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('fullName')]" + } + } + } + } + } + } + } + } +} 
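Review bot: The new definition's `effect` parameter carries `"description": "Enable or disable the execution of the policy"`, the wording this same commit replaces in pol-deny-adb-workspace-sku and pol-deploy-adb-private-dns-zones with `"description": "The desired effect of the policy."`; use the new wording here too. The rest of the file follows the shared diag pattern, including `field('fullName')` for `resourceName`, which is what the `accounts/projects/providers/diagnosticSettings` child name needs.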
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-cosmosDB.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-cosmosDB.json index d6246a6..e8fb46b 100644 --- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-cosmosDB.json +++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-cosmosDB.json @@ -102,12 +102,26 @@ "existenceCondition": { "allOf": [ { - "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", - "equals": "True" + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + } + ] + } + }, + "equals": 1 }, { "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", - "equals": "True" + "equals": "[parameters('metricsEnabled')]" }, { "field": "Microsoft.Insights/diagnosticSettings/workspaceId", 
@@ -166,43 +180,20 @@ "enabled": false }, "timeGrain": null + }, + { + "category": "SLI", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null } ], "logs": [ { - "category": "DataPlaneRequests", - "enabled": "[parameters('logsEnabled')]" - }, - { - "category": "MongoRequests", - "enabled": "[parameters('logsEnabled')]" - }, - { - "category": "QueryRuntimeStatistics", - "enabled": "[parameters('logsEnabled')]" - }, - { - "category": "PartitionKeyStatistics", - "enabled": "[parameters('logsEnabled')]" - }, - { - "category": "PartitionKeyRUConsumption", - "enabled": "[parameters('logsEnabled')]" - }, - { - "category": "ControlPlaneRequests", - "enabled": "[parameters('logsEnabled')]" - }, - { - "category": "CassandraRequests", - "enabled": "[parameters('logsEnabled')]" - }, - { - "category": "GremlinRequests", - "enabled": "[parameters('logsEnabled')]" - }, - { - "category": "TableApiRequests", + "categoryGroup": "allLogs", "enabled": "[parameters('logsEnabled')]" } ] diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-dataFactory.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-dataFactory.json index 6d30698..01db3c6 100644 --- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-dataFactory.json +++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-dataFactory.json 
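Review bot: The added `SLI` metric category is not something I can verify against the Cosmos DB diagnostic schema from here; if `Microsoft.DocumentDB/databaseAccounts` does not expose it, the deployment is rejected and the definition never reaches compliance, so please confirm it before merging. Collapsing the nine explicit categories into `categoryGroup` `allLogs` is consistent with the new existence condition in the previous hunk, but `allLogs` will also re-include streams such as `DataPlaneRequests` and `PartitionKeyRUConsumption`, which are typically high-volume, so the ingestion-cost impact deserves a line in the commit description.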
@@ -101,13 +101,27 @@ ], "existenceCondition": { "allOf": [ - { - "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", - "equals": "True" + { + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + } + ] + } + }, + "equals": 1 }, { "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", - "equals": "True" + "equals": "[parameters('metricsEnabled')]" }, { "field": "Microsoft.Insights/diagnosticSettings/workspaceId", diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-databricks.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-databricks.json index 6bf3b92..cf6426b 100644 --- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-databricks.json +++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-databricks.json @@ -85,9 +85,23 @@ ], "existenceCondition": { "allOf": [ - { - "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", - "equals": "True" +{ + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + } + ] + } + }, + "equals": 1 }, { "field": "Microsoft.Insights/diagnosticSettings/workspaceId", diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-dlanalytics.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-dlanalytics.json index 7a26033..0aaebb2 100644 --- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-dlanalytics.json +++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-dlanalytics.json 
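Review bot: In the databricks hunk the new block appears to open with `{` at column 0 (`+{`) while its closing `},` and the neighbouring entries keep the existing indentation; indent the brace to match the `}` that closes it so the existence condition stays readable and a formatter does not churn the file on the next touch. The dataFactory hunk in the same run re-indents its opening brace for the same reason, so the two should end up consistent.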
@@ -90,12 +90,26 @@ "existenceCondition": { "allOf": [ { - "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", - "equals": "True" + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + } + ] + } + }, + "equals": 1 }, { "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", - "equals": "True" + "equals": "[parameters('metricsEnabled')]" }, { "field": "Microsoft.Insights/diagnosticSettings/workspaceId", diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-dlstore.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-dlstore.json index 9b62ebd..dc88449 100644 --- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-dlstore.json +++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-dlstore.json @@ -90,12 +90,26 @@ "existenceCondition": { "allOf": [ { - "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", - "equals": "True" + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + } + ] + } + }, + "equals": 1 }, { "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", - "equals": "True" + "equals": "[parameters('metricsEnabled')]" }, { "field": "Microsoft.Insights/diagnosticSettings/workspaceId", diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-eventGridSub.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-eventGridSub.json index fe8ba57..d7ddcf7 100644 --- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-eventGridSub.json 
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-eventGridSub.json @@ -79,7 +79,7 @@ "allOf": [ { "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", - "equals": "True" + "equals": "[parameters('metricsEnabled')]" }, { "field": "Microsoft.Insights/diagnosticSettings/workspaceId", diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-eventGridSystemTopic.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-eventGridSystemTopic.json index fa93e56..b168b47 100644 --- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-eventGridSystemTopic.json +++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-eventGridSystemTopic.json @@ -90,12 +90,26 @@ "existenceCondition": { "allOf": [ { - "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", - "equals": "True" + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + } + ] + } + }, + "equals": 1 }, { "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", - "equals": "True" + "equals": "[parameters('metricsEnabled')]" }, { "field": "Microsoft.Insights/diagnosticSettings/workspaceId", diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-eventGridTopic.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-eventGridTopic.json index 1109f43..3c2b83e 100644 --- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-eventGridTopic.json +++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-eventGridTopic.json 
@@ -90,12 +90,26 @@ "existenceCondition": { "allOf": [ { - "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", - "equals": "True" + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + } + ] + } + }, + "equals": 1 }, { "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", - "equals": "True" + "equals": "[parameters('metricsEnabled')]" }, { "field": "Microsoft.Insights/diagnosticSettings/workspaceId", @@ -154,10 +168,6 @@ { "categoryGroup": "allLogs", "enabled": "[parameters('logsEnabled')]" - }, - { - "categoryGroup": "audit", - "enabled": "[parameters('logsEnabled')]" } ] } diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-eventhub.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-eventhub.json index bf6a481..a39a539 100644 --- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-eventhub.json +++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-eventhub.json @@ -90,12 +90,26 @@ "existenceCondition": { "allOf": [ { - "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", - "equals": "True" + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + } + ] + } + }, + "equals": 1 }, { "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", - "equals": "True" + "equals": "[parameters('metricsEnabled')]" }, { "field": "Microsoft.Insights/diagnosticSettings/workspaceId", 
@@ -154,10 +168,6 @@ { "categoryGroup": "allLogs", "enabled": "[parameters('logsEnabled')]" - }, - { - "categoryGroup": "audit", - "enabled": "[parameters('logsEnabled')]" } ] } diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-expressRoutes.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-expressRoutes.json index 58aca43..18b0bbf 100644 --- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-expressRoutes.json +++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-expressRoutes.json @@ -90,12 +90,26 @@ "existenceCondition": { "allOf": [ { - "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", - "equals": "True" + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + } + ] + } + }, + "equals": 1 }, { "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", - "equals": "True" + "equals": "[parameters('metricsEnabled')]" }, { "field": "Microsoft.Insights/diagnosticSettings/workspaceId", diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-firewall.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-firewall.json index 0868bc0..a18a12b 100644 --- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-firewall.json +++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-firewall.json 
@@ -90,12 +90,26 @@
 "existenceCondition": {
 "allOf": [
 {
- "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-frontDoor.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-frontDoor.json
index 768ebe3..7390d73 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-frontDoor.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-frontDoor.json
@@ -90,12 +90,26 @@
 "existenceCondition": {
 "allOf": [
 {
- "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-function.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-function.json
index fe3d1cb..73a8389 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-function.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-function.json
@@ -120,7 +120,7 @@
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
- "equals": "true"
+ "equals": "[parameters('logsEnabled')]"
 }
 ]
 }
@@ -129,7 +129,7 @@
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-hdInsight.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-hdInsight.json
index 231c227..296b0a7 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-hdInsight.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-hdInsight.json
@@ -79,7 +79,7 @@
 "allOf": [
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-iothub.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-iothub.json
index e19b60c..0170bfc 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-iothub.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-iothub.json
@@ -102,12 +102,26 @@
 "existenceCondition": {
 "allOf": [
 {
- "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
@@ -172,10 +186,6 @@
 {
 "categoryGroup": "allLogs",
 "enabled": "[parameters('logsEnabled')]"
- },
- {
- "categoryGroup": "audit",
- "enabled": "[parameters('logsEnabled')]"
 }
 ]
 }
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-kv.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-kv.json
index 503b536..ca49909 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-kv.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-kv.json
@@ -102,12 +102,26 @@
 "existenceCondition": {
 "allOf": [
 {
- "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
@@ -172,10 +186,6 @@
 {
 "categoryGroup": "allLogs",
 "enabled": "[parameters('logsEnabled')]"
- },
- {
- "categoryGroup": "audit",
- "enabled": "[parameters('logsEnabled')]"
 }
 ]
 }
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-la.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-la.json
index db08e79..e98fb85 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-la.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-la.json
@@ -89,13 +89,27 @@
 ],
 "existenceCondition": {
 "allOf": [
- {
- "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+{
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
@@ -154,10 +168,6 @@
 {
 "categoryGroup": "allLogs",
 "enabled": "[parameters('logsEnabled')]"
- },
- {
- "categoryGroup": "audit",
- "enabled": "[parameters('logsEnabled')]"
 }
 ]
 }
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-lb.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-lb.json
index c63c989..744315e 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-lb.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-lb.json
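Review bot: In the la.json hunk `@@ -89,13 +89,27 @@` the replacement object's opening brace is added at column 0 (`+{`) while every sibling entry under `"allOf"` is indented, so the file's indentation is broken and the brace line is churned although its content did not change; keep the original ` {` as a context line and start the addition at `+ "count": {`, as the eventhub and kv hunks do. The logicAppsIntegrationAccounts hunk `@@ -77,9 +77,23 @@` has the same `+{`, and the nsg hunk `@@ -77,9 +77,23 @@` removes and re-adds the brace as a whitespace-only change. Running these three files through the same JSON formatter as the rest of the directory before committing would keep the diffs limited to the condition change.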
@@ -90,12 +90,26 @@
 "existenceCondition": {
 "allOf": [
 {
- "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-logicAppsIntegrationAccounts.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-logicAppsIntegrationAccounts.json
index 0309586..a1fe214 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-logicAppsIntegrationAccounts.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-logicAppsIntegrationAccounts.json
@@ -77,9 +77,23 @@
 ],
 "existenceCondition": {
 "allOf": [
- {
- "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+{
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-logicAppsWorkflow.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-logicAppsWorkflow.json
index 9685af2..8c776fb 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-logicAppsWorkflow.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-logicAppsWorkflow.json
@@ -90,12 +90,26 @@
 "existenceCondition": {
 "allOf": [
 {
- "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-mariaDB.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-mariaDB.json
index 0b689da..22182d0 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-mariaDB.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-mariaDB.json
@@ -90,12 +90,26 @@
 "existenceCondition": {
 "allOf": [
 {
- "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-mlworkspace.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-mlworkspace.json
index f9f7c6c..b7df0ff 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-mlworkspace.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-mlworkspace.json
@@ -90,12 +90,26 @@
 "existenceCondition": {
 "allOf": [
 {
- "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
@@ -154,10 +168,6 @@
 {
 "categoryGroup": "allLogs",
 "enabled": "[parameters('logsEnabled')]"
- },
- {
- "categoryGroup": "audit",
- "enabled": "[parameters('logsEnabled')]"
 }
 ]
 }
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-mySql.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-mySql.json
index 99e9f6f..4d8858f 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-mySql.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-mySql.json
@@ -90,12 +90,26 @@
 "existenceCondition": {
 "allOf": [
 {
- "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-nic.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-nic.json
index 73f5f1c..d68daea 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-nic.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-nic.json
@@ -79,7 +79,7 @@
 "allOf": [
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-nsg.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-nsg.json
index 4d81fd3..31c822d 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-nsg.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-nsg.json
@@ -77,9 +77,23 @@
 ],
 "existenceCondition": {
 "allOf": [
- {
- "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+ {
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-pip.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-pip.json
index 56022db..a15da40 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-pip.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-pip.json
@@ -90,12 +90,26 @@
 "existenceCondition": {
 "allOf": [
 {
- "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
@@ -154,10 +168,6 @@
 {
 "categoryGroup": "allLogs",
 "enabled": "[parameters('logsEnabled')]"
- },
- {
- "categoryGroup": "audit",
- "enabled": "[parameters('logsEnabled')]"
 }
 ]
 }
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-postgreSQL.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-postgreSQL.json
index 26b0710..d6c2e75 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-postgreSQL.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-postgreSQL.json
@@ -90,12 +90,26 @@
 "existenceCondition": {
 "allOf": [
 {
- "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
@@ -154,10 +168,6 @@
 {
 "categoryGroup": "allLogs",
 "enabled": "[parameters('logsEnabled')]"
- },
- {
- "categoryGroup": "audit",
- "enabled": "[parameters('logsEnabled')]"
 }
 ]
 }
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-powerBIEmbedded.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-powerBIEmbedded.json
index 9062096..4c72504 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-powerBIEmbedded.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-powerBIEmbedded.json
@@ -90,12 +90,26 @@
 "existenceCondition": {
 "allOf": [
 {
- "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-redisCache.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-redisCache.json
index 2b1025f..ab1998f 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-redisCache.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-redisCache.json
@@ -90,12 +90,26 @@
 "existenceCondition": {
 "allOf": [
 {
- "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
@@ -154,10 +168,6 @@
 {
 "categoryGroup": "allLogs",
 "enabled": "[parameters('logsEnabled')]"
- },
- {
- "categoryGroup": "audit",
- "enabled": "[parameters('logsEnabled')]"
 }
 ]
 }
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-relay.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-relay.json
index 7128e00..204869c 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-relay.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-relay.json
@@ -90,12 +90,26 @@
 "existenceCondition": {
 "allOf": [
 {
- "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-rsv.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-rsv.json
index 1c12ae6..322cfbf 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-rsv.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-rsv.json
@@ -102,12 +102,26 @@
 "existenceCondition": {
 "allOf": [
 {
- "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-searchService.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-searchService.json
index 23f156e..543b256 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-searchService.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-searchService.json
@@ -90,12 +90,26 @@
 "existenceCondition": {
 "allOf": [
 {
- "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-serviceBus.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-serviceBus.json
index 7e2a107..9102a43 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-serviceBus.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-serviceBus.json
@@ -90,12 +90,26 @@
 "existenceCondition": {
 "allOf": [
 {
- "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
@@ -154,10 +168,6 @@
 {
 "categoryGroup": "allLogs",
 "enabled": "[parameters('logsEnabled')]"
- },
- {
- "categoryGroup": "audit",
- "enabled": "[parameters('logsEnabled')]"
 }
 ]
 }
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-signalR.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-signalR.json
index 2d79274..2cae50e 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-signalR.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-signalR.json
@@ -90,12 +90,26 @@
 "existenceCondition": {
 "allOf": [
 {
- "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-sqlDBs.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-sqlDBs.json
index 9e93bc1..ab85fb8 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-sqlDBs.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-sqlDBs.json
@@ -98,12 +98,26 @@
 "existenceCondition": {
 "allOf": [
 {
- "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
@@ -180,10 +194,6 @@
 {
 "categoryGroup": "allLogs",
 "enabled": "[parameters('logsEnabled')]"
- },
- {
- "categoryGroup": "audit",
- "enabled": "[parameters('logsEnabled')]"
 }
 ]
 }
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-sqlElasticPools.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-sqlElasticPools.json
index 17de2ae..e562dba 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-sqlElasticPools.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-sqlElasticPools.json
@@ -79,7 +79,7 @@
 "allOf": [
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-sqlMi.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-sqlMi.json
index 9d2852a..be33921 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-sqlMi.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-sqlMi.json
@@ -78,8 +78,22 @@
 "existenceCondition": {
 "allOf": [
 {
- "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-sqlMiDBs.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-sqlMiDBs.json
index 61be7ca..8f345ac 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-sqlMiDBs.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-sqlMiDBs.json
@@ -78,8 +78,22 @@
 "existenceCondition": {
 "allOf": [
 {
- "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-storageAccount.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-storageAccount.json
index 8079de5..36ae7ad 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-storageAccount.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-storageAccount.json
@@ -91,11 +91,11 @@
 "allOf": [
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+ "equals": "[parameters('logsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
@@ -152,15 +152,7 @@
 ],
 "logs": [
 {
- "category": "StorageRead",
- "enabled": "[parameters('logsEnabled')]"
- },
- {
- "category": "StorageWrite",
- "enabled": "[parameters('logsEnabled')]"
- },
- {
- "category": "StorageDelete",
+ "categoryGroup": "allLogs",
 "enabled": "[parameters('logsEnabled')]"
 }
 ]
@@ -187,15 +179,7 @@
 ],
 "logs": [
 {
- "category": "StorageRead",
- "enabled": "[parameters('logsEnabled')]"
- },
- {
- "category": "StorageWrite",
- "enabled": "[parameters('logsEnabled')]"
- },
- {
- "category": "StorageDelete",
+ "categoryGroup": "allLogs",
 "enabled": "[parameters('logsEnabled')]"
 }
 ]
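Review bot: The storageAccount hunk `@@ -91,11 +91,11 @@` keeps the non-`[*]` alias `Microsoft.Insights/diagnosticSettings/logs.enabled` compared against `[parameters('logsEnabled')]`, while the other definitions in this commit move to a `count` over `logs[*]` filtered on `categoryGroup` equals `allLogs`; the deployment in this same file now writes `allLogs` (hunks `@@ -152`, `@@ -187`, `@@ -222`, `@@ -257`), so the existence condition no longer verifies what remediation deploys, and a setting that still carries the old explicit `StorageRead`/`StorageWrite`/`StorageDelete` categories, or presumably any single enabled category, would be accepted as compliant. The sub.json hunk `@@ -81,7 +81,7 @@` and synapseAnalytics hunk `@@ -79,7 +79,7 @@` keep the same old-style alias. Aligning these three on the `count`/`where` form used elsewhere in the commit would make the compliance check match the deployed configuration and remove the last `logs.enabled` variants from the directory.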
@@ -222,15 +206,7 @@
 ],
 "logs": [
 {
- "category": "StorageRead",
- "enabled": "[parameters('logsEnabled')]"
- },
- {
- "category": "StorageWrite",
- "enabled": "[parameters('logsEnabled')]"
- },
- {
- "category": "StorageDelete",
+ "categoryGroup": "allLogs",
 "enabled": "[parameters('logsEnabled')]"
 }
 ]
@@ -257,15 +233,7 @@
 ],
 "logs": [
 {
- "category": "StorageRead",
- "enabled": "[parameters('logsEnabled')]"
- },
- {
- "category": "StorageWrite",
- "enabled": "[parameters('logsEnabled')]"
- },
- {
- "category": "StorageDelete",
+ "categoryGroup": "allLogs",
 "enabled": "[parameters('logsEnabled')]"
 }
 ]
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-streamAnalyticsJobs.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-streamAnalyticsJobs.json
index 9c73530..7b7d502 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-streamAnalyticsJobs.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-streamAnalyticsJobs.json
@@ -90,12 +90,26 @@
 "existenceCondition": {
 "allOf": [
 {
- "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-sub.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-sub.json
index d52a96a..a092cde 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-sub.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-sub.json
@@ -81,7 +81,7 @@
 "allOf": [
 {
 "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+ "equals": "[parameters('logsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-synapseAnalytics.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-synapseAnalytics.json
index fe2a4f3..754aa40 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-synapseAnalytics.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-synapseAnalytics.json
@@ -79,7 +79,7 @@
 "allOf": [
 {
 "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+ "equals": "[parameters('logsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-timeSeriesInsights.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-timeSeriesInsights.json
index 4fd6e7f..5c5ad6b 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-timeSeriesInsights.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-timeSeriesInsights.json
@@ -90,12 +90,26 @@
 "existenceCondition": {
 "allOf": [
 {
- "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-trafficManager.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-trafficManager.json
index 2320ee2..56edd5c 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-trafficManager.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-trafficManager.json
@@ -90,12 +90,26 @@
 "existenceCondition": {
 "allOf": [
 {
- "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-vnet.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-vnet.json
index 6b6e660..3a1ef23 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-vnet.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-vnet.json
@@ -90,12 +90,26 @@
 "existenceCondition": {
 "allOf": [
 {
- "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-vnetGW.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-vnetGW.json
index 40a4547..3253794 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-vnetGW.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-vnetGW.json
@@ -89,13 +89,27 @@
 ],
 "existenceCondition": {
 "allOf": [
- {
- "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+{
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
@@ -154,10 +168,6 @@
 {
 "categoryGroup": "allLogs",
 "enabled": "[parameters('logsEnabled')]"
- },
- {
- "categoryGroup": "audit",
- "enabled": "[parameters('logsEnabled')]"
 }
 ]
 }
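Review bot: In the vnetGW hunk `@@ -89,13 +89,27 @@` the added opening brace is written as `+{` at column 0, unlike the removed `{` it replaces and every other line of the `allOf` array, so the definition no longer formats consistently; re-indent that `{` to match the `{` of the following `metrics.enabled` element. The second vnetGW hunk drops the separate `"categoryGroup": "audit"` entry from the deployed logs and keeps only `allLogs`; if `audit` is a subset of `allLogs` for this resource type this is a no-op, but the existence condition now verifies only the `allLogs` entry, so confirm that no audit-only category is lost from the vnetGW diagnostic settings. The enclosing `logs` array and deployment template continue outside the hunk.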
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-vpnGW.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-vpnGW.json
index 169e7e5..0c02559 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-vpnGW.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-vpnGW.json
@@ -90,12 +90,26 @@
 "existenceCondition": {
 "allOf": [
 {
- "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-webServerFarm.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-webServerFarm.json
index e909b3b..5ef86ce 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-webServerFarm.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-webServerFarm.json
@@ -79,7 +79,7 @@
 "allOf": [
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-website.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-website.json
index c273bd9..9187d42 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-website.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-website.json
@@ -120,7 +120,7 @@
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
- "equals": "true"
+ "equals": "[parameters('logsEnabled')]"
 }
 ]
 }
@@ -129,7 +129,7 @@
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
diff --git a/policyDefinitions/general/pol-deny-general-allowed-locations.json b/policyDefinitions/general/pol-deny-general-allowed-locations.json
index 0cde8bf..2ef2e34 100644
--- a/policyDefinitions/general/pol-deny-general-allowed-locations.json
+++ b/policyDefinitions/general/pol-deny-general-allowed-locations.json
@@ -4,7 +4,7 @@
 "displayName": "Allowed locations",
 "description": "This policy enables you to restrict the locations your organization can specify when deploying resources. Use to enforce your geo-compliance requirements. Excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources that use the 'global' region.",
 "metadata": {
- "category": "Identity and Access Management",
+ "category": "General",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false,
diff --git a/policyDefinitions/general/pol-deny-resource-provider.json b/policyDefinitions/general/pol-deny-resource-provider.json
index dc7469a..646431d 100644
--- a/policyDefinitions/general/pol-deny-resource-provider.json
+++ b/policyDefinitions/general/pol-deny-resource-provider.json
@@ -4,7 +4,7 @@
 "displayName": "Deny Resource Provider",
 "description": "This policy enables you to restrict all resources from a specific resource provider from being created.",
 "metadata": {
- "category": "Asset Management",
+ "category": "General",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false
diff --git a/policyDefinitions/general/pol-deny-resource-type.json b/policyDefinitions/general/pol-deny-resource-type.json
index 23afedd..32cc8e8 100644
--- a/policyDefinitions/general/pol-deny-resource-type.json
+++ b/policyDefinitions/general/pol-deny-resource-type.json
@@ -4,7 +4,7 @@
 "displayName": "Deny Resource Type",
 "description": "This policy enables you to restrict a specific type of resource from being created.",
 "metadata": {
- "category": "Asset Management",
+ "category": "General",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false
diff --git a/policyDefinitions/key-vault/pol-append-kv-soft-delete-purge-protection.json b/policyDefinitions/key-vault/pol-append-kv-soft-delete-purge-protection.json
index fbec811..6a0cda0 100644
--- a/policyDefinitions/key-vault/pol-append-kv-soft-delete-purge-protection.json
+++ b/policyDefinitions/key-vault/pol-append-kv-soft-delete-purge-protection.json
@@ -4,7 +4,7 @@
 "displayName": "Automatically enable Key vault Soft-Delete and Purge Protection",
 "description": "This policy automatically enables Soft-Delete and Purge Protection for the Azure Key Vault if not already enabled.",
 "metadata": {
- "category": "Data Protection",
+ "category": "Key Vault",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false
diff --git a/policyDefinitions/key-vault/pol-audit-deny-kv-public-network-access.json b/policyDefinitions/key-vault/pol-audit-deny-kv-public-network-access.json
index d8e9b95..7911f5c 100644
--- a/policyDefinitions/key-vault/pol-audit-deny-kv-public-network-access.json
+++ b/policyDefinitions/key-vault/pol-audit-deny-kv-public-network-access.json
@@ -4,7 +4,7 @@
 "displayName": "Azure Key Vault should disable public network access",
 "description": "Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks.",
 "metadata": {
- "category": "Network Security",
+ "category": "Key Vault",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false,
diff --git a/policyDefinitions/key-vault/pol-enforce-kv-purge-protection.json b/policyDefinitions/key-vault/pol-enforce-kv-purge-protection.json
index 9a3ed3c..ebef1fc 100644
--- a/policyDefinitions/key-vault/pol-enforce-kv-purge-protection.json
+++ b/policyDefinitions/key-vault/pol-enforce-kv-purge-protection.json
@@ -4,7 +4,7 @@
 "displayName": "Key vaults should have purge protection enabled",
 "description": "Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period.",
 "metadata": {
- "category": "Identity and Access management",
+ "category": "Key Vault",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false,
diff --git a/policyDefinitions/key-vault/pol-enforce-kv-rbac-authorization.json b/policyDefinitions/key-vault/pol-enforce-kv-rbac-authorization.json
index 0a2a165..ddae62d 100644
--- a/policyDefinitions/key-vault/pol-enforce-kv-rbac-authorization.json
+++ b/policyDefinitions/key-vault/pol-enforce-kv-rbac-authorization.json
@@ -4,7 +4,7 @@
 "displayName": "Azure Key Vault should use RBAC permission model",
 "description": "Enable RBAC permission model across Key Vaults. Learn more at: https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-migration",
 "metadata": {
- "category": "Identity and Access management",
+ "category": "Key Vault",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false,
diff --git a/policyDefinitions/log-analytics/pol-audit-law-table-retention.json b/policyDefinitions/log-analytics/pol-audit-law-table-retention.json
index 40f3f64..a63471f 100644
--- a/policyDefinitions/log-analytics/pol-audit-law-table-retention.json
+++ b/policyDefinitions/log-analytics/pol-audit-law-table-retention.json
@@ -4,7 +4,7 @@
 "displayName": "Audit Log Analytics workspace table retention",
 "description": "Audit the minimum data retention for Log Analytics tables.",
 "metadata": {
- "category": "Data Protection",
+ "category": "Log Analytics",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false
diff --git a/policyDefinitions/network-security-group/pol-allowed-service-tags-in-nsg-rule.json b/policyDefinitions/network-security-group/pol-allowed-service-tags-in-nsg-rule.json
index 9c041b0..898f0fb 100644
--- a/policyDefinitions/network-security-group/pol-allowed-service-tags-in-nsg-rule.json
+++ b/policyDefinitions/network-security-group/pol-allowed-service-tags-in-nsg-rule.json
@@ -5,7 +5,7 @@
 "mode": "All",
 "description": "This policy restrict the use of disallowed service tags in Network Security Group Security Rules.",
 "metadata": {
- "category": "Network Security",
+ "category": "Network Security Group",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false
diff --git a/policyDefinitions/network-security-group/pol-deny-service-tag-in-nsg-rule.json b/policyDefinitions/network-security-group/pol-deny-service-tag-in-nsg-rule.json
index 132d701..14e3bed 100644
--- a/policyDefinitions/network-security-group/pol-deny-service-tag-in-nsg-rule.json
+++ b/policyDefinitions/network-security-group/pol-deny-service-tag-in-nsg-rule.json
@@ -5,7 +5,7 @@
 "mode": "All",
 "description": "This policy restricts the use of specific service tag in NSG rules",
 "metadata": {
- "category": "Network Security",
+ "category": "Network Security Group",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false
diff --git a/policyDefinitions/network-security-group/pol-deny-service-tag-in-nsg.json b/policyDefinitions/network-security-group/pol-deny-service-tag-in-nsg.json
index 328b75d..e395188 100644
--- a/policyDefinitions/network-security-group/pol-deny-service-tag-in-nsg.json
+++ b/policyDefinitions/network-security-group/pol-deny-service-tag-in-nsg.json
@@ -5,7 +5,7 @@
 "mode": "All",
 "description": "This policy deny's the use of specific service tag in NSG rules",
 "metadata": {
- "category": "Network Security",
+ "category": "Network Security Group",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false
diff --git a/policyDefinitions/network-security-group/pol-deploy-nsg-flow-logs-traffic-analytics.json b/policyDefinitions/network-security-group/pol-deploy-nsg-flow-logs-traffic-analytics.json
index 7c29169..7c02e3b 100644
--- a/policyDefinitions/network-security-group/pol-deploy-nsg-flow-logs-traffic-analytics.json
+++ b/policyDefinitions/network-security-group/pol-deploy-nsg-flow-logs-traffic-analytics.json
@@ -1,13 +1,13 @@
 {
 "name": "pol-deploy-nsg-flow-logs-traffic-analytics",
 "properties": {
- "displayName": "Configure network security groups to enable traffic analytics",
+ "displayName": "[Deprecated] Configure network security groups to enable traffic analytics",
 "description": "Traffic analytics can be enabled for all network security groups hosted in a particular region with the settings provided during policy creation. If it already has Traffic analytics enabled, then policy does not overwrite its settings. Flow Logs are also enabled for the Network security groups that do not have it. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks.",
 "metadata": {
 "category": "Logging and monitoring",
 "version": "1.0.0",
 "preview": false,
- "deprecated": false,
+ "deprecated": true,
 "source_builtIn_name": "e920df7f-9a64-4066-9b58-52684c02a091"
 },
 "mode": "Indexed",
diff --git a/policyDefinitions/private-endpoint/pol-deny-auto-approved-pe.json b/policyDefinitions/private-endpoint/pol-deny-auto-approved-pe.json
index c6e0d33..e75e132 100644
--- a/policyDefinitions/private-endpoint/pol-deny-auto-approved-pe.json
+++ b/policyDefinitions/private-endpoint/pol-deny-auto-approved-pe.json
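Review bot: The deprecation of pol-deploy-nsg-flow-logs-traffic-analytics.json (hunk `@@ -1,13 +1,13 @@`) flips `deprecated` to `true` and prefixes the displayName, but leaves `"version": "1.0.0"` unchanged, so consumers comparing metadata versions cannot tell the deprecated revision from the one they already assigned; Azure built-in definitions (this one records a `source_builtIn_name`) mark deprecation with a version suffix, e.g. `"version": "1.0.0-deprecated"`. The `description` is also untouched and still reads as an active control, so a sentence stating why it is deprecated and what should be assigned instead would help whoever sees this definition in the portal. This file's `category` stays `Logging and monitoring` while every other definition in the commit is re-categorised by resource type, which may be intentional for a deprecated item but is worth stating. The rest of the definition is outside the hunk.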
@@ -4,7 +4,7 @@
 "displayName": "Restrict Automatically Approved Private Endpoints for a resource type",
 "description": "When creating a Private Endpoint for a selected resource type, the Private Endpoint must be configured for manual approval.",
 "metadata": {
- "category": "Network Security",
+ "category": "Private Endpoint",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false
diff --git a/policyDefinitions/private-endpoint/pol-restrict-cross-sub-pe.json b/policyDefinitions/private-endpoint/pol-restrict-cross-sub-pe.json
index 0eb0af2..87a8cf0 100644
--- a/policyDefinitions/private-endpoint/pol-restrict-cross-sub-pe.json
+++ b/policyDefinitions/private-endpoint/pol-restrict-cross-sub-pe.json
@@ -5,7 +5,7 @@
 "description": "This policy restrict cross-subscription Private Endpoints except for the service aliases or resource Ids from the approved list.",
 "mode": "Indexed",
 "metadata": {
- "category": "Network Security",
+ "category": "Private Endpoint",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false
diff --git a/policyDefinitions/private-endpoint/pol-restrict-pe-group-id.json b/policyDefinitions/private-endpoint/pol-restrict-pe-group-id.json
index 9332896..c1ba9ef 100644
--- a/policyDefinitions/private-endpoint/pol-restrict-pe-group-id.json
+++ b/policyDefinitions/private-endpoint/pol-restrict-pe-group-id.json
@@ -5,7 +5,7 @@
 "mode": "Indexed",
 "description": "This policy deny's the use of specific Group Id in Private Endpoints",
 "metadata": {
- "category": "Network Security",
+ "category": "Private Endpoint",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false
diff --git a/policyDefinitions/private-endpoints-dns-registration/pol-deploy-pe-dns-records-multiple-dns-zones-all-locations.json b/policyDefinitions/private-endpoints-dns-registration/pol-deploy-pe-dns-records-multiple-dns-zones-all-locations.json
index 6fd903e..e19b443 100644
--- a/policyDefinitions/private-endpoints-dns-registration/pol-deploy-pe-dns-records-multiple-dns-zones-all-locations.json
+++ b/policyDefinitions/private-endpoints-dns-registration/pol-deploy-pe-dns-records-multiple-dns-zones-all-locations.json
@@ -4,7 +4,7 @@
 "displayName": "Configure Private Endpoints to use Private DNS Zones (Multiple DNS Zones All Locations)",
 "description": "This policy creates a Private DNS Group link for a Azure PaaS Private Endpoint Resource that requires DNS records in multiple Private DNS zones.",
 "metadata": {
- "category": "Network Security",
+ "category": "Private Endpoint",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false
diff --git a/policyDefinitions/private-endpoints-dns-registration/pol-deploy-pe-dns-records-multiple-dns-zones-single-location.json b/policyDefinitions/private-endpoints-dns-registration/pol-deploy-pe-dns-records-multiple-dns-zones-single-location.json
index 7d54256..026e8f3 100644
--- a/policyDefinitions/private-endpoints-dns-registration/pol-deploy-pe-dns-records-multiple-dns-zones-single-location.json
+++ b/policyDefinitions/private-endpoints-dns-registration/pol-deploy-pe-dns-records-multiple-dns-zones-single-location.json
@@ -4,7 +4,7 @@
 "displayName": "Configure Private Endpoints to use Private DNS Zones (Multiple DNS Zones Single Location)",
 "description": "This policy creates a Private DNS Group link for a Azure PaaS Private Endpoint Resource that requires DNS records in multiple Private DNS zones.",
 "metadata": {
- "category": "Network Security",
+ "category": "Private Endpoint",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false
diff --git a/policyDefinitions/private-endpoints-dns-registration/pol-deploy-pe-dns-records-single-dns-zone-all-locations.json b/policyDefinitions/private-endpoints-dns-registration/pol-deploy-pe-dns-records-single-dns-zone-all-locations.json
index 50eaf53..7290c2d 100644
--- a/policyDefinitions/private-endpoints-dns-registration/pol-deploy-pe-dns-records-single-dns-zone-all-locations.json
+++ b/policyDefinitions/private-endpoints-dns-registration/pol-deploy-pe-dns-records-single-dns-zone-all-locations.json
@@ -4,7 +4,7 @@
 "displayName": "Configure Private Endpoints to use Private DNS Zones (Single DNS Zone All Locations)",
 "description": "This policy creates a Private DNS Group link for a Azure PaaS Private Endpoint Resource that requires a DNS record in a single Private DNS zone.",
 "metadata": {
- "category": "Network Security",
+ "category": "Private Endpoint",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false
diff --git a/policyDefinitions/private-endpoints-dns-registration/pol-deploy-pe-dns-records-single-dns-zone-single-location.json b/policyDefinitions/private-endpoints-dns-registration/pol-deploy-pe-dns-records-single-dns-zone-single-location.json
index 85f5632..d1b5bb3 100644
--- a/policyDefinitions/private-endpoints-dns-registration/pol-deploy-pe-dns-records-single-dns-zone-single-location.json
+++ b/policyDefinitions/private-endpoints-dns-registration/pol-deploy-pe-dns-records-single-dns-zone-single-location.json
@@ -4,7 +4,7 @@
 "displayName": "Configure Private Endpoints to use Private DNS Zones (Single DNS Zone Single Location)",
 "description": "This policy creates a Private DNS Group link for a Azure PaaS Private Endpoint Resource that requires a DNS record in a single location-specific Private DNS zone.",
 "metadata": {
- "category": "Network Security",
+ "category": "Private Endpoint",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false
diff --git a/policyDefinitions/private-endpoints-dns-registration/pol-deploy-pe-dns-records-single-zone-all-regions-match-groupid.json b/policyDefinitions/private-endpoints-dns-registration/pol-deploy-pe-dns-records-single-zone-all-regions-match-groupid.json
index 7f528d4..a852a0d 100644
--- a/policyDefinitions/private-endpoints-dns-registration/pol-deploy-pe-dns-records-single-zone-all-regions-match-groupid.json
+++ b/policyDefinitions/private-endpoints-dns-registration/pol-deploy-pe-dns-records-single-zone-all-regions-match-groupid.json
@@ -4,7 +4,7 @@
 "displayName": "Configure Private Endpoints to use Private DNS Zones (Single DNS Zone All Regions with Wildcard Group ID Match)",
 "description": "This policy creates a Private DNS Group link for a Azure PaaS Private Endpoint Resource that requires a DNS record in a single Private DNS zone with Wildcard Group ID Match.",
 "metadata": {
- "category": "Network Security",
+ "category": "Private Endpoint",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false
diff --git a/policyDefinitions/purview/pol-audit-deny-purview-public-network-access.json b/policyDefinitions/purview/pol-audit-deny-purview-public-network-access.json
index 9567a9a..fb67c3a 100644
--- a/policyDefinitions/purview/pol-audit-deny-purview-public-network-access.json
+++ b/policyDefinitions/purview/pol-audit-deny-purview-public-network-access.json
@@ -4,7 +4,7 @@
 "displayName": "Azure Purview Accounts should disable public network access",
 "description": "Disable public network access for your Azure Purview Accounts so that it's not accessible over the public internet. This can reduce data leakage risks",
 "metadata": {
- "category": "Network Security",
+ "category": "Purview",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false
diff --git a/policyDefinitions/purview/pol-audit-purview-private-endpoint.json b/policyDefinitions/purview/pol-audit-purview-private-endpoint.json
index 3507bbf..811d21f 100644
--- a/policyDefinitions/purview/pol-audit-purview-private-endpoint.json
+++ b/policyDefinitions/purview/pol-audit-purview-private-endpoint.json
@@ -4,7 +4,7 @@
 "displayName": "Azure Purview accounts should use private link",
 "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Purview accounts instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/purview-private-link.",
 "metadata": {
- "category": "Network security",
+ "category": "Purview",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false,
diff --git a/policyDefinitions/redis-cache/pol-audit-deny-redis-disable-public-network-access.json b/policyDefinitions/redis-cache/pol-audit-deny-redis-disable-public-network-access.json
index 435e089..4e7f5be 100644
--- a/policyDefinitions/redis-cache/pol-audit-deny-redis-disable-public-network-access.json
+++ b/policyDefinitions/redis-cache/pol-audit-deny-redis-disable-public-network-access.json
@@ -4,7 +4,7 @@
 "displayName": "Azure Cache for Redis should disable public network access",
 "description": "Disabling public network access improves security by ensuring that the Azure Cache for Redis isn't exposed on the public internet. You can limit exposure of your Azure Cache for Redis by creating private endpoints instead.",
 "metadata": {
- "category": "Network Security",
+ "category": "Redis Cache",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false,
diff --git a/policyDefinitions/redis-cache/pol-audit-deny-redis-enable-only-secure-connections.json b/policyDefinitions/redis-cache/pol-audit-deny-redis-enable-only-secure-connections.json
index b4c23ba..a99fa4a 100644
--- a/policyDefinitions/redis-cache/pol-audit-deny-redis-enable-only-secure-connections.json
+++ b/policyDefinitions/redis-cache/pol-audit-deny-redis-enable-only-secure-connections.json
@@ -4,7 +4,7 @@
 "displayName": "Only secure connections to your Azure Cache for Redis should be enabled",
 "description": "Deny connections to Azure Cache for Redis if not via SSL. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.",
 "metadata": {
- "category": "Data Protection",
+ "category": "Redis Cache",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false,
diff --git a/policyDefinitions/redis-cache/pol-audit-redis-configure-private-endpoints.json b/policyDefinitions/redis-cache/pol-audit-redis-configure-private-endpoints.json
index 957b179..32562d6 100644
--- a/policyDefinitions/redis-cache/pol-audit-redis-configure-private-endpoints.json
+++ b/policyDefinitions/redis-cache/pol-audit-redis-configure-private-endpoints.json
@@ -4,7 +4,7 @@
 "displayName": "Azure Cache for Redis should use private link",
 "description": "Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link.",
 "metadata": {
- "category": "Network Security",
+ "category": "Redis Cache",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false,
diff --git a/policyDefinitions/rsv/pol-audit-rsv-private-endpoint.json b/policyDefinitions/rsv/pol-audit-rsv-private-endpoint.json
index 53a4297..6e95014 100644
--- a/policyDefinitions/rsv/pol-audit-rsv-private-endpoint.json
+++ b/policyDefinitions/rsv/pol-audit-rsv-private-endpoint.json
@@ -4,7 +4,7 @@ "displayName": "Azure Recovery Services vaults should use private link for backup", "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Recovery Services vaults, data leakage risks are reduced. Learn more about private links at: https://aka.ms/AB-PrivateEndpoints.", "metadata": { - "category": "Network security", + "category": "Recovery Services Vault", "version": "2.0.0", "preview": false, "deprecated": false, diff --git a/policyDefinitions/storage-account/pol-audit-storage-account-cmk-encryption.json b/policyDefinitions/storage-account/pol-audit-storage-account-cmk-encryption.json index c1f0594..805cde2 100644 --- a/policyDefinitions/storage-account/pol-audit-storage-account-cmk-encryption.json +++ b/policyDefinitions/storage-account/pol-audit-storage-account-cmk-encryption.json @@ -4,7 +4,7 @@ "displayName": "Storage accounts should use customer-managed key for encryption", "description": "TSecure your blob and file storage account with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data", "metadata": { - "category": "Data Protection", + "category": "Storage Account", "version": "1.0.3", "preview": false, "deprecated": false, diff --git a/policyDefinitions/storage-account/pol-audit-storage-account-should-prevent-shared-key-access.json b/policyDefinitions/storage-account/pol-audit-storage-account-should-prevent-shared-key-access.json index c123c57..64472b5 100644 
--- a/policyDefinitions/storage-account/pol-audit-storage-account-should-prevent-shared-key-access.json 
+++ b/policyDefinitions/storage-account/pol-audit-storage-account-should-prevent-shared-key-access.json 
@@ -4,7 +4,7 @@
 "displayName": "Storage accounts should prevent shared key access",
 "description": "Audit requirement of Azure Active Directory (Azure AD) to authorize requests for your storage account. By default, requests can be authorized with either Azure Active Directory credentials, or by using the account access key for Shared Key authorization. Of these two types of authorization, Azure AD provides superior security and ease of use over Shared Key, and is recommended by Microsoft.",
 "metadata": { 
- "category": "Network Security", 
+ "category": "Storage Account",
 "version": "1.1.1",
 "preview": false,
 "deprecated": false, 
diff --git a/policyDefinitions/storage-account/pol-audit-storage-account-use-double-encryption.json b/policyDefinitions/storage-account/pol-audit-storage-account-use-double-encryption.json 
index fb00577..9bd53e6 100644 
--- a/policyDefinitions/storage-account/pol-audit-storage-account-use-double-encryption.json 
+++ b/policyDefinitions/storage-account/pol-audit-storage-account-use-double-encryption.json 
@@ -4,7 +4,7 @@
 "displayName": "Storage account encryption scopes should use double encryption for data at rest",
 "description": "Enable infrastructure encryption for encryption at rest of your storage account encryption scopes for added security. Infrastructure encryption ensures that your data is encrypted twice.",
 "metadata": { 
- "category": "Data Protection", 
+ "category": "Storage Account",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false, 
diff --git a/policyDefinitions/storage-account/pol-deny-storage-account-minimum-tls-version.json b/policyDefinitions/storage-account/pol-deny-storage-account-minimum-tls-version.json 
index ed86d5f..ef1d1db 100644 
--- a/policyDefinitions/storage-account/pol-deny-storage-account-minimum-tls-version.json 
+++ b/policyDefinitions/storage-account/pol-deny-storage-account-minimum-tls-version.json 
@@ -4,7 +4,7 @@
 "displayName": "Storage accounts should have the specified minimum TLS version",
 "description": "Configure a minimum TLS version for secure communication between the client application and the storage account. To minimize security risk, the recommended minimum TLS version is the latest released version, which is currently TLS 1.2.",
 "metadata": { 
- "category": "Network Security", 
+ "category": "Storage Account",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false, 
diff --git a/policyDefinitions/storage-account/pol-deny-storage-account-prevent-cross-tenant-repl.json b/policyDefinitions/storage-account/pol-deny-storage-account-prevent-cross-tenant-repl.json 
index 055e0f7..e85753c 100644 
--- a/policyDefinitions/storage-account/pol-deny-storage-account-prevent-cross-tenant-repl.json 
+++ b/policyDefinitions/storage-account/pol-deny-storage-account-prevent-cross-tenant-repl.json 
@@ -4,7 +4,7 @@
 "displayName": "Storage accounts should prevent cross tenant object replication",
 "description": "Audit restriction of object replication for your storage account. By default, users can configure object replication with a source storage account in one Azure AD tenant and a destination account in a different tenant. It is a security concern because customer's data can be replicated to a storage account that is owned by the customer. By setting allowCrossTenantReplication to false, objects replication can be configured only if both source and destination accounts are in the same Azure AD tenant.",
 "metadata": { 
- "category": "Data Protection", 
+ "category": "Storage Account",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false, 
diff --git a/policyDefinitions/storage-account/pol-deny-storage-account-public-endpoint.json b/policyDefinitions/storage-account/pol-deny-storage-account-public-endpoint.json 
index 2c00033..ed20755 100644 
--- a/policyDefinitions/storage-account/pol-deny-storage-account-public-endpoint.json 
+++ b/policyDefinitions/storage-account/pol-deny-storage-account-public-endpoint.json 
@@ -4,7 +4,7 @@
 "displayName": "Restrict Storage Account with public network access",
 "description": "This policy audits or denies creation of Storage Accounts that allows public network access. To be compliant with this policy, the minimum ARM API version for the 'Microsoft.storage/storageAccounts' must be 2021-06-01 or higher.",
 "metadata": { 
- "category": "Network Security", 
+ "category": "Storage Account",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false 
diff --git a/policyDefinitions/storage-account/pol-deny-storage-account-restrict-allowed-copy-scopes.json b/policyDefinitions/storage-account/pol-deny-storage-account-restrict-allowed-copy-scopes.json 
index 42999b5..98e4f44 100644 
--- a/policyDefinitions/storage-account/pol-deny-storage-account-restrict-allowed-copy-scopes.json 
+++ b/policyDefinitions/storage-account/pol-deny-storage-account-restrict-allowed-copy-scopes.json 
@@ -4,7 +4,7 @@
 "displayName": "Storage accounts should prevent permitted copy scopes from any storage accounts",
 "description": "Restrict copy operations from source storage accounts that are within the same Microsoft Entra tenant or that have a private link to the same virtual network as this storage account.",
 "metadata": { 
- "category": "Data Protection", 
+ "category": "Storage Account",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false, 
diff --git a/policyDefinitions/storage-account/pol-deny-storage-account-restrict-virtual-network-rules.json b/policyDefinitions/storage-account/pol-deny-storage-account-restrict-virtual-network-rules.json 
index 95e231f..6d3f9d4 100644 
--- a/policyDefinitions/storage-account/pol-deny-storage-account-restrict-virtual-network-rules.json 
+++ b/policyDefinitions/storage-account/pol-deny-storage-account-restrict-virtual-network-rules.json 
@@ -4,7 +4,7 @@
 "displayName": "Storage accounts should restrict network access using virtual network rules",
 "description": "Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.",
 "metadata": { 
- "category": "Network Security", 
+ "category": "Storage Account",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false, 
diff --git a/policyDefinitions/storage-account/pol-deny-storage-account-secure-transfer.json b/policyDefinitions/storage-account/pol-deny-storage-account-secure-transfer.json 
index e580d50..36dcb66 100644 
--- a/policyDefinitions/storage-account/pol-deny-storage-account-secure-transfer.json 
+++ b/policyDefinitions/storage-account/pol-deny-storage-account-secure-transfer.json 
@@ -4,7 +4,7 @@
 "displayName": "Secure transfer to storage accounts should be enabled",
 "description": "Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking. Premium File Storage is excluded from this policy since NFS Shares require secure transfers to be disabled.",
 "metadata": { 
- "category": "Network Security", 
+ "category": "Storage Account",
 "version": "1.0.0",
 "preview": false,
 "deprecated": true, 
diff --git a/policyDefinitions/storage-account/pol-deny-storage-accounts-should-restrict-network-access.json b/policyDefinitions/storage-account/pol-deny-storage-accounts-should-restrict-network-access.json 
index 75a56d1..fb2fa9e 100644 
--- a/policyDefinitions/storage-account/pol-deny-storage-accounts-should-restrict-network-access.json 
+++ b/policyDefinitions/storage-account/pol-deny-storage-accounts-should-restrict-network-access.json 
@@ -4,7 +4,7 @@
 "displayName": "Storage accounts should restrict network access",
 "description": "Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.",
 "metadata": { 
- "category": "Network Security", 
+ "category": "Storage Account",
 "version": "1.1.1",
 "preview": false,
 "deprecated": false, 
diff --git a/policyDefinitions/storage-account/pol-deploy-storage-account-advanced-threat-protection.json b/policyDefinitions/storage-account/pol-deploy-storage-account-advanced-threat-protection.json 
index f02bd9c..261f39a 100644 
--- a/policyDefinitions/storage-account/pol-deploy-storage-account-advanced-threat-protection.json 
+++ b/policyDefinitions/storage-account/pol-deploy-storage-account-advanced-threat-protection.json 
@@ -4,7 +4,7 @@
 "displayName": "Deploy Advanced Threat Protection on storage accounts",
 "description": "This policy enables Advanced Threat Protection on storage accounts.",
 "metadata": { 
- "category": "Threat and Vulnerability Management", 
+ "category": "Storage Account",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false, 
diff --git a/policyDefinitions/storage-account/pol-deploy-storage-account-blob-soft-delete.json b/policyDefinitions/storage-account/pol-deploy-storage-account-blob-soft-delete.json 
index c8109bb..c32a9b1 100644 
--- a/policyDefinitions/storage-account/pol-deploy-storage-account-blob-soft-delete.json 
+++ b/policyDefinitions/storage-account/pol-deploy-storage-account-blob-soft-delete.json 
@@ -4,7 +4,7 @@ "displayName": "Deploy Storage Account Blob Service Soft Delete", "description": "This policy enables soft delete for Storage Account Blob Service.", "metadata": { - "category": "Data Protection", + "category": "Storage Account", "version": "1.0.0", "preview": false, "deprecated": false diff --git a/policyDefinitions/virtual-machine/pol-audit-deny-nic-with-ip-forwarding.json b/policyDefinitions/virtual-machine/pol-audit-deny-nic-with-ip-forwarding.json index a1d9378..4f63dc2 100644 --- a/policyDefinitions/virtual-machine/pol-audit-deny-nic-with-ip-forwarding.json +++ b/policyDefinitions/virtual-machine/pol-audit-deny-nic-with-ip-forwarding.json @@ -4,7 +4,7 @@ "displayName": "Network interfaces should disable IP forwarding", "description": "This policy audits or denies the network interfaces which enabled IP forwarding. The setting of IP forwarding disables Azure's check of the source and destination for a network interface. This should be reviewed by the network security team.", "metadata": { - "category": "Network Security", + "category": "Compute", "version": "1.0.0", "preview": false, "deprecated": false, diff --git a/policyDefinitions/virtual-machine/pol-audit-deny-nic-with-public-ip.json b/policyDefinitions/virtual-machine/pol-audit-deny-nic-with-public-ip.json index 1b89b47..b8653c1 100644 --- a/policyDefinitions/virtual-machine/pol-audit-deny-nic-with-public-ip.json +++ b/policyDefinitions/virtual-machine/pol-audit-deny-nic-with-public-ip.json 
@@ -4,7 +4,7 @@ "displayName": "Network interfaces should not have public IPs", "description": "This policy audits or denies the network interfaces which are configured with any public IP. Public IP addresses allow internet resources to communicate inbound to Azure resources, and Azure resources to communicate outbound to the internet. This should be reviewed by the network security team.", "metadata": { - "category": "Network Security", + "category": "Compute", "version": "1.0.0", "preview": false, "deprecated": false, diff --git a/policyDefinitions/virtual-machine/pol-audit-deny-vm-update-assessment.json b/policyDefinitions/virtual-machine/pol-audit-deny-vm-update-assessment.json index aa1f202..8546220 100644 --- a/policyDefinitions/virtual-machine/pol-audit-deny-vm-update-assessment.json +++ b/policyDefinitions/virtual-machine/pol-audit-deny-vm-update-assessment.json @@ -4,7 +4,7 @@ "displayName": "Machines should be configured to periodically check for missing system updates", "description": "To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.", "metadata": { - "category": "Threat and Vulnerability Management", + "category": "Compute", "version": "2.0.0", "preview": false, "deprecated": false, diff --git a/policyDefinitions/virtual-machine/pol-audit-vm-enable-adaptive-application-controls.json b/policyDefinitions/virtual-machine/pol-audit-vm-enable-adaptive-application-controls.json index 8c9646e..258d38f 100644 --- a/policyDefinitions/virtual-machine/pol-audit-vm-enable-adaptive-application-controls.json +++ b/policyDefinitions/virtual-machine/pol-audit-vm-enable-adaptive-application-controls.json 
@@ -4,7 +4,7 @@ "displayName": "Adaptive application controls for defining safe applications should be enabled on your machines", "description": "Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.", "metadata": { - "category": "Compute-VM", + "category": "Compute", "version": "3.0.0", "preview": false, "deprecated": false, diff --git a/policyDefinitions/virtual-machine/pol-audit-vm-internet-facing-vms-should-be-protected-with-nsg.json b/policyDefinitions/virtual-machine/pol-audit-vm-internet-facing-vms-should-be-protected-with-nsg.json index 8d9d63d..c83dd11 100644 --- a/policyDefinitions/virtual-machine/pol-audit-vm-internet-facing-vms-should-be-protected-with-nsg.json +++ b/policyDefinitions/virtual-machine/pol-audit-vm-internet-facing-vms-should-be-protected-with-nsg.json @@ -4,7 +4,7 @@ "displayName": "Internet-facing virtual machines should be protected with network security groups", "description": "This policy protects your internet-facing virtual machines from potential threats by restricting access with network security groups (NSG).", "metadata": { - "category": "Network Security", + "category": "Compute", "version": "3.0.0", "preview": false, "deprecated": false, diff --git a/policyDefinitions/virtual-machine/pol-audit-vm-restrict-nsg-network-ports.json b/policyDefinitions/virtual-machine/pol-audit-vm-restrict-nsg-network-ports.json index f7caf33..4533574 100644 --- a/policyDefinitions/virtual-machine/pol-audit-vm-restrict-nsg-network-ports.json +++ b/policyDefinitions/virtual-machine/pol-audit-vm-restrict-nsg-network-ports.json 
@@ -4,7 +4,7 @@ "displayName": "All network ports should be restricted on network security groups associated to your virtual machine", "description": "Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.", "metadata": { - "category": "Compute-VM", + "category": "Compute", "version": "3.0.0", "preview": false, "deprecated": false, diff --git a/policyDefinitions/virtual-machine/pol-deny-vm-install-approved-extensions.json b/policyDefinitions/virtual-machine/pol-deny-vm-install-approved-extensions.json index 72c3f96..c3a22d6 100644 --- a/policyDefinitions/virtual-machine/pol-deny-vm-install-approved-extensions.json +++ b/policyDefinitions/virtual-machine/pol-deny-vm-install-approved-extensions.json @@ -4,7 +4,7 @@ "displayName": "Only approved VM extensions should be installed", "description": "This policy governs the virtual machine extensions that are not approved. Any unapproved VM extensions would be denied.", "metadata": { - "category": "Compute-VM", + "category": "Compute", "version": "1.0.0", "preview": false, "deprecated": false, diff --git a/policyDefinitions/virtual-machine/pol-deny-vm-restrict-rdp-ssh-access-from-internet.json b/policyDefinitions/virtual-machine/pol-deny-vm-restrict-rdp-ssh-access-from-internet.json index ebcde29..fd37216 100644 --- a/policyDefinitions/virtual-machine/pol-deny-vm-restrict-rdp-ssh-access-from-internet.json +++ b/policyDefinitions/virtual-machine/pol-deny-vm-restrict-rdp-ssh-access-from-internet.json @@ -4,7 +4,7 @@ "displayName": "RDP and SSH access from the Internet should be blocked", "description": "This policy denies any network security rule that allows RDP or SSH access from Internet.", "metadata": { - "category": "Network Security", + "category": "Compute", "version": "1.0.0", "preview": false, "deprecated": false 
diff --git a/policyDefinitions/virtual-machine/pol-deploy-vm-iaasantimalware-extension-for-windows-servers.json b/policyDefinitions/virtual-machine/pol-deploy-vm-iaasantimalware-extension-for-windows-servers.json 
index c2d5c4a..c46844f 100644 
--- a/policyDefinitions/virtual-machine/pol-deploy-vm-iaasantimalware-extension-for-windows-servers.json 
+++ b/policyDefinitions/virtual-machine/pol-deploy-vm-iaasantimalware-extension-for-windows-servers.json 
@@ -4,7 +4,7 @@
 "displayName": "Deploy default Microsoft IaaSAntimalware extension for Windows Server with custom configurations",
 "description": "This policy deploys a Microsoft IaaSAntimalware extension with custom configuration when a VM is not configured with the antimalware extension.",
 "metadata": { 
- "category": "Threat and Vulnerability Management", 
+ "category": "Compute",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false 
diff --git a/policyDefinitions/virtual-machine/pol-deploy-vm-shutdown-schedule.json b/policyDefinitions/virtual-machine/pol-deploy-vm-shutdown-schedule.json 
index e54a4e2..f18c3aa 100644 
--- a/policyDefinitions/virtual-machine/pol-deploy-vm-shutdown-schedule.json 
+++ b/policyDefinitions/virtual-machine/pol-deploy-vm-shutdown-schedule.json 
@@ -4,7 +4,7 @@
 "displayName": "Deploy Virtual Machine Auto Shutdown Schedule",
 "description": "This policy deploys a Auto shutdown schedule for a Virtual Machine.",
 "metadata": { 
- "category": "Asset Management", 
+ "category": "Compute",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false 
diff --git a/policyDefinitions/network-security-group/pol-audit-nsg-on-subnet.json b/policyDefinitions/vnet/pol-audit-nsg-on-subnet.json 
similarity index 97% 
rename from policyDefinitions/network-security-group/pol-audit-nsg-on-subnet.json 
rename to policyDefinitions/vnet/pol-audit-nsg-on-subnet.json 
index ed9f5f9..3cb9fb9 100644 
--- a/policyDefinitions/network-security-group/pol-audit-nsg-on-subnet.json 
+++ b/policyDefinitions/vnet/pol-audit-nsg-on-subnet.json 
@@ -4,7 +4,7 @@ "displayName": "Subnets should be associated with a Network Security Group", "description": "Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.", "metadata": { - "category": "Logging and monitoring", + "category": "Virtual Network", "version": "3.0.0", "preview": false, "deprecated": false, diff --git a/policyDefinitions/vnet/pol-deny-gateway-subnet-with-nsg.json b/policyDefinitions/vnet/pol-deny-gateway-subnet-with-nsg.json index b2b9898..74d84ec 100644 --- a/policyDefinitions/vnet/pol-deny-gateway-subnet-with-nsg.json +++ b/policyDefinitions/vnet/pol-deny-gateway-subnet-with-nsg.json @@ -6,7 +6,7 @@ "description": "Gateway Subnets must not have a Network Security Group associated with them. This policy denies the creation of a Gateway Subnet with an NSG.", "metadata": { "version": "1.0.0", - "category": "Network", + "category": "Virtual Network", "preview": false, "deprecated": false }, diff --git a/policyDefinitions/vnet/pol-deny-subnet-without-nsg.json b/policyDefinitions/vnet/pol-deny-subnet-without-nsg.json index d782965..bbe882a 100644 --- a/policyDefinitions/vnet/pol-deny-subnet-without-nsg.json +++ b/policyDefinitions/vnet/pol-deny-subnet-without-nsg.json @@ -6,7 +6,7 @@ "description": "Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.", "metadata": { "version": "1.0.0", - "category": "Network", + "category": "Virtual Network", "preview": false, "deprecated": false }, diff --git a/policyDefinitions/web/pol-deny-app-traffic-via-public-network.json b/policyDefinitions/web/pol-deny-app-traffic-via-public-network.json index 3cbecec..af356e7 100644 --- a/policyDefinitions/web/pol-deny-app-traffic-via-public-network.json 
+++ b/policyDefinitions/web/pol-deny-app-traffic-via-public-network.json 
@@ -4,7 +4,7 @@
 "displayName": "App Service apps should enable outbound non-RFC 1918 traffic to Azure Virtual Network",
 "description": "By default, if one uses regional Azure Virtual Network (VNET) integration, the app only routes RFC1918 traffic into that respective virtual network. Using the API to set 'vnetRouteAllEnabled' to true enables all outbound traffic into the Azure Virtual Network. This setting allows features like network security groups and user defined routes to be used for all outbound traffic from the App Service app.",
 "metadata": { 
- "category": "Network Security", 
+ "category": "App Service",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false 
diff --git a/policyDefinitions/web/pol-deny-disallowed-easy-auth-identity-providers.json b/policyDefinitions/web/pol-deny-disallowed-easy-auth-identity-providers.json 
index 6fb452e..1ece90f 100644 
--- a/policyDefinitions/web/pol-deny-disallowed-easy-auth-identity-providers.json 
+++ b/policyDefinitions/web/pol-deny-disallowed-easy-auth-identity-providers.json 
@@ -4,7 +4,7 @@
 "displayName": "Function apps should only use approved identity providers for authentication",
 "description": "Only approved Easy Auth identity providers cant be used in Function Apps.",
 "metadata": { 
- "category": "Web", 
+ "category": "App Service",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false 
diff --git a/policyDefinitions/web/pol-deny-fa-app-config-traffic-via-public-network.json b/policyDefinitions/web/pol-deny-fa-app-config-traffic-via-public-network.json 
index fc4a050..3ce1284 100644 
--- a/policyDefinitions/web/pol-deny-fa-app-config-traffic-via-public-network.json 
+++ b/policyDefinitions/web/pol-deny-fa-app-config-traffic-via-public-network.json 
@@ -4,7 +4,7 @@ "displayName": "App Service and Function apps should route configuration traffic over the virtual network", "description": "Configuration routing affects operations that happen before or during startup of your app. Virtual network routing handles how both app and configuration traffic are routed from your virtual network and out.", "metadata": { - "category": "Network Security", + "category": "App Service", "version": "1.0.0", "preview": false, "deprecated": false diff --git a/policyDefinitions/web/pol-deny-fa-slots-app-traffic-via-public-network.json b/policyDefinitions/web/pol-deny-fa-slots-app-traffic-via-public-network.json index a52bbdc..947c728 100644 --- a/policyDefinitions/web/pol-deny-fa-slots-app-traffic-via-public-network.json +++ b/policyDefinitions/web/pol-deny-fa-slots-app-traffic-via-public-network.json @@ -4,7 +4,7 @@ "displayName": "Function app slots should enable outbound non-RFC 1918 traffic to Azure Virtual Network", "description": "Application routing defines what traffic is routed from your app and into the virtual network.", "metadata": { - "category": "Network Security", + "category": "App Service", "version": "1.0.0", "preview": false, "deprecated": false diff --git a/policyDefinitions/web/pol-deny-fa-slots-config-traffic-via-public-network.json b/policyDefinitions/web/pol-deny-fa-slots-config-traffic-via-public-network.json index cd93b69..9349dda 100644 --- a/policyDefinitions/web/pol-deny-fa-slots-config-traffic-via-public-network.json +++ b/policyDefinitions/web/pol-deny-fa-slots-config-traffic-via-public-network.json 
@@ -4,7 +4,7 @@ "displayName": "Function app slots should route configuration traffic over the virtual network", "description": "Configuration routing affects operations that happen before or during startup of your app. Virtual network routing handles how both app and configuration traffic are routed from your virtual network and out.", "metadata": { - "category": "Network Security", + "category": "App Service", "version": "1.0.0", "preview": false, "deprecated": false diff --git a/policyInitiatives/polset-cognitive-service.json b/policyInitiatives/polset-cognitive-service.json new file mode 100644 index 0000000..a4473e2 --- /dev/null +++ b/policyInitiatives/polset-cognitive-service.json 
@@ -0,0 +1,267 @@ +{ + "name": "polset-cognitive-service", + "properties": { + "displayName": "Azure Cognitive Service Policy Initiative", + "description": "This policy initiative defines the foundation security requirements for Azure Cognitive Service", + "metadata": { + "category": "Cognitive Service", + "version": "1.0.0", + "preview": false, + "deprecated": false + }, + "parameters": { + "COG-001_Effect": { + "type": "String", + "metadata": { + "displayName": "COG-001 Effect: Configure Cognitive Services accounts to disable local authentication methods", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Modify", + "Disabled" + ], + "defaultValue": "Modify" + }, + "COG-002_Effect": { + "type": "String", + "metadata": { + "displayName": "COG-002 Effect: Restrict Cognitive Service Public Network Access", + "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy." + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "COG-003_Effect": { + "type": "String", + "metadata": { + "displayName": "COG-003 Effect: Cognitive Services accounts should use a managed identity", + "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy." + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "COG-004_Effect": { + "type": "String", + "metadata": { + "displayName": "COG-004 Effect: Cognitive Services accounts should use customer owned storage", + "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy." 
+ }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "COG-005_Effect": { + "type": "String", + "metadata": { + "displayName": "COG-005 Effect: Cognitive Services Deployments allowed model formats", + "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy." + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "COG-005_listOfAllowedFormats": { + "type": "Array", + "defaultValue": [], + "metadata": { + "displayName": "COG-005 Allowed Model Formats", + "description": "List of Model Formats that are allowed to be deployed." + } + }, + "COG-006_Effect": { + "type": "String", + "metadata": { + "displayName": "COG-006 Effect: Cognitive Services Deployments should only use approved Models from OpenAI", + "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy." + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "COG-006_listOfAllowedNames": { + "type": "Array", + "defaultValue": [], + "metadata": { + "displayName": "COG-006 Allowed Model Names for OpenAI format", + "description": "List of Model Names that are allowed to be deployed." + } + }, + "COG-007_Effect": { + "type": "String", + "metadata": { + "displayName": "COG-007 Effect: Cognitive Services Deployments should only use approved Models from xAI", + "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy." 
+ }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "COG-007_listOfAllowedNames": { + "type": "Array", + "defaultValue": [], + "metadata": { + "displayName": "COG-007 Allowed Model Names for xAI format", + "description": "List of Model Names that are allowed to be deployed." + } + } + }, + "policyDefinitionGroups": [ + { + "name": "ISO27001-2013_A.8.2.3", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.8.2.3" + }, + { + "name": "ISO27001-2013_A.9.2.3", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.9.2.3" + }, + { + "name": "ISO27001-2013_A.9.4.1", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.9.4.1" + }, + { + "name": "ISO27001-2013_A.10.1.1", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.10.1.1" + }, + { + "name": "ISO27001-2013_A.13.1.3", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.13.1.3" + }, + { + "name": "ISO27001-2013_A.12.5.1", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.12.5.1" + }, + { + "name": "ISO27001-2013_A.14.2.4", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.14.2.4" + } + ], + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "COG-001", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555", + "definitionVersion": "1.0.*", + "parameters": { + "effect": { + "value": "[parameters('COG-001_Effect')]" + } + }, + "groupNames": [ + "ISO27001-2013_A.9.2.3" + ] + }, + { + "policyDefinitionReferenceId": "COG-002", + "policyDefinitionId": "{policyLocationResourceId}/providers/Microsoft.Authorization/policyDefinitions/pol-restrict-cog-public-network-access", + "parameters": { + "effect": { + "value": 
"[parameters('COG-002_Effect')]" + } + }, + "groupNames": [ + "ISO27001-2013_A.13.1.3" + ] + }, + { + "policyDefinitionReferenceId": "COG-003", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418", + "definitionVersion": "1.0.*", + "parameters": { + "effect": { + "value": "[parameters('COG-003_Effect')]" + } + }, + "groupNames": [ + "ISO27001-2013_A.9.2.3", + "ISO27001-2013_A.9.4.1" + ] + }, + { + "policyDefinitionReferenceId": "COG-004", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/46aa9b05-0e60-4eae-a88b-1e9d374fa515", + "definitionVersion": "2.0.*", + "parameters": { + "effect": { + "value": "[parameters('COG-004_Effect')]" + } + }, + "groupNames": [ + "ISO27001-2013_A.8.2.3" + ] + }, + { + "policyDefinitionReferenceId": "COG-005", + "policyDefinitionId": "{policyLocationResourceId}/providers/Microsoft.Authorization/policyDefinitions/pol-restrict-cog-model-formats", + "parameters": { + "effect": { + "value": "[parameters('COG-005_Effect')]" + }, + "listOfAllowedFormats": { + "value": "[parameters('COG-005_listOfAllowedFormats')]" + } + }, + "groupNames": [ + "ISO27001-2013_A.12.5.1", + "ISO27001-2013_A.14.2.4" + ] + }, + { + "policyDefinitionReferenceId": "COG-006", + "policyDefinitionId": "{policyLocationResourceId}/providers/Microsoft.Authorization/policyDefinitions/pol-restrict-cog-model-names", + "parameters": { + "effect": { + "value": "[parameters('COG-006_Effect')]" + }, + "modelFormat": { + "value": "OpenAI" + }, + "listOfAllowedNames": { + "value": "[parameters('COG-006_listOfAllowedNames')]" + } + }, + "groupNames": [ + "ISO27001-2013_A.12.5.1", + "ISO27001-2013_A.14.2.4" + ] + }, + { + "policyDefinitionReferenceId": "COG-007", + "policyDefinitionId": "{policyLocationResourceId}/providers/Microsoft.Authorization/policyDefinitions/pol-restrict-cog-model-names", + "parameters": { + "effect": { + "value": "[parameters('COG-007_Effect')]" + }, + "modelFormat": { 
+ "value": "xAI" + }, + "listOfAllowedNames": { + "value": "[parameters('COG-007_listOfAllowedNames')]" + } + }, + "groupNames": [ + "ISO27001-2013_A.12.5.1", + "ISO27001-2013_A.14.2.4" + ] + } + ] + } +} diff --git a/policyInitiatives/polset-cosmos-db.json b/policyInitiatives/polset-cosmos-db.json index 185d5ed..7ff0d02 100644 --- a/policyInitiatives/polset-cosmos-db.json +++ b/policyInitiatives/polset-cosmos-db.json @@ -13,15 +13,14 @@ "COSMOS-001_Effect": { "type": "String", "metadata": { - "displayName": "COSMOS-001 Effect: Restrict Cosmos DB Local Authentication", - "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy." + "displayName": "COSMOS-001 Effect: Disable Cosmos DB Local Authentication", + "description": "Enable or disable the execution of the policy." }, "allowedValues": [ - "Audit", - "Deny", + "Modify", "Disabled" ], - "defaultValue": "Deny" + "defaultValue": "Modify" }, "COSMOS-002_Effect": { "type": "String", 
@@ -77,47 +76,99 @@ "Disabled" ], "defaultValue": "Deny" + }, + "COSMOS-006_Effect": { + "type": "String", + "metadata": { + "displayName": "COSMOS-006 Effect: Restrict Cosmos DB Minimum TLS Version", + "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy." + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "COSMOS-006_minimalTlsVersion": { + "type": "String", + "metadata": { + "displayName": "COSMOS-006: Minimum TLS Version", + "description": "Minimum version of TLS required for Cosmos DB" + }, + "allowedValues": [ + "Tls10", + "Tls11", + "Tls12" + ], + "defaultValue": "Tls12" + }, + "COSMOS-007_Effect": { + "type": "String", + "metadata": { + "displayName": "COSMOS-007 Effect: Restrict Cosmos DB Locations", + "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy." 
+ }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "COSMOS-007_listOfAllowedLocations": { + "type": "Array", + "metadata": { + "displayName": "COSMOS-007: Allowed locations", + "description": "The list of locations that can be specified when deploying Azure Cosmos DB resources.", + "strongType": "location" + }, + "defaultValue": [ + "australiaeast", + "australiasoutheast" + ] } }, "policyDefinitionGroups": [ { - "name": "ISO27001-2013_A.12.3.1", - "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.12.3.1" + "name": "ISO27001-2013_A.9.2.3", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.9.2.3" }, { - "name": "ISO27001-2013_A.13.1.3", - "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.13.1.3" + "name": "ISO27001-2013_A.10.1.1", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.10.1.1" }, { - "name": "ISO27001-2013_A.17.1.1", - "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.17.1.1" + "name": "ISO27001-2013_A.13.1.3", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.13.1.3" }, { - "name": "ISO27001-2013_A.17.1.2", - "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.17.1.2" + "name": "ISO27001-2013_A.15.1.2", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.15.1.2" }, { - "name": "CB-AZ-011" + "name": "ISO27001-2013_A.18.1.1", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.18.1.1" } ], "policyDefinitions": [ { "policyDefinitionReferenceId": "COSMOS-001", - "policyDefinitionId": "{policyLocationResourceId}/providers/Microsoft.Authorization/policyDefinitions/pol-audit-deny-cdb-local-auth", + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/dc2d41d1-4ab1-4666-a3e1-3d51c43e0049", + "definitionVersion": "1.2.*", "parameters": { "effect": { "value": "[parameters('COSMOS-001_Effect')]" } }, "groupNames": [ - "ISO27001-2013_A.12.3.1", - "ISO27001-2013_A.17.1.1", - "ISO27001-2013_A.17.1.2" + "ISO27001-2013_A.9.2.3" ] }, { "policyDefinitionReferenceId": "COSMOS-002", - "policyDefinitionId": "{policyLocationResourceId}/providers/Microsoft.Authorization/policyDefinitions/pol-audit-deny-cdb-firewall-rule-exists", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb", + "definitionVersion": "2.1.*", "parameters": { "effect": { "value": "[parameters('COSMOS-002_Effect')]" @@ -129,27 +180,28 @@ }, { "policyDefinitionReferenceId": "COSMOS-003", - "policyDefinitionId": "{policyLocationResourceId}/providers/Microsoft.Authorization/policyDefinitions/pol-audit-deny-cdb-disable-public-network-access", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a", + "definitionVersion": "1.0.*", "parameters": { "effect": { "value": "[parameters('COSMOS-003_Effect')]" } }, "groupNames": [ - "ISO27001-2013_A.13.1.3", - "CB-AZ-011" + "ISO27001-2013_A.13.1.3" ] }, { "policyDefinitionReferenceId": "COSMOS-004", - "policyDefinitionId": "{policyLocationResourceId}/providers/Microsoft.Authorization/policyDefinitions/pol-audit-deny-cdb-encrypt-with-cmk", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f", + "definitionVersion": "1.1.*", "parameters": { "effect": { "value": "[parameters('COSMOS-004_Effect')]" } }, "groupNames": [ - "ISO27001-2013_A.12.3.1" + "ISO27001-2013_A.10.1.1" ] }, { 
@@ -161,9 +213,38 @@ } }, "groupNames": [ - "ISO27001-2013_A.12.3.1", - "ISO27001-2013_A.17.1.1", - "ISO27001-2013_A.17.1.2" + "ISO27001-2013_A.9.2.3" + ] + }, + { + "policyDefinitionReferenceId": "COSMOS-006", + "policyDefinitionId": "{policyLocationResourceId}/providers/Microsoft.Authorization/policyDefinitions/pol-audit-deny-cdb-minimum-tls-version", + "parameters": { + "effect": { + "value": "[parameters('COSMOS-006_Effect')]" + }, + "minimalTlsVersion": { + "value": "[parameters('COSMOS-006_minimalTlsVersion')]" + } + }, + "groupNames": [ + "ISO27001-2013_A.10.1.1" + ] + }, + { + "policyDefinitionReferenceId": "COSMOS-007", + "policyDefinitionId": "{policyLocationResourceId}/providers/Microsoft.Authorization/policyDefinitions/pol-audit-deny-cdb-allowed-locations", + "parameters": { + "effect": { + "value": "[parameters('COSMOS-007_Effect')]" + }, + "listOfAllowedLocations": { + "value": "[parameters('COSMOS-007_listOfAllowedLocations')]" + } + }, + "groupNames": [ + "ISO27001-2013_A.18.1.1", + "ISO27001-2013_A.15.1.2" ] } ] diff --git a/policyInitiatives/polset-diag-settings.json b/policyInitiatives/polset-diag-settings.json index 7109179..fa8d69a 100644 --- a/policyInitiatives/polset-diag-settings.json +++ b/policyInitiatives/polset-diag-settings.json @@ -16,7 +16,7 @@ "displayName": "Profile name", "description": "The diagnostic settings profile name." }, - "defaultValue": "setByPolicyLAW" + "defaultValue": "setByPolicy" }, "evaluationDelay": { "type": "string", @@ -130,6 +130,17 @@ ], "defaultValue": "DeployIfNotExists" }, + "DS-008_LogsToEnable": { + "type": "array", + "metadata": { + "displayName": "DS-008 Logs to enable", + "description": "Diagnostic logs to be enabled." + }, + "defaultValue": [ + "AppSystemEvents", + "OTelResources" + ] + }, "DS-009_Effect": { "type": "string", "metadata": { 
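Review bot: Changing the `profileName` default from `setByPolicyLAW` to `setByPolicy` renames the diagnostic setting the DINE policies in this initiative look for, and resources that already carry a `setByPolicyLAW` setting from earlier assignments will presumably no longer satisfy the existence condition; the policy would then try to deploy a second setting, which on most resource types fails because a workspace may only be targeted by one diagnostic setting, or double-ships logs where it does not. If existing assignments must keep working, either pin `profileName` to `setByPolicyLAW` on those assignments or plan a remediation that removes the old setting first. Record the rename where the parameter is consumed, e.g. `"description": "The diagnostic settings profile name. Renamed from setByPolicyLAW; settings deployed under the old name are not matched by the existence condition."`, since the existence condition itself lives in the definitions and is not visible in this diff.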
@@ -777,6 +788,18 @@ "Disabled" ], "defaultValue": "DeployIfNotExists" + }, + "DS-063_Effect": { + "type": "string", + "metadata": { + "displayName": "DS-063 Effect: Configure Diagnostic Setting for Azure Cognitive Services Projects", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" } }, "policyDefinitionGroups": [ @@ -981,8 +1004,8 @@ "effect": { "value": "[parameters('DS-008_Effect')]" }, - "logAnalytics": { - "value": "[parameters('logAnalytics')]" + "logsToEnable": { + "value": "[parameters('DS-008_LogsToEnable')]" } }, "groupNames": [ @@ -2287,6 +2310,30 @@ "AU_ISM_580", "CB-AZ-021" ] + }, + { + "policyDefinitionReferenceId": "DS-063", + "policyDefinitionId": "{policyLocationResourceId}/providers/Microsoft.Authorization/policyDefinitions/pol-deploy-diag-cognitiveProjects", + "parameters": { + "profileName": { + "value": "[parameters('profileName')]" + }, + "evaluationDelay": { + "value": "[parameters('evaluationDelay')]" + }, + "effect": { + "value": "[parameters('DS-063_Effect')]" + }, + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + } + }, + "groupNames": [ + "ISO27001-2013_A.12.4.1", + "ISO27001-2022_A.8.15", + "AU_ISM_580", + "CB-AZ-021" + ] } ] } diff --git a/policyInitiatives/polset-monitor.json b/policyInitiatives/polset-monitor.json index bb0d0bf..34e1ef3 100644 --- a/policyInitiatives/polset-monitor.json +++ b/policyInitiatives/polset-monitor.json @@ -1,7 +1,7 @@ { "name": "polset-monitor", "properties": { - "displayName": "CONTOSO - Azure Monitor Policy Initiative", + "displayName": "Azure Monitor Policy Initiative", "description": "This initiative includes policies that address the security controls for Azure Monitor.", "metadata": { "category": "Azure Monitor", diff --git a/policyInitiatives/polset-pedns.json b/policyInitiatives/polset-pedns.json index dc945de..ace7d2d 100755 
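Review bot: The DS-008 hunk replaces the `logAnalytics` argument with `logsToEnable` instead of adding to it, so the initiative no longer passes a destination workspace to DS-008 while every other entry in this file (DS-063 in the same change included) still does. The DS-008 definition is outside this diff: if it still declares `logAnalytics` without a default the assignment fails validation, and if the parameter was removed the deployed diagnostic setting has no destination. Unless the workspace is intentionally no longer needed, keep both: `"logAnalytics": { "value": "[parameters('logAnalytics')]" }` alongside `"logsToEnable": { "value": "[parameters('DS-008_LogsToEnable')]" }`; if it is intentional, say so in the `DS-008_LogsToEnable` description.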
--- a/policyInitiatives/polset-pedns.json +++ b/policyInitiatives/polset-pedns.json @@ -179,7 +179,7 @@ "defaultValue": "DeployIfNotExists" }, "PEDNS-015_Effect": { - "type": "String", + "type": "string", "metadata": { "displayName": "PEDNS-015 Effect: App Services slots", "description": "Enable or disable the execution of the policy" @@ -190,6 +190,30 @@ ], "defaultValue": "DeployIfNotExists" }, + "PEDNS-016_Effect": { + "type": "string", + "metadata": { + "displayName": "PEDNS-016 Effect: Cognitive Service Accounts", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "PEDNS-017_Effect": { + "type": "string", + "metadata": { + "displayName": "PEDNS-017 Effect: Cosmos DB SQL", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, "evaluationDelay": { "type": "string", "metadata": { 
@@ -581,6 +605,60 @@ "groupNames": [ "ISO27001-2013_A.13.1.3" ] + }, + { + "policyDefinitionReferenceId": "PEDNS-016", + "policyDefinitionId": "{policyLocationResourceId}/providers/Microsoft.Authorization/policyDefinitions/pol-deploy-pe-dns-records-multiple-dns-zones-single-location", + "parameters": { + "effect": { + "value": "[parameters('PEDNS-016_Effect')]" + }, + "evaluationDelay": { + "value": "[parameters('evaluationDelay')]" + }, + "groupId": { + "value": "account" + }, + "resourceLocation": { + "value": "australiaeast" + }, + "privateDnsZoneIds": { + "value": "[concat(array(concat(parameters('privateDnsZoneResourceGroup'), '/providers/Microsoft.Network/privateDnsZones/', 'privatelink.cognitiveservices.azure.com')), array(concat(parameters('privateDnsZoneResourceGroup'), '/providers/Microsoft.Network/privateDnsZones/', 'privatelink.openai.azure.com')), array(concat(parameters('privateDnsZoneResourceGroup'), '/providers/Microsoft.Network/privateDnsZones/', 'privatelink.services.ai.azure.com')))]" + }, + "privateLinkServiceResourceType": { + "value": "Microsoft.CognitiveServices/accounts" + } + }, + "groupNames": [ + "ISO27001-2013_A.13.1.3" + ] + }, + { + "policyDefinitionReferenceId": "PEDNS-017", + "policyDefinitionId": "{policyLocationResourceId}/providers/Microsoft.Authorization/policyDefinitions/pol-deploy-pe-dns-records-single-dns-zone-single-location", + "parameters": { + "effect": { + "value": "[parameters('PEDNS-017_Effect')]" + }, + "evaluationDelay": { + "value": "[parameters('evaluationDelay')]" + }, + "groupId": { + "value": "Sql" + }, + "resourceLocation": { + "value": "australiaeast" + }, + "privateDnsZoneId": { + "value": "[concat(parameters('privateDnsZoneResourceGroup'), '/providers/Microsoft.Network/privateDnsZones/', 'privatelink.documents.azure.com')]" + }, + "privateLinkServiceResourceType": { + "value": "Microsoft.DocumentDB/databaseAccounts" + } + }, + "groupNames": [ + "ISO27001-2013_A.13.1.3" + ] } ] } 
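Review bot: PEDNS-016 and PEDNS-017 both hard-code `"resourceLocation": { "value": "australiaeast" }`, so private DNS records are only deployed for private endpoints in that region, while the Cosmos initiative in the same change (`COSMOS-007_listOfAllowedLocations`) also permits `australiasoutheast`; an account placed there would be compliant with its own initiative but receive no DNS record, and with public network access disabled clients simply cannot resolve it. If the underlying `pol-deploy-pe-dns-records-*-single-location` definitions accept it, expose the region the way `privateDnsZoneResourceGroup` already is exposed, e.g. `"resourceLocation": { "value": "[parameters('resourceLocation')]" }`, or at least keep the defaults in step with COSMOS-007. The other PEDNS entries in this file are outside the hunk, so I cannot tell whether they share the same hard-coded value.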
diff --git a/tests/policy-integration-tests/.shared/policy_integration_test_config.jsonc b/tests/policy-integration-tests/.shared/policy_integration_test_config.jsonc index aff7750..bc9e328 100644 --- a/tests/policy-integration-tests/.shared/policy_integration_test_config.jsonc +++ b/tests/policy-integration-tests/.shared/policy_integration_test_config.jsonc @@ -40,7 +40,7 @@ "privateEndpointAPIVersion": "2025-05-01", //API version for private endpoints "vnetFlowLogApiVersion": "2024-07-01", //API version for VNet flow logs "appServicesAPIVersion": "2025-03-01", //API version for App Services - "diagnosticSettingsIdSuffix": "/providers/microsoft.insights/diagnosticSettings/setByPolicyLAW", //suffix for the resource ID of the diagnostic settings created by the policy. This is used for testing of the diagnostic settings DINE policies + "diagnosticSettingsIdSuffix": "/providers/microsoft.insights/diagnosticSettings/setByPolicy", //suffix for the resource ID of the diagnostic settings created by the policy. This is used for testing of the diagnostic settings DINE policies "privateEndpointPrivateDNSZoneGroupIdSuffix": "/privateDnsZoneGroups/deployedByPolicy", //suffix for the resource ID of the private DNS zone group created by the policy for private endpoints. This is used for testing of the private endpoint DINE policies //Subscriptions and details about the each subscription used in the tests. This is needed to provide the necessary information for the tests to create and manage resources in the correct subscriptions and resource groups. "subscriptions": { diff --git a/tests/policy-integration-tests/.test-template/config.json b/tests/policy-integration-tests/.test-template/config.json index 8f4888b..6ac3b5d 100644 --- a/tests/policy-integration-tests/.test-template/config.json +++ b/tests/policy-integration-tests/.test-template/config.json 
@@ -5,12 +5,7 @@ "assignmentName": "", "testSubscription": "", "testResourceGroup": "", - "testManagementGroup": "", "location": "", "tagsForResourceGroup": false, - "testAuditPoliciesFromDeployedResources": false, - "testAppendModifyPolicies": false, - "testDeployIfNotExistsPolicies": false, - "testDenyPolicies": true, "removeTestResourceGroup": true } diff --git a/tests/policy-integration-tests/.test-template/main.good.bicep b/tests/policy-integration-tests/.test-template/main.good.bicep index 4975278..84e6185 100644 --- a/tests/policy-integration-tests/.test-template/main.good.bicep +++ b/tests/policy-integration-tests/.test-template/main.good.bicep @@ -13,4 +13,4 @@ var location = localConfig.location var namePrefix = globalConfig.namePrefix // define template specific variables -var serviceShort = 'xxx3' +var serviceShort = 'xxx2' diff --git a/tests/policy-integration-tests/cognitive-service/README.md b/tests/policy-integration-tests/cognitive-service/README.md new file mode 100644 index 0000000..ffc98f0 --- /dev/null +++ b/tests/policy-integration-tests/cognitive-service/README.md 
@@ -0,0 +1,27 @@ +# Policy Integration Test - Policy Integration Test Cases for Cognitive Service + +## Introduction + +This folder contains a sample test case for Cognitive Service related policies. + +The test case is designed to test the following policy assignments: + +| Policy Assignment Name | Policy Assignment Scope | Description | +| :--------------------- | :--------------------- | :---------- | +| `pa-d-cog-service` | `/providers/Microsoft.Management/managementGroups/CONTOSO-DEV` | Policy Assignment for the Azure Cognitive Service initiative | +| `pa-d-pedns` | `/providers/Microsoft.Management/managementGroups/CONTOSO-DEV` | Policy Assignment for Azure Private Endpoint DNS Records Policy Initiative (deploy DNS records for Private Endpoints) | +| `pa-d-diag-settings` | `/providers/Microsoft.Management/managementGroups/CONTOSO-DEV` | Policy Assignment for Azure Diagnostic Settings Policy Initiative (deploy diagnostic settings for all applicable Azure resources) | + +The following policies are in scope for testing: + +| Policy Assignment | Policy Reference ID | Policy Name | Policy Effect | +| :---------------- | :---------------- | :------------ | :------------ | +| `pa-d-cog-service` | `COG-001` | Cognitive Service accounts should have local authentication disabled | Deny | +| `pa-d-cog-service` | `COG-002` | Cognitive Services accounts should restrict public network access | Deny | +| `pa-d-cog-service` | `COG-003` | Cognitive Services accounts should use a managed identity | Deny | +| `pa-d-cog-service` | `COG-004` | Cognitive Services accounts should use customer owned storage | Audit | +| `pa-d-cog-service` | `COG-005` | Cognitive Services Deployments allowed model formats | Deny | +| `pa-d-cog-service` | `COG-006` | Cognitive Services Deployments should only use approved Models from OpenAI | Deny | +| `pa-d-cog-service` | `COG-007` | Cognitive Services Deployments should only use approved Models from xAI | Deny | +| `pa-d-diag-settings` | `DS-013` | 
Configure Diagnostic Setting for Azure Cognitive Services | DeployIfNotExists |
+| `pa-d-pedns` | `PEDNS-016` | Private DNS Record for Azure Cognitive Services PE must exist | DeployIfNotExists |
diff --git a/tests/policy-integration-tests/cognitive-service/config.json b/tests/policy-integration-tests/cognitive-service/config.json
new file mode 100644
index 0000000..e8eefda
--- /dev/null
+++ b/tests/policy-integration-tests/cognitive-service/config.json
@@ -0,0 +1,16 @@
+{
+ "policyAssignmentIds": [
+ "/providers/Microsoft.Management/managementGroups/CONTOSO-DEV/providers/Microsoft.Authorization/policyAssignments/pa-d-pedns",
+ "/providers/Microsoft.Management/managementGroups/CONTOSO-DEV/providers/Microsoft.Authorization/policyAssignments/pa-d-cog-service",
+ "/providers/Microsoft.Management/managementGroups/CONTOSO-DEV/providers/Microsoft.Authorization/policyAssignments/pa-d-diag-settings"
+ ],
+ "testName": "CognitiveService",
+ "cogServiceAssignmentName": "pa-d-cog-service",
+ "diagSettingsAssignmentName": "pa-d-diag-settings",
+ "peDNSAssignmentName": "pa-d-pedns",
+ "testSubscription": "sub-d-lz-corp-01",
+ "testResourceGroup": "rg-ae-d-policy-test-cog-service-001",
+ "location": "australiaeast",
+ "tagsForResourceGroup": false,
+ "removeTestResourceGroup": true
+}
diff --git a/tests/policy-integration-tests/cognitive-service/main.bad.bicep b/tests/policy-integration-tests/cognitive-service/main.bad.bicep
new file mode 100644
index 0000000..2681d5f
--- /dev/null
+++ b/tests/policy-integration-tests/cognitive-service/main.bad.bicep
@@ -0,0 +1,75 @@
+metadata itemDisplayName = 'Test Template for Cognitive Services'
+metadata description = 'This template deploys the testing resource for Cognitive Services.'
+metadata summary = 'Deploys test Cognitive Services resources that should violate some policy assignments.'
+
+// ============ //
+// variables //
+// ============ //
+// Load the configuration file
+var globalConfig = loadJsonContent('../.shared/policy_integration_test_config.jsonc')
+var localConfig = loadJsonContent('config.json')
+
+var location = localConfig.location
+var namePrefix = globalConfig.namePrefix
+
+// define template specific variables
+var serviceShort = 'cog3'
+
+resource cognitiveService 'Microsoft.CognitiveServices/accounts@2025-12-01' = {
+ name: '${namePrefix}${serviceShort}01'
+ location: location
+ kind: 'AIServices'
+ sku: {
+ name: 'S0'
+ }
+ //identity: {} //no identity defined, this should violate the policy COG-003
+ properties: {
+ networkAcls: {
+ defaultAction: 'Allow'
+ }
+ publicNetworkAccess: 'Enabled' //this should violate the policy COG-002
+ allowProjectManagement: true
+ customSubDomainName: '${namePrefix}${serviceShort}01'
+ }
+}
+
+resource gpt51 'Microsoft.CognitiveServices/accounts/deployments@2025-12-01' = {
+ name: 'gpt51'
+ parent: cognitiveService
+ sku: {
+ name: 'GlobalStandard'
+ capacity: 1
+ }
+ properties: {
+ model: {
+ name: 'gpt-5.1' //this should violate the policy COG-006 since gpt-5.1 is not in the allowed list of models defined in the policy
+ format: 'OpenAI'
+ }
+ }
+}
+
+resource grok3 'Microsoft.CognitiveServices/accounts/deployments@2025-12-01' = {
+ name: 'grok3'
+ parent: cognitiveService
+ sku: {
+ name: 'GlobalStandard'
+ capacity: 1
+ }
+ properties: {
+ model: {
+ name: 'grok-3' //this should violate the policy COG-007 since grok-3 is not in the allowed list of models defined in the policy
+ format: 'xAI'
+ version: '1'
+ }
+ }
+}
+resource deepseekr1 'Microsoft.CognitiveServices/accounts/deployments@2025-12-01' = {
+ name: 'deepseekr1'
+ parent: cognitiveService
+ properties: {
+ model: {
+ name: 'DeepSeek-R1'
+ format: 'DeepSeek' //this should violate the policy COG-005 since DeepSeek is not in the allowed list of formats defined in the policy
+ }
+ }
+}
diff --git a/tests/policy-integration-tests/cognitive-service/main.good.bicep b/tests/policy-integration-tests/cognitive-service/main.good.bicep
new file mode 100644
index 0000000..d01db86
--- /dev/null
+++ b/tests/policy-integration-tests/cognitive-service/main.good.bicep
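Review bot: The `deepseekr1` deployment omits the `sku` block that `gpt51` and `grok3` carry; if the resource provider rejects a deployment without a SKU, the what-if run fails on schema validation before policy evaluation, and the 'Policy violating deployment should fail' assertion in tests.ps1 would then pass or fail for a reason unrelated to COG-005. Give it the same `sku` block as `gpt51` so the only thing wrong with it is the `DeepSeek` format. The account also uses `accounts@2025-12-01` while main.test.bicep in the same change uses `accounts@2026-03-01`; keeping the three templates on one API version avoids the policy being evaluated against two different schemas.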
@@ -0,0 +1,91 @@
+metadata itemDisplayName = 'Test Template for Cognitive Services'
+metadata description = 'This template deploys the testing resource for Cognitive Services.'
+metadata summary = 'Deploys test Cognitive Services resources that should comply with all policy assignments.'
+
+// ============ //
+// variables //
+// ============ //
+// Load the configuration file
+var globalConfig = loadJsonContent('../.shared/policy_integration_test_config.jsonc')
+var localConfig = loadJsonContent('config.json')
+
+var location = localConfig.location
+var namePrefix = globalConfig.namePrefix
+
+// define template specific variables
+var serviceShort = 'cog2'
+
+resource cognitiveService 'Microsoft.CognitiveServices/accounts@2025-12-01' = {
+ name: '${namePrefix}${serviceShort}01'
+ location: location
+ kind: 'AIServices'
+ sku: {
+ name: 'S0'
+ }
+ identity: {
+ type: 'SystemAssigned'
+ } //identity defined, this should comply with the policy COG-003
+ properties: {
+ networkAcls: {
+ defaultAction: 'Deny'
+ }
+ publicNetworkAccess: 'Disabled' //this should comply with the policy COG-002
+ allowProjectManagement: true
+ customSubDomainName: '${namePrefix}${serviceShort}01'
+ userOwnedStorage: [
+ {
+ resourceId: storage.id
+ }
+ ] //user owned storage defined, this should comply with the policy COG-004
+ }
+}
+resource gpt41 'Microsoft.CognitiveServices/accounts/deployments@2025-12-01' = {
+ name: 'gpt41'
+ parent: cognitiveService
+ sku: {
+ name: 'GlobalStandard'
+ capacity: 150
+ }
+ properties: {
+ model: {
+ name: 'gpt-4.1'
+ format: 'OpenAI'
+ }
+ }
+}
+
+resource grok 'Microsoft.CognitiveServices/accounts/deployments@2025-12-01' = {
+ name: 'grok-4-1-fast-reasoning'
+ parent: cognitiveService
+ sku: {
+ name: 'GlobalStandard'
+ capacity: 4
+ }
+ properties: {
+ model: {
+ name: 'grok-4-1-fast-reasoning'
+ format: 'xAI'
+ version: '1'
+ }
+ }
+}
+
+resource storage 'Microsoft.Storage/storageAccounts@2025-08-01' = {
+ name: 'sa${namePrefix}${serviceShort}'
+ location: location
+ sku: {
+ name: 'Standard_LRS'
+ }
+ kind: 'StorageV2'
+ properties: {
+ networkAcls: {
+ defaultAction: 'Deny'
+ }
+ publicNetworkAccess: 'Disabled'
+ allowCrossTenantReplication: false
+ allowedCopyScope: 'AAD'
+ allowSharedKeyAccess: false
+ minimumTlsVersion: 'TLS1_2'
+ supportsHttpsTrafficOnly: true
+ }
+}
diff --git a/tests/policy-integration-tests/cognitive-service/main.test.bicep b/tests/policy-integration-tests/cognitive-service/main.test.bicep
new file mode 100644
index 0000000..3bb0306
--- /dev/null
+++ b/tests/policy-integration-tests/cognitive-service/main.test.bicep
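Review bot: The storage account referenced from `userOwnedStorage` is locked down with `networkAcls.defaultAction: 'Deny'`, `publicNetworkAccess: 'Disabled'` and `allowSharedKeyAccess: false`, but nothing in the template lets the cognitive account reach it: there is no `bypass: 'AzureServices'` or resource-instance rule, and no role assignment for the system-assigned identity, which customer-owned storage is documented as requiring. That never surfaces because tests.ps1 only runs this template through what-if and never provisions it, so a reader may copy it as a working reference and get an account that cannot use its own storage. Add `// what-if only: a real BYOS deployment also needs a network rule and a blob data role assignment for the account identity` above the `storage` resource, and note that `sa${namePrefix}${serviceShort}` carries no uniqueness suffix, unlike the account name in main.test.bicep.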
@@ -0,0 +1,89 @@ +metadata itemDisplayName = 'Test Template for Cognitive Services' +metadata description = 'This template deploys the testing resource for Cognitive Services.' +metadata summary = 'Deploys test Cognitive Services resources.' + +// ========== // +// Parameters // +// ========== // +@description('Optional. Get current time stamp. This is used to generate unique name for Cognitive Service account. DO NOT provide a value.') +param now string = utcNow() + +// ============ // +// variables // +// ============ // +// Load the configuration file +var globalConfig = loadJsonContent('../.shared/policy_integration_test_config.jsonc') +var localConfig = loadJsonContent('config.json') +//Define required variables from the configuration files - change these based on your requirements +var tags = globalConfig.tags +var location = localConfig.location +var namePrefix = globalConfig.namePrefix +var subName = localConfig.testSubscription +var vnetResourceGroup = globalConfig.subscriptions[subName].networkResourceGroup +var vnetName = globalConfig.subscriptions[subName].vNet +var peSubnetName = globalConfig.subscriptions[subName].peSubnet +var cognitiveServiceAccountNameSuffix = substring((uniqueString(now, location)), 0, 5) +var serviceShort = 'cog1' //use this to form the name of the resources deployed by this template. This is helpful to identify the resource in the portal and also useful if you want to have a policy that targets specific resources by name. For example, if you have a policy that audits whether storage accounts have secure transfer enabled, you can set serviceShort to 'st' and then in the policy definition, you can target resources with name starting with 'st' to only audit the storage accounts deployed by this test template. 
+ +// ============ // +// resources // +// ============ // +resource vnet 'Microsoft.Network/virtualNetworks@2025-05-01' existing = { + name: vnetName + scope: az.resourceGroup(vnetResourceGroup) + + resource peSubnet 'subnets' existing = { name: peSubnetName } +} + +resource cognitiveService 'Microsoft.CognitiveServices/accounts@2026-03-01' = { + name: '${namePrefix}${serviceShort}${cognitiveServiceAccountNameSuffix}01' + location: location + tags: tags + kind: 'AIServices' + sku: { + name: 'S0' + } + identity: { + type: 'SystemAssigned' + } + properties: { + networkAcls: { + defaultAction: 'Deny' + } + publicNetworkAccess: 'Disabled' + allowProjectManagement: true + customSubDomainName: '${namePrefix}${serviceShort}${cognitiveServiceAccountNameSuffix}01' + //userOwnedStorage: [] //This should violate the audit policy COG-004 since no user owned storage defined + } +} + +resource pe 'Microsoft.Network/privateEndpoints@2025-05-01' = { + name: 'pe-${namePrefix}${serviceShort}${cognitiveServiceAccountNameSuffix}-cognitive' + location: location + tags: tags + properties: { + subnet: { + id: vnet::peSubnet.id + } + privateLinkServiceConnections: [ + { + name: 'pe-${namePrefix}${serviceShort}${cognitiveServiceAccountNameSuffix}-cognitive' + properties: { + privateLinkServiceId: cognitiveService.id + groupIds: [ + 'account' + ] + } + } + ] + } +} + +// ============ // +// outputs // +// ============ // +//Specify the outputs that are required for the test +output name string = cognitiveService.name +output resourceId string = cognitiveService.id +output privateEndpointResourceId string = pe.id +output location string = cognitiveService.location diff --git a/tests/policy-integration-tests/cognitive-service/tests.ps1 b/tests/policy-integration-tests/cognitive-service/tests.ps1 new file mode 100644 index 0000000..3c98634 --- /dev/null +++ b/tests/policy-integration-tests/cognitive-service/tests.ps1 
@@ -0,0 +1,88 @@ +#region generic sections for all tests +#Requires -Modules Az.Accounts, Az.PolicyInsights, Az.Resources +#Requires -Version 7.0 + +using module AzResourceTest + +$helperFunctionScriptPath = (resolve-path -relativeBasePath $PSScriptRoot -path '../../../scripts/pipelines/helper/helper-functions.ps1').Path + +#load helper +. $helperFunctionScriptPath + +#Run initiate-test script to set environment variables for test configuration and deployment +$globalConfigFilePath = (resolve-path -RelativeBasePath $PSScriptRoot -path '../.shared/policy_integration_test_config.jsonc').Path +$TestDirectory = $PSScriptRoot +Write-Output "Initiating test with global config file: $globalConfigFilePath and test directory: $TestDirectory" +$initiateTestScriptPath = (resolve-path -RelativeBasePath $PSScriptRoot -path '../.shared/initiate-test.ps1').Path +. $initiateTestScriptPath -globalConfigFilePath $globalConfigFilePath -TestDirectory $TestDirectory + +# Refer to the ../../docs/policy-integration-test-get-started.md for details on the expected variables to be set by the initiate-test script and the structure of those variables. +#endregion + +#region defining tests +<# +The following policy definitions are tested:. + - refer to the README.md in this directory for the list of policies being tested in this test suite and the expected compliance status of each policy. 
+#> +$resourceId = $script:bicepDeploymentOutputs.resourceId.value +$diagSettingsPolicyAssignmentId = $script:LocalConfig_policyAssignmentIds | Where-Object { $_ -imatch "$script:LocalConfig_diagSettingsAssignmentName`$" } +$peDNSPolicyAssignmentId = $script:LocalConfig_policyAssignmentIds | Where-Object { $_ -imatch "$script:LocalConfig_peDNSAssignmentName`$" } +$diagnosticSettingsId = "{0}{1}" -f $resourceId, $script:GlobalConfig_diagnosticSettingsIdSuffix +$cogServicePolicyAssignmentId = $script:LocalConfig_policyAssignmentIds | Where-Object { $_ -imatch "$script:LocalConfig_cogServiceAssignmentName`$" } +$privateEndpointResourceId = $script:bicepDeploymentOutputs.privateEndpointResourceId.value +$privateEndpointPrivateDNSZoneGroupId = '{0}{1}' -f $privateEndpointResourceId, $script:GlobalConfig_privateEndpointPrivateDNSZoneGroupIdSuffix +$violatingPolicies = @( + @{ + policyAssignmentId = $cogServicePolicyAssignmentId + policyDefinitionReferenceId = 'COG-002' + } + @{ + policyAssignmentId = $cogServicePolicyAssignmentId + policyDefinitionReferenceId = 'COG-003' + } + @{ + policyAssignmentId = $cogServicePolicyAssignmentId + policyDefinitionReferenceId = 'COG-005' + } + @{ + policyAssignmentId = $cogServicePolicyAssignmentId + policyDefinitionReferenceId = 'COG-006' + } + @{ + policyAssignmentId = $cogServicePolicyAssignmentId + policyDefinitionReferenceId = 'COG-007' + } +) +#define tests +$tests = @() + +#Modify / Append Policies +$tests += New-ARTPropertyValueTestConfig 'COG-001: Local authentication should be disabled' $script:token $resourceId 'boolean' 'properties.disableLocalAuth' 'equals' $true + +# Audit Policies +$tests += New-ARTPolicyStateTestConfig 'COG-004: Azure Cognitive Services accounts should use customer-owned storage' $script:token $resourceId $cogServicePolicyAssignmentId 'NonCompliant' 'COG-004' + +#DeployIfNotExists Policies +$tests += New-ARTResourceExistenceTestConfig 'DS-013: Deploy Diagnostic Settings for Cognitive Service to Log 
Analytics workspace.' $script:token $diagnosticSettingsId 'exists' $script:GlobalConfig_diagnosticSettingsAPIVersion +$tests += New-ARTPolicyStateTestConfig 'DS-013: Diagnostic Settings Policy Must Be Compliant' $script:token $resourceId $diagSettingsPolicyAssignmentId 'Compliant' 'DS-013' +$tests += New-ARTResourceExistenceTestConfig 'PEDNS-016: Private DNS Record for Azure Cognitive Service PE must exist' $script:token $privateEndpointPrivateDNSZoneGroupId 'exists' $script:GlobalConfig_privateDNSZoneGroupAPIVersion +$tests += New-ARTPolicyStateTestConfig 'PEDNS-016: Private DNS Record Policy Must Be Compliant' $script:token $privateEndpointResourceId $peDNSPolicyAssignmentId 'Compliant' 'PEDNS-016' + +#Deny policies (testing both positive and negative scenarios) +$tests += New-ARTWhatIfDeploymentTestConfig 'Policy abiding deployment should succeed' $script:token $script:whatIfComplyBicepTemplatePath $script:bicepDeploymentResult.bicepDeploymentTarget 'Succeeded' -maxRetry $script:GlobalConfig_whatIfMaxRetry +$tests += New-ARTWhatIfDeploymentTestConfig 'Policy violating deployment should fail' $script:token $script:whatIfViolateBicepTemplatePath $script:bicepDeploymentResult.bicepDeploymentTarget 'Failed' $violatingPolicies -maxRetry $script:GlobalConfig_whatIfMaxRetry +# +#endregion + +#region Invoke tests - do not modify +$params = @{ + tests = $tests + testTitle = $script:testTitle + contextTitle = $script:contextTitle + testSuiteName = $script:testSuiteName + OutputFile = $script:outputFilePath + OutputFormat = $script:GlobalConfig_testOutputFormat +} +Test-ARTResourceConfiguration @params + +#endregion diff --git a/tests/policy-integration-tests/cosmos-db/README.md b/tests/policy-integration-tests/cosmos-db/README.md new file mode 100644 index 0000000..0de3cfd --- /dev/null +++ b/tests/policy-integration-tests/cosmos-db/README.md 
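Review bot: COG-001 is tested here as a Modify/Append policy (the `New-ARTPropertyValueTestConfig` check that `properties.disableLocalAuth` equals `$true` on the deployed account) and is deliberately absent from `$violatingPolicies`, yet the README added in this commit lists COG-001 with effect `Deny`; one of the two is wrong, and if the assignment really runs it as Deny the violating template, which never sets `disableLocalAuth`, would presumably be rejected on COG-001 as well and the what-if expectation would be incomplete. Align the README row with the effect this test assumes, or add `@{ policyAssignmentId = $cogServicePolicyAssignmentId; policyDefinitionReferenceId = 'COG-001' }` to the list if Deny is intended. The assignment lookups feed the configured name straight into `-imatch` as a regex; the names in config.json are letters and hyphens so it works today, but `[regex]::Escape($script:LocalConfig_cogServiceAssignmentName)` would keep it correct if a name ever contains metacharacters.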
@@ -0,0 +1,28 @@
+# Policy Integration Test - Policy Integration Test Cases for xxx
+
+## Introduction
+
+This folder contains a sample test case for Azure Cosmos DB related policies.
+
+The test case is designed to test the following policy assignments:
+
+| Policy Assignment Name | Policy Assignment Scope | Description |
+| :--------------------- | :--------------------- | :---------- |
+| `pa-d-cosmos` | `/providers/Microsoft.Management/managementGroups/CONTOSO-DEV` | Policy Assignment for the Azure Cosmos DB initiative |
+| `pa-d-pedns` | `/providers/Microsoft.Management/managementGroups/CONTOSO-DEV` | Policy Assignment for Azure Private Endpoint DNS Records Policy Initiative (deploy DNS records for Private Endpoints) |
+| `pa-d-diag-settings` | `/providers/Microsoft.Management/managementGroups/CONTOSO-DEV` | Policy Assignment for Azure Diagnostic Settings Policy Initiative (deploy diagnostic settings for all applicable Azure resources) |
+
+
+The following policies are in scope for testing:
+
+| Policy Assignment | Policy Reference ID | Policy Name | Policy Effect |
+| :---------------- | :---------------- | :------------ | :------------ |
+| `pa-d-cosmos` | `COSMOS-001` | Azure Cosmos DB accounts should have local authentication disabled | Modify |
+| `pa-d-cosmos` | `COSMOS-002` | Azure Cosmos DB accounts should have firewall rules | Deny |
+| `pa-d-cosmos` | `COSMOS-003` | Azure Cosmos DB should disable public network access | Deny |
+| `pa-d-cosmos` | `COSMOS-004` | Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest | Audit |
+| `pa-d-cosmos` | `COSMOS-005` | Azure Cosmos DB key based metadata write access should be disabled | Deny |
+| `pa-d-cosmos` | `COSMOS-006` | Azure Cosmos DB accounts should have a minimum TLS version | Deny |
+| `pa-d-cosmos` | `COSMOS-007` | Azure Cosmos DB allowed locations | Deny |
+| `pa-d-diag-settings` | `DS-014` | Configure Diagnostic Setting for Azure Cosmos DB | DeployIfNotExists |
+| 
`pa-d-pedns` | `PEDNS-017` | Private DNS Record for Azure Cosmos DB SQL PE must exist | DeployIfNotExists |
diff --git a/tests/policy-integration-tests/cosmos-db/config.json b/tests/policy-integration-tests/cosmos-db/config.json
new file mode 100644
index 0000000..e2733c2
--- /dev/null
+++ b/tests/policy-integration-tests/cosmos-db/config.json
@@ -0,0 +1,17 @@
+{
+ "policyAssignmentIds": [
+ "/providers/Microsoft.Management/managementGroups/CONTOSO-DEV/providers/Microsoft.Authorization/policyAssignments/pa-d-pedns",
+ "/providers/Microsoft.Management/managementGroups/CONTOSO-DEV/providers/Microsoft.Authorization/policyAssignments/pa-d-cosmos",
+ "/providers/Microsoft.Management/managementGroups/CONTOSO-DEV/providers/Microsoft.Authorization/policyAssignments/pa-d-diag-settings"
+ ],
+ "testName": "CosmosDB",
+ "cosmosAssignmentName": "pa-d-cosmos",
+ "diagSettingsAssignmentName": "pa-d-diag-settings",
+ "peDNSAssignmentName": "pa-d-pedns",
+ "testSubscription": "sub-d-lz-corp-01",
+ "testResourceGroup": "rg-ae-d-policy-test-cosmos-001",
+ "location": "australiaeast",
+ "disallowedLocation": "eastus",
+ "tagsForResourceGroup": false,
+ "removeTestResourceGroup": true
+}
diff --git a/tests/policy-integration-tests/cosmos-db/main.bad.bicep b/tests/policy-integration-tests/cosmos-db/main.bad.bicep
new file mode 100644
index 0000000..dad80d9
--- /dev/null
+++ b/tests/policy-integration-tests/cosmos-db/main.bad.bicep
@@ -0,0 +1,43 @@
+metadata itemDisplayName = 'Test Template for Cosmos DB'
+metadata description = 'This template deploys the testing resource for Cosmos DB.'
+metadata summary = 'Deploys test Cosmos DB resources that should violate some policy assignments.'
+
+// ============ //
+// variables //
+// ============ //
+// Load the configuration file
+var globalConfig = loadJsonContent('../.shared/policy_integration_test_config.jsonc')
+var localConfig = loadJsonContent('config.json')
+
+var location = localConfig.disallowedLocation
+var namePrefix = globalConfig.namePrefix
+
+// define template specific variables
+var serviceShort = 'cos3'
+resource cosmosDb 'Microsoft.DocumentDB/databaseAccounts@2023-03-15' = {
+ kind: 'GlobalDocumentDB'
+ name: '${namePrefix}${serviceShort}01'
+ location: location
+ properties: {
+ consistencyPolicy: {
+ defaultConsistencyLevel: 'Session'
+ maxIntervalInSeconds: 300
+ maxStalenessPrefix: 100001
+ }
+ locations: [
+ {
+ locationName: location // this should violate the policy COSMOS-007
+ failoverPriority: 0
+ isZoneRedundant: false
+ }
+ ]
+ //capabilities: []
+ databaseAccountOfferType: 'Standard'
+ enableMultipleWriteLocations: false
+ networkAclBypass: 'AzureServices'
+ enablePartitionMerge: false
+ publicNetworkAccess: 'Enabled' // this should violate the policy COSMOS-002, COSMOS-003
+ minimalTlsVersion: 'Tls11' // this should violate the policy COSMOS-006
+ disableKeyBasedMetadataWriteAccess: false // this should violate the policy COSMOS-005
+ }
+}
diff --git a/tests/policy-integration-tests/cosmos-db/main.good.bicep b/tests/policy-integration-tests/cosmos-db/main.good.bicep
new file mode 100644
index 0000000..a42688c
--- /dev/null
+++ b/tests/policy-integration-tests/cosmos-db/main.good.bicep
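Review bot: The violating template pins `Microsoft.DocumentDB/databaseAccounts@2023-03-15` while main.good.bicep and main.test.bicep in this same commit use `@2025-11-01-preview`, so the 'Policy violating deployment should fail' what-if presumably evaluates a different resource schema than the compliant case and a failure there is harder to attribute purely to the five expected policy denials; unless the older version is deliberate, align it with `resource cosmosDb 'Microsoft.DocumentDB/databaseAccounts@2025-11-01-preview' = {`. The commented-out `//capabilities: []` line has no counterpart in the sibling templates and reads as a leftover; drop it or add a word on why it is kept. The per-property comments naming the targeted policy are helpful; a header comment listing the five expected denials (COSMOS-002, -003, -005, -006, -007) would let a reader check them against `$violatingPolicies` in tests.ps1 without scanning the body.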
@@ -0,0 +1,42 @@
+metadata itemDisplayName = 'Test Template for Cosmos DB'
+metadata description = 'This template deploys the testing resource for Cosmos DB.'
+metadata summary = 'Deploys test Cosmos DB resources that should comply with all policy assignments.'
+
+// ============ //
+// variables //
+// ============ //
+// Load the configuration file
+var globalConfig = loadJsonContent('../.shared/policy_integration_test_config.jsonc')
+var localConfig = loadJsonContent('config.json')
+
+var location = localConfig.location
+var namePrefix = globalConfig.namePrefix
+
+// define template specific variables
+var serviceShort = 'cos2'
+resource cosmosDb 'Microsoft.DocumentDB/databaseAccounts@2025-11-01-preview' = {
+ kind: 'GlobalDocumentDB'
+ name: '${namePrefix}${serviceShort}01'
+ location: location
+ properties: {
+ consistencyPolicy: {
+ defaultConsistencyLevel: 'Session'
+ maxIntervalInSeconds: 300
+ maxStalenessPrefix: 100001
+ }
+ locations: [
+ {
+ locationName: location // this should comply with the policy COSMOS-007
+ failoverPriority: 0
+ isZoneRedundant: false
+ }
+ ]
+ databaseAccountOfferType: 'Standard'
+ enableMultipleWriteLocations: false
+ networkAclBypass: 'AzureServices'
+ enablePartitionMerge: false
+ publicNetworkAccess: 'Disabled' // this should comply with the policy COSMOS-002, COSMOS-003
+ minimalTlsVersion: 'Tls12' // this should comply with the policy COSMOS-006
+ disableKeyBasedMetadataWriteAccess: true // this should comply with the policy COSMOS-005
+ }
+}
diff --git a/tests/policy-integration-tests/cosmos-db/main.test.bicep b/tests/policy-integration-tests/cosmos-db/main.test.bicep
new file mode 100644
index 0000000..07e9270
--- /dev/null
+++ b/tests/policy-integration-tests/cosmos-db/main.test.bicep
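Review bot: The summary `Deploys test Cosmos DB resources that should comply with all policy assignments.` overstates what the template does: no `keyVaultKeyUri` is set, so the Audit policy COSMOS-004 (customer-managed keys) is not satisfied, which matches tests.ps1 expecting `NonCompliant` for COSMOS-004 and the `//keyVaultKeyUri` note in main.test.bicep. Since an Audit effect does not block the what-if deployment this is presumably intentional, but the metadata should say so, e.g. `metadata summary = 'Deploys test Cosmos DB resources that should pass all Deny policy assignments (COSMOS-004 Audit is intentionally not satisfied).'`. The cosmosDb resource body is otherwise a copy of the one in main.test.bicep minus `tags`; a short comment pointing at that file would help keep the two in step when a property changes.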
@@ -0,0 +1,89 @@
+metadata itemDisplayName = 'Test Template for Cosmos DB'
+metadata description = 'This template deploys the testing resource for Cosmos DB.'
+metadata summary = 'Deploys test Cosmos DB resources.'
+
+// ============ //
+// variables //
+// ============ //
+// Load the configuration file
+var globalConfig = loadJsonContent('../.shared/policy_integration_test_config.jsonc')
+var localConfig = loadJsonContent('config.json')
+//Define required variables from the configuration files - change these based on your requirements
+var tags = globalConfig.tags
+var location = localConfig.location
+var namePrefix = globalConfig.namePrefix
+var subName = localConfig.testSubscription
+var vnetResourceGroup = globalConfig.subscriptions[subName].networkResourceGroup
+var vnetName = globalConfig.subscriptions[subName].vNet
+var peSubnetName = globalConfig.subscriptions[subName].peSubnet
+
+var serviceShort = 'cos1' //use this to form the name of the resources deployed by this template. This is helpful to identify the resource in the portal and also useful if you want to have a policy that targets specific resources by name. For example, if you have a policy that audits whether storage accounts have secure transfer enabled, you can set serviceShort to 'st' and then in the policy definition, you can target resources with name starting with 'st' to only audit the storage accounts deployed by this test template. 
+
+// ============ //
+// resources //
+// ============ //
+resource vnet 'Microsoft.Network/virtualNetworks@2025-05-01' existing = {
+ name: vnetName
+ scope: az.resourceGroup(vnetResourceGroup)
+
+ resource peSubnet 'subnets' existing = { name: peSubnetName }
+}
+
+resource cosmosDb 'Microsoft.DocumentDB/databaseAccounts@2025-11-01-preview' = {
+ kind: 'GlobalDocumentDB'
+ name: '${namePrefix}${serviceShort}01'
+ location: location
+ tags: tags
+ properties: {
+ consistencyPolicy: {
+ defaultConsistencyLevel: 'Session'
+ maxIntervalInSeconds: 300
+ maxStalenessPrefix: 100001
+ }
+ locations: [
+ {
+ locationName: location
+ failoverPriority: 0
+ isZoneRedundant: false
+ }
+ ]
+ databaseAccountOfferType: 'Standard'
+ enableMultipleWriteLocations: false
+ networkAclBypass: 'AzureServices'
+ enablePartitionMerge: false
+ publicNetworkAccess: 'Disabled'
+ minimalTlsVersion: 'Tls12'
+ disableKeyBasedMetadataWriteAccess: true
+ //keyVaultKeyUri: '' // this should violate the policy COSMOS-004
+ }
+}
+
+resource pe 'Microsoft.Network/privateEndpoints@2025-05-01' = {
+ name: 'pe-${namePrefix}${serviceShort}-cosmosdb'
+ location: location
+ tags: tags
+ properties: {
+ subnet: {
+ id: vnet::peSubnet.id
+ }
+ privateLinkServiceConnections: [
+ {
+ name: 'pe-${namePrefix}${serviceShort}-cosmosdb'
+ properties: {
+ privateLinkServiceId: cosmosDb.id
+ groupIds: [
+ 'Sql'
+ ]
+ }
+ }
+ ]
+ }
+}
+// ============ //
+// outputs //
+// ============ //
+//Specify the outputs that are required for the test
+output name string = cosmosDb.name
+output resourceId string = cosmosDb.id
+output privateEndpointResourceId string = pe.id
+output location string = cosmosDb.location
diff --git a/tests/policy-integration-tests/cosmos-db/tests.ps1 b/tests/policy-integration-tests/cosmos-db/tests.ps1
new file mode 100644
index 0000000..b4c493f
--- /dev/null
+++ b/tests/policy-integration-tests/cosmos-db/tests.ps1
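Review bot: The private-endpoint name `'pe-${namePrefix}${serviceShort}-cosmosdb'` is written twice, once as the `pe` resource `name` and once as the `privateLinkServiceConnections` entry name; a single `var peName = 'pe-${namePrefix}${serviceShort}-cosmosdb'` referenced in both places keeps them from drifting apart. The `serviceShort` explanation is one several-hundred-character inline comment that is unreadable in a diff; splitting it over a few `//` lines, or trimming it to the part about naming resources for targeted policies, would help. The commented-out `//keyVaultKeyUri: ''` is the only hint that COSMOS-004 is expected to report NonCompliant for this resource, so a plain comment such as `// CMK intentionally not configured: COSMOS-004 (Audit) is expected to report NonCompliant` would be clearer than commented-out code.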
@@ -0,0 +1,98 @@
+#region generic sections for all tests
+#Requires -Modules Az.Accounts, Az.PolicyInsights, Az.Resources
+#Requires -Version 7.0
+
+using module AzResourceTest
+
+$helperFunctionScriptPath = (resolve-path -relativeBasePath $PSScriptRoot -path '../../../scripts/pipelines/helper/helper-functions.ps1').Path
+
+#load helper
+. $helperFunctionScriptPath
+
+#Run initiate-test script to set environment variables for test configuration and deployment
+$globalConfigFilePath = (resolve-path -RelativeBasePath $PSScriptRoot -path '../.shared/policy_integration_test_config.jsonc').Path
+$TestDirectory = $PSScriptRoot
+Write-Output "Initiating test with global config file: $globalConfigFilePath and test directory: $TestDirectory"
+$initiateTestScriptPath = (resolve-path -RelativeBasePath $PSScriptRoot -path '../.shared/initiate-test.ps1').Path
+. $initiateTestScriptPath -globalConfigFilePath $globalConfigFilePath -TestDirectory $TestDirectory
+
+# Refer to the ../../docs/policy-integration-test-get-started.md for details on the expected variables to be set by the initiate-test script and the structure of those variables.
+#endregion
+
+#region defining tests
+<#
+The following policy definitions are tested:. 
+ - COSMOS-001: Azure Cosmos DB accounts should have local authentication disabled (Modify)
+ - COSMOS-002: Azure Cosmos DB accounts should have firewall rules (Deny)
+ - COSMOS-003: Azure Cosmos DB should disable public network access (Deny)
+ - COSMOS-004: Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest (Audit)
+ - COSMOS-005: Azure Cosmos DB key based metadata write access should be disabled (Deny)
+ - COSMOS-006: Azure Cosmos DB accounts should have a minimum TLS version (Deny)
+ - COSMOS-007: Azure Cosmos DB allowed locations (Deny)
+ - DS-014: Configure Diagnostic Setting for Azure Cosmos DB (DeployIfNotExists)
+ - PEDNS-017: Private DNS Record for Azure Cosmos DB SQL PE must exist (DeployIfNotExists)
+#>
+
+#Parse deployment outputs
+$resourceId = $script:bicepDeploymentOutputs.resourceId.value
+$diagSettingsPolicyAssignmentId = $script:LocalConfig_policyAssignmentIds | Where-Object { $_ -imatch "$script:LocalConfig_diagSettingsAssignmentName`$" }
+$peDNSPolicyAssignmentId = $script:LocalConfig_policyAssignmentIds | Where-Object { $_ -imatch "$script:LocalConfig_peDNSAssignmentName`$" }
+$diagnosticSettingsId = "{0}{1}" -f $resourceId, $script:GlobalConfig_diagnosticSettingsIdSuffix
+$cosmosPolicyAssignmentId = $script:LocalConfig_policyAssignmentIds | Where-Object { $_ -imatch "$script:LocalConfig_cosmosAssignmentName`$" }
+$privateEndpointResourceId = $script:bicepDeploymentOutputs.privateEndpointResourceId.value
+$privateEndpointPrivateDNSZoneGroupId = '{0}{1}' -f $privateEndpointResourceId, $script:GlobalConfig_privateEndpointPrivateDNSZoneGroupIdSuffix
+$violatingPolicies = @(
+ @{
+ policyAssignmentId = $cosmosPolicyAssignmentId
+ policyDefinitionReferenceId = 'COSMOS-002'
+ }
+ @{
+ policyAssignmentId = $cosmosPolicyAssignmentId
+ policyDefinitionReferenceId = 'COSMOS-003'
+ }
+ @{
+ policyAssignmentId = $cosmosPolicyAssignmentId
+ policyDefinitionReferenceId = 'COSMOS-005'
+ }
+ @{
+ policyAssignmentId = 
$cosmosPolicyAssignmentId
+ policyDefinitionReferenceId = 'COSMOS-006'
+ }
+ @{
+ policyAssignmentId = $cosmosPolicyAssignmentId
+ policyDefinitionReferenceId = 'COSMOS-007'
+ }
+)
+#define tests
+$tests = @()
+
+#Modify / Append Policies
+$tests += New-ARTPropertyValueTestConfig 'COSMOS-001: Local authentication should be disabled' $script:token $resourceId 'boolean' 'properties.disableLocalAuth' 'equals' $true
+
+# Audit Policies
+$tests += New-ARTPolicyStateTestConfig 'COSMOS-004: Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest' $script:token $resourceId $cosmosPolicyAssignmentId 'NonCompliant' 'COSMOS-004'
+
+#DeployIfNotExists Policies
+$tests += New-ARTResourceExistenceTestConfig 'DS-014: Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace.' $script:token $diagnosticSettingsId 'exists' $script:GlobalConfig_diagnosticSettingsAPIVersion
+$tests += New-ARTPolicyStateTestConfig 'DS-014: Diagnostic Settings Policy Must Be Compliant' $script:token $resourceId $diagSettingsPolicyAssignmentId 'Compliant' 'DS-014'
+$tests += New-ARTResourceExistenceTestConfig 'PEDNS-017: Private DNS Record for Azure Cosmos DB SQL PE must exist' $script:token $privateEndpointPrivateDNSZoneGroupId 'exists' $script:GlobalConfig_privateDNSZoneGroupAPIVersion
+$tests += New-ARTPolicyStateTestConfig 'PEDNS-017: Private DNS Record Policy Must Be Compliant' $script:token $privateEndpointResourceId $peDNSPolicyAssignmentId 'Compliant' 'PEDNS-017'
+
+#Deny policies (testing both positive and negative scenarios)
+$tests += New-ARTWhatIfDeploymentTestConfig 'Policy abiding deployment should succeed' $script:token $script:whatIfComplyBicepTemplatePath $script:bicepDeploymentResult.bicepDeploymentTarget 'Succeeded' -maxRetry $script:GlobalConfig_whatIfMaxRetry
+$tests += New-ARTWhatIfDeploymentTestConfig 'Policy violating deployment should fail' $script:token $script:whatIfViolateBicepTemplatePath $script:bicepDeploymentResult.bicepDeploymentTarget 
'Failed' $violatingPolicies -maxRetry $script:GlobalConfig_whatIfMaxRetry
+#
+#endregion
+
+#region Invoke tests - do not modify
+$params = @{
+ tests = $tests
+ testTitle = $script:testTitle
+ contextTitle = $script:contextTitle
+ testSuiteName = $script:testSuiteName
+ OutputFile = $script:outputFilePath
+ OutputFormat = $script:GlobalConfig_testOutputFormat
+}
+Test-ARTResourceConfiguration @params
+
+#endregion
diff --git a/tests/policy-integration-tests/event-hub/tests.ps1 b/tests/policy-integration-tests/event-hub/tests.ps1
index 4d4b035..e8ceddf 100755
--- a/tests/policy-integration-tests/event-hub/tests.ps1
+++ b/tests/policy-integration-tests/event-hub/tests.ps1
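Review bot: The three assignment-ID lookups (`$diagSettingsPolicyAssignmentId`, `$peDNSPolicyAssignmentId`, `$cosmosPolicyAssignmentId`) interpolate the configured name into a regex unescaped and anchor it only with a trailing `$`, so any assignment ID whose last path segment merely ends with the name also matches — a constructed `pa-d-xcosmos` would be selected alongside `pa-d-cosmos` — and `Where-Object` would then hand an array rather than one ID to the test configs. Anchoring on the path segment and escaping the name closes that: `$_ -imatch "/policyAssignments/$([regex]::Escape($script:LocalConfig_cosmosAssignmentName))$"`, and likewise for the other two. When nothing matches, the variable is silently `$null` and the problem only surfaces later inside the AzResourceTest calls, so a guard after the lookups such as `if (-not $cosmosPolicyAssignmentId) { throw "assignment '$script:LocalConfig_cosmosAssignmentName' not found in policyAssignmentIds" }` would make a config mistake obvious. The same lookup pattern appears in the cognitive-services tests.ps1 hunk above, whose start is outside this view. The block comment line `The following policy definitions are tested:.` has a stray period.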
@@ -53,9 +53,9 @@ $tests += New-ARTPolicyStateTestConfig 'EH-004: Event Hub Namespace use CMK encr $tests += New-ARTPolicyStateTestConfig 'EH-005: Event Hub Namespace should use Private Endpoint' $script:token $eventHubNoPeResourceId $ehPolicyAssignmentId 'NonCompliant' 'EH-005' #DeployIfNotExists Policies -$tests += New-ARTResourceExistenceTestConfig 'DS-022: Deploy Diagnostic Settings for Container Registry to Log Analytics workspace.' $script:token $diagnosticSettingsId 'exists' $script:GlobalConfig_diagnosticSettingsAPIVersion +$tests += New-ARTResourceExistenceTestConfig 'DS-022: Deploy Diagnostic Settings for Event Hub to Log Analytics workspace.' $script:token $diagnosticSettingsId 'exists' $script:GlobalConfig_diagnosticSettingsAPIVersion $tests += New-ARTPolicyStateTestConfig 'DS-022: Diagnostic Settings Policy Must Be Compliant' $script:token $resourceId $diagSettingsPolicyAssignmentId 'Compliant' 'DS-022' -$tests += New-ARTResourceExistenceTestConfig 'PEDNS-007: Private DNS Record for Azure Container Registry PE must exist' $script:token $privateEndpointPrivateDNSZoneGroupId 'exists' $script:GlobalConfig_privateDNSZoneGroupAPIVersion +$tests += New-ARTResourceExistenceTestConfig 'PEDNS-007: Private DNS Record for Azure Event Hub PE must exist' $script:token $privateEndpointPrivateDNSZoneGroupId 'exists' $script:GlobalConfig_privateDNSZoneGroupAPIVersion $tests += New-ARTPolicyStateTestConfig 'PEDNS-007: Private DNS Record Policy Must Be Compliant' $script:token $privateEndpointResourceId $peDNSPolicyAssignmentId 'Compliant' 'PEDNS-007' #Deny policies (testing both positive and negative scenarios) diff --git a/tests/policy-integration-tests/postgresql/main.bad.bicep b/tests/policy-integration-tests/postgresql/main.bad.bicep index 96e3488..bad93db 100644 --- a/tests/policy-integration-tests/postgresql/main.bad.bicep +++ b/tests/policy-integration-tests/postgresql/main.bad.bicep 
@@ -113,7 +113,7 @@ resource virtualNetwork 'Microsoft.Network/virtualNetworks@2025-05-01' = { } } -resource postgresql 'Microsoft.DBforPostgreSQL/flexibleServers@2026-01-01-preview' = { +resource postgresql 'Microsoft.DBforPostgreSQL/flexibleServers@2025-12-01-preview' = { name: postgreSqlName location: location sku: { diff --git a/tests/policy-integration-tests/postgresql/main.good.bicep b/tests/policy-integration-tests/postgresql/main.good.bicep index 5fcc587..f326f09 100644 --- a/tests/policy-integration-tests/postgresql/main.good.bicep +++ b/tests/policy-integration-tests/postgresql/main.good.bicep @@ -110,7 +110,7 @@ resource virtualNetwork 'Microsoft.Network/virtualNetworks@2025-05-01' = { } } -resource postgresql 'Microsoft.DBforPostgreSQL/flexibleServers@2026-01-01-preview' = { +resource postgresql 'Microsoft.DBforPostgreSQL/flexibleServers@2025-12-01-preview' = { name: postgreSqlName location: location sku: {