From 287e366e7437d122c98549d77de65d42011d30a7 Mon Sep 17 00:00:00 2001 
From: Tao Yang
Date: Wed, 22 Apr 2026 17:33:51 +1000
Subject: [PATCH 01/46] udpate category and add cognitive service policy
---
 .../pol-audit-deny-sql-server-aad-auth.json | 2 +-
 ...audit-deny-sql-server-public-endpoint.json | 2 +-
 ...pol-audit-deny-sql-server-tls-version.json | 2 +-
 .../pol-audit-sql-advanced-data-security.json | 2 +-
 ...pol-audit-sql-server-private-endpoint.json | 2 +-
 .../pol-audit-sql-vuln-assessment.json | 2 +-
 ...deploy-sql-database-auditing-settings.json | 2 +-
 .../azure-sql/pol-deploy-sql-tde.json | 2 +-
 .../pol-restrict-cog-local-auth.json | 46 +++++++++++++++++++
 ...dit-acr-disable-public-network-access.json | 2 +-
 .../pol-audit-acr-encrypt-with-cmk.json | 2 +-
 .../pol-audit-acr-using-premium-sku.json | 2 +-
 ...eny-cdb-disable-public-network-access.json | 2 +-
 .../pol-audit-deny-cdb-encrypt-with-cmk.json | 2 +-
 ...l-audit-deny-cdb-firewall-rule-exists.json | 2 +-
 ...dit-deny-cdb-key-based-metadata-write.json | 2 +-
 .../pol-audit-deny-cdb-local-auth.json | 2 +-
 .../pol-audit-adx-private-endpoints.json | 2 +-
 .../pol-deny-adx-disk-encryption.json | 2 +-
 .../pol-deny-adx-double-encryption.json | 2 +-
 .../pol-deny-adx-encrypt-with-cmk.json | 2 +-
 .../pol-deny-adx-public-network-access.json | 2 +-
 .../pol-audit-adf-private-endpoints.json | 2 +-
 ...-audit-adf-use-git-for-source-control.json | 2 +-
 ...-linked-services-should-use-key-vault.json | 2 +-
 ...pol-deny-adf-ir-limit-number-of-cores.json | 2 +-
 ...ify-adf-disable-public-network-access.json | 2 +-
 ...eny-adb-cluster-public-network-access.json | 2 +-
 ...y-adb-workspace-public-network-access.json | 2 +-
 .../pol-deny-adb-workspace-sku.json | 4 +-
 .../pol-deny-adb-workspace-vnet.json | 2 +-
 .../pol-deploy-adb-private-dns-zones.json | 4 +-
 .../pol-deny-general-allowed-locations.json | 2 +-
 .../general/pol-deny-resource-provider.json | 2 +-
 .../general/pol-deny-resource-type.json | 2 +-
 ...ppend-kv-soft-delete-purge-protection.json | 2 +-
 ...l-audit-deny-kv-public-network-access.json | 2 +-
.../pol-enforce-kv-purge-protection.json | 2 +-
 .../pol-enforce-kv-rbac-authorization.json | 2 +-
 .../pol-audit-law-table-retention.json | 2 +-
 .../pol-allowed-service-tags-in-nsg-rule.json | 2 +-
 .../pol-deny-service-tag-in-nsg-rule.json | 2 +-
 .../pol-deny-service-tag-in-nsg.json | 2 +-
 ...eploy-nsg-flow-logs-traffic-analytics.json | 4 +-
 .../pol-deny-auto-approved-pe.json | 2 +-
 .../pol-restrict-cross-sub-pe.json | 2 +-
 .../pol-restrict-pe-group-id.json | 2 +-
 ...ords-multiple-dns-zones-all-locations.json | 2 +-
 ...ds-multiple-dns-zones-single-location.json | 2 +-
 ...records-single-dns-zone-all-locations.json | 2 +-
 ...cords-single-dns-zone-single-location.json | 2 +-
 ...single-zone-all-regions-match-groupid.json | 2 +-
 ...it-deny-purview-public-network-access.json | 2 +-
 .../pol-audit-purview-private-endpoint.json | 2 +-
 ...y-redis-disable-public-network-access.json | 2 +-
 ...-redis-enable-only-secure-connections.json | 2 +-
 ...dit-redis-configure-private-endpoints.json | 2 +-
 .../rsv/pol-audit-rsv-private-endpoint.json | 2 +-
 ...-audit-storage-account-cmk-encryption.json | 2 +-
 ...ount-should-prevent-shared-key-access.json | 2 +-
 ...storage-account-use-double-encryption.json | 2 +-
 ...y-storage-account-minimum-tls-version.json | 2 +-
 ...age-account-prevent-cross-tenant-repl.json | 2 +-
 ...-deny-storage-account-public-endpoint.json | 2 +-
 ...-account-restrict-allowed-copy-scopes.json | 2 +-
 ...ccount-restrict-virtual-network-rules.json | 2 +-
 ...-deny-storage-account-secure-transfer.json | 2 +-
 ...counts-should-restrict-network-access.json | 2 +-
 ...ge-account-advanced-threat-protection.json | 2 +-
 ...ploy-storage-account-blob-soft-delete.json | 2 +-
 ...pol-audit-deny-nic-with-ip-forwarding.json | 2 +-
 .../pol-audit-deny-nic-with-public-ip.json | 2 +-
 .../pol-audit-deny-vm-update-assessment.json | 2 +-
 ...-enable-adaptive-application-controls.json | 2 +-
 ...cing-vms-should-be-protected-with-nsg.json | 2 +-
 ...l-audit-vm-restrict-nsg-network-ports.json | 2 +-
...l-deny-vm-install-approved-extensions.json | 2 +-
 ...restrict-rdp-ssh-access-from-internet.json | 2 +-
 ...malware-extension-for-windows-servers.json | 2 +-
 .../pol-deploy-vm-shutdown-schedule.json | 2 +-
 .../pol-audit-nsg-on-subnet.json | 2 +-
 .../pol-deny-gateway-subnet-with-nsg.json | 2 +-
 .../vnet/pol-deny-subnet-without-nsg.json | 2 +-
 ...l-deny-app-traffic-via-public-network.json | 2 +-
 ...sallowed-easy-auth-identity-providers.json | 2 +-
 ...app-config-traffic-via-public-network.json | 2 +-
 ...-slots-app-traffic-via-public-network.json | 2 +-
 ...ots-config-traffic-via-public-network.json | 2 +-
 88 files changed, 136 insertions(+), 90 deletions(-)
 create mode 100644 policyDefinitions/cognitive-service/pol-restrict-cog-local-auth.json
 rename policyDefinitions/{network-security-group => vnet}/pol-audit-nsg-on-subnet.json (97%)
diff --git a/policyDefinitions/azure-sql/pol-audit-deny-sql-server-aad-auth.json b/policyDefinitions/azure-sql/pol-audit-deny-sql-server-aad-auth.json
index 25423da..afdfbc0 100644
--- a/policyDefinitions/azure-sql/pol-audit-deny-sql-server-aad-auth.json
+++ b/policyDefinitions/azure-sql/pol-audit-deny-sql-server-aad-auth.json
@@ -4,7 +4,7 @@
 "displayName": "Azure SQL Database should have Azure Active Directory Only Authentication enabled",
 "description": "Disabling local authentication methods and allowing only Azure Active Directory Authentication improves security by ensuring that Azure SQL Databases can exclusively be accessed by Azure Active Directory identities. Learn more at: aka.ms/adonlycreate.",
 "metadata": {
- "category": "Network Security",
+ "category": "Azure SQL",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false,
diff --git a/policyDefinitions/azure-sql/pol-audit-deny-sql-server-public-endpoint.json b/policyDefinitions/azure-sql/pol-audit-deny-sql-server-public-endpoint.json
index 8c8d475..c6e4f3c 100644
--- a/policyDefinitions/azure-sql/pol-audit-deny-sql-server-public-endpoint.json
+++ b/policyDefinitions/azure-sql/pol-audit-deny-sql-server-public-endpoint.json
@@ -4,7 +4,7 @@
 "displayName": "Public network access on Azure SQL Database should be disabled",
 "description": "Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules.",
 "metadata": {
- "category": "Network Security",
+ "category": "Azure SQL",
 "version": "1.1.0",
 "preview": false,
 "deprecated": false,
diff --git a/policyDefinitions/azure-sql/pol-audit-deny-sql-server-tls-version.json b/policyDefinitions/azure-sql/pol-audit-deny-sql-server-tls-version.json
index c351897..0fc835d 100644
--- a/policyDefinitions/azure-sql/pol-audit-deny-sql-server-tls-version.json
+++ b/policyDefinitions/azure-sql/pol-audit-deny-sql-server-tls-version.json
@@ -4,7 +4,7 @@
 "displayName": "Azure SQL Database should be running TLS version 1.2 or newer",
 "description": "Setting TLS version to 1.2 or newer improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2 or newer. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.",
 "metadata": {
- "category": "Application and Database security",
+ "category": "Azure SQL",
 "version": "2.0.0",
 "preview": false,
 "deprecated": false,
diff --git a/policyDefinitions/azure-sql/pol-audit-sql-advanced-data-security.json b/policyDefinitions/azure-sql/pol-audit-sql-advanced-data-security.json
index 61647ae..f059533 100644
--- a/policyDefinitions/azure-sql/pol-audit-sql-advanced-data-security.json
+++ b/policyDefinitions/azure-sql/pol-audit-sql-advanced-data-security.json
@@ -4,7 +4,7 @@
 "displayName": "Azure Defender for SQL should be enabled for unprotected Azure SQL servers",
 "description": "Audit SQL servers without Advanced Data Security",
 "metadata": {
- "category": "Application and Database security",
+ "category": "Azure SQL",
 "version": "2.0.1",
 "preview": false,
 "deprecated": false,
diff --git a/policyDefinitions/azure-sql/pol-audit-sql-server-private-endpoint.json b/policyDefinitions/azure-sql/pol-audit-sql-server-private-endpoint.json
index 4eae95f..485d015 100644
--- a/policyDefinitions/azure-sql/pol-audit-sql-server-private-endpoint.json
+++ b/policyDefinitions/azure-sql/pol-audit-sql-server-private-endpoint.json
@@ -4,7 +4,7 @@
 "displayName": "Private endpoint connections on Azure SQL Database should be enabled",
 "description": "Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database.",
 "metadata": {
- "category": "Network security",
+ "category": "Azure SQL",
 "version": "1.1.0",
 "preview": false,
 "deprecated": false,
diff --git a/policyDefinitions/azure-sql/pol-audit-sql-vuln-assessment.json b/policyDefinitions/azure-sql/pol-audit-sql-vuln-assessment.json
index a0b69a8..81fa169 100644
--- a/policyDefinitions/azure-sql/pol-audit-sql-vuln-assessment.json
+++ b/policyDefinitions/azure-sql/pol-audit-sql-vuln-assessment.json
@@ -4,7 +4,7 @@
 "displayName": "Vulnerability assessment should be enabled on your SQL servers",
 "description": "Audit Azure SQL servers which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.",
 "metadata": {
- "category": "Application and Database security",
+ "category": "Azure SQL",
 "version": "2.0.0",
 "preview": false,
 "deprecated": false,
diff --git a/policyDefinitions/azure-sql/pol-deploy-sql-database-auditing-settings.json b/policyDefinitions/azure-sql/pol-deploy-sql-database-auditing-settings.json
index 6830be5..873fdbb 100644
--- a/policyDefinitions/azure-sql/pol-deploy-sql-database-auditing-settings.json
+++ b/policyDefinitions/azure-sql/pol-deploy-sql-database-auditing-settings.json
@@ -4,7 +4,7 @@
 "displayName": "Deploy SQL database auditing settings",
 "description": "Deploy auditing settings to SQL Database when it not exist in the deployment.",
 "metadata": {
- "category": "Application and Database security",
+ "category": "Azure SQL",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false
diff --git a/policyDefinitions/azure-sql/pol-deploy-sql-tde.json b/policyDefinitions/azure-sql/pol-deploy-sql-tde.json
index 18dd831..eaa780d 100644
--- a/policyDefinitions/azure-sql/pol-deploy-sql-tde.json
+++ b/policyDefinitions/azure-sql/pol-deploy-sql-tde.json
@@ -4,7 +4,7 @@
 "displayName": "Deploy SQL Database Transparent Data Encryption",
 "description": "Deploy the Transparent Data Encryption when it is not enabled in the deployment.",
 "metadata": {
- "category": "Application and Database security",
+ "category": "Azure SQL",
 "version": "2.1.0",
 "preview": false,
 "deprecated": false,
diff --git a/policyDefinitions/cognitive-service/pol-restrict-cog-local-auth.json b/policyDefinitions/cognitive-service/pol-restrict-cog-local-auth.json
new file mode 100644
index 0000000..5ad76d0
--- /dev/null
+++ b/policyDefinitions/cognitive-service/pol-restrict-cog-local-auth.json
@@ -0,0 +1,46 @@
+{
+ "name": "pol-restrict-cog-local-auth",
+ "properties": {
+ "displayName": "Cognitive Services accounts should have local authentication methods disabled",
+ "description": "Disable local authentication methods so that your Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/cs/auth.",
+ "metadata": {
+ "category": "Cognitive Services",
+ "version": "1.0.0",
+ "preview": false,
+ "deprecated": false
+ },
+ "mode": "Indexed",
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.CognitiveServices/accounts"
+ },
+ {
+ "field": "Microsoft.CognitiveServices/accounts/disableLocalAuth",
+ "notEquals": true
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
diff --git a/policyDefinitions/container-registry/pol-audit-acr-disable-public-network-access.json b/policyDefinitions/container-registry/pol-audit-acr-disable-public-network-access.json
index 67adb37..3141cde 100644
--- a/policyDefinitions/container-registry/pol-audit-acr-disable-public-network-access.json
+++ b/policyDefinitions/container-registry/pol-audit-acr-disable-public-network-access.json
@@ -4,7 +4,7 @@
 "displayName": "Public network access should be disabled for Container registries",
 "description": "Disabling public network access improves security by ensuring that container registries are not exposed on the public internet. Creating private endpoints can limit exposure of container registry resources.",
 "metadata": {
- "category": "Network Security",
+ "category": "Container Registry",
 "version": "1.0.0",
 "preview": false,
 "deprecated": true,
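Review bot: The new file's effect parameter carries `"description": "Enable or disable the execution of the policy"`, which is the very wording this commit replaces in pol-deny-adb-workspace-sku.json and pol-deploy-adb-private-dns-zones.json; for consistency the new policy should ship with `"description": "The desired effect of the policy."` as well. The condition `"notEquals": true` on `Microsoft.CognitiveServices/accounts/disableLocalAuth` is also meant to catch deployments that omit the property altogether, which is the right default for a local-auth lockdown, but it depends on the engine evaluating a missing field as non-equal — worth confirming on a test assignment before leaning on the `"defaultValue": "Deny"`. Note too that with only Audit, Deny and Disabled as allowed values the policy never alters an existing account: pre-existing accounts with local auth enabled merely surface as non-compliant, so the description's "Disable local authentication methods" states the goal rather than what this definition does, and a remediation-capable variant would be a separate definition.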
diff --git a/policyDefinitions/container-registry/pol-audit-acr-encrypt-with-cmk.json b/policyDefinitions/container-registry/pol-audit-acr-encrypt-with-cmk.json
index a94ea9f..868da50 100644
--- a/policyDefinitions/container-registry/pol-audit-acr-encrypt-with-cmk.json
+++ b/policyDefinitions/container-registry/pol-audit-acr-encrypt-with-cmk.json
@@ -4,7 +4,7 @@
 "displayName": "Container registries should be encrypted with a customer-managed key",
 "description": "Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.",
 "metadata": {
- "category": "Network Security",
+ "category": "Container Registry",
 "version": "1.1.2",
 "preview": false,
 "deprecated": false,
diff --git a/policyDefinitions/container-registry/pol-audit-acr-using-premium-sku.json b/policyDefinitions/container-registry/pol-audit-acr-using-premium-sku.json
index aff39e6..d06682f 100644
--- a/policyDefinitions/container-registry/pol-audit-acr-using-premium-sku.json
+++ b/policyDefinitions/container-registry/pol-audit-acr-using-premium-sku.json
@@ -4,7 +4,7 @@
 "displayName": "Container registries should have SKUs that support Private Links",
 "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, data leakage risks are reduced. Learn more at: https://aka.ms/acr/private-link.",
 "metadata": {
- "category": "Network Security",
+ "category": "Container Registry",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false,
diff --git a/policyDefinitions/cosmos-db/pol-audit-deny-cdb-disable-public-network-access.json b/policyDefinitions/cosmos-db/pol-audit-deny-cdb-disable-public-network-access.json
index 36f11b0..a5cde03 100644
--- a/policyDefinitions/cosmos-db/pol-audit-deny-cdb-disable-public-network-access.json
+++ b/policyDefinitions/cosmos-db/pol-audit-deny-cdb-disable-public-network-access.json
@@ -4,7 +4,7 @@
 "displayName": "Azure Cosmos DB should disable public network access",
 "description": "Disabling public network access improves security by ensuring that your CosmosDB account isn't exposed on the public internet. Creating private endpoints can limit exposure of your CosmosDB account.",
 "metadata": {
- "category": "Network Security",
+ "category": "Cosmos DB",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false,
diff --git a/policyDefinitions/cosmos-db/pol-audit-deny-cdb-encrypt-with-cmk.json b/policyDefinitions/cosmos-db/pol-audit-deny-cdb-encrypt-with-cmk.json
index db4d615..edd73a7 100644
--- a/policyDefinitions/cosmos-db/pol-audit-deny-cdb-encrypt-with-cmk.json
+++ b/policyDefinitions/cosmos-db/pol-audit-deny-cdb-encrypt-with-cmk.json
@@ -4,7 +4,7 @@
 "displayName": "Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest",
 "description": "Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/cosmosdb-cmk.",
 "metadata": {
- "category": "Network Security",
+ "category": "Cosmos DB",
 "version": "1.1.0",
 "preview": false,
 "deprecated": false,
diff --git a/policyDefinitions/cosmos-db/pol-audit-deny-cdb-firewall-rule-exists.json b/policyDefinitions/cosmos-db/pol-audit-deny-cdb-firewall-rule-exists.json
index 1e4fedc..efc245f 100644
--- a/policyDefinitions/cosmos-db/pol-audit-deny-cdb-firewall-rule-exists.json
+++ b/policyDefinitions/cosmos-db/pol-audit-deny-cdb-firewall-rule-exists.json
@@ -4,7 +4,7 @@
 "displayName": "Azure Cosmos DB accounts should have firewall rules",
 "description": "Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant.",
 "metadata": {
- "category": "Network Security",
+ "category": "Cosmos DB",
 "version": "2.0.0",
 "preview": false,
 "deprecated": false,
diff --git a/policyDefinitions/cosmos-db/pol-audit-deny-cdb-key-based-metadata-write.json b/policyDefinitions/cosmos-db/pol-audit-deny-cdb-key-based-metadata-write.json
index da58771..16f6c68 100644
--- a/policyDefinitions/cosmos-db/pol-audit-deny-cdb-key-based-metadata-write.json
+++ b/policyDefinitions/cosmos-db/pol-audit-deny-cdb-key-based-metadata-write.json
@@ -4,7 +4,7 @@
 "displayName": "Azure Cosmos DB key based metadata write access should be disabled",
 "description": "This policy restricts Azure Cosmos DB accounts disable key based metadata write access.",
 "metadata": {
- "category": "Data Protection",
+ "category": "Cosmos DB",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false,
diff --git a/policyDefinitions/cosmos-db/pol-audit-deny-cdb-local-auth.json b/policyDefinitions/cosmos-db/pol-audit-deny-cdb-local-auth.json
index 8145ca8..e1e7ee8 100644
--- a/policyDefinitions/cosmos-db/pol-audit-deny-cdb-local-auth.json
+++ b/policyDefinitions/cosmos-db/pol-audit-deny-cdb-local-auth.json
@@ -4,7 +4,7 @@
 "displayName": "Cosmos DB database accounts should have local authentication methods disabled",
 "description": "Disabling local authentication methods improves security by ensuring that Cosmos DB database accounts exclusively require Azure Active Directory identities for authentication. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-setup-rbac#disable-local-auth.",
 "metadata": {
- "category": "Data Protection",
+ "category": "Cosmos DB",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false,
diff --git a/policyDefinitions/data-explorer/pol-audit-adx-private-endpoints.json b/policyDefinitions/data-explorer/pol-audit-adx-private-endpoints.json
index 57a7c22..1efed97 100644
--- a/policyDefinitions/data-explorer/pol-audit-adx-private-endpoints.json
+++ b/policyDefinitions/data-explorer/pol-audit-adx-private-endpoints.json
@@ -4,7 +4,7 @@
 "displayName": "Azure Data Explorer Cluster should use private link",
 "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Data Explorer cluster, data leakage risks are reduced. Learn more about private links at: https://learn.microsoft.com/en-us/azure/data-explorer/security-network-private-endpoint.",
 "metadata": {
- "category": "Network Security",
+ "category": "Data Explorer",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false,
diff --git a/policyDefinitions/data-explorer/pol-deny-adx-disk-encryption.json b/policyDefinitions/data-explorer/pol-deny-adx-disk-encryption.json
index 5decab3..c09699d 100644
--- a/policyDefinitions/data-explorer/pol-deny-adx-disk-encryption.json
+++ b/policyDefinitions/data-explorer/pol-deny-adx-disk-encryption.json
@@ -4,7 +4,7 @@
 "displayName": "Disk encryption should be enabled on Azure Data Explorer",
 "description": "Enabling disk encryption helps protect and safeguard your data to meet your organizational security and compliance commitments.",
 "metadata": {
- "category": "Data Protection",
+ "category": "Data Explorer",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false,
diff --git a/policyDefinitions/data-explorer/pol-deny-adx-double-encryption.json b/policyDefinitions/data-explorer/pol-deny-adx-double-encryption.json
index b865d4e..aeb9ceb 100644
--- a/policyDefinitions/data-explorer/pol-deny-adx-double-encryption.json
+++ b/policyDefinitions/data-explorer/pol-deny-adx-double-encryption.json
@@ -4,7 +4,7 @@
 "displayName": "Double encryption should be enabled on Azure Data Explorer",
 "description": "Enabling double encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. When double encryption has been enabled, data in the storage account is encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys.",
 "metadata": {
- "category": "Data Protection",
+ "category": "Data Explorer",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false,
diff --git a/policyDefinitions/data-explorer/pol-deny-adx-encrypt-with-cmk.json b/policyDefinitions/data-explorer/pol-deny-adx-encrypt-with-cmk.json
index aa67a97..09ad52e 100644
--- a/policyDefinitions/data-explorer/pol-deny-adx-encrypt-with-cmk.json
+++ b/policyDefinitions/data-explorer/pol-deny-adx-encrypt-with-cmk.json
@@ -4,7 +4,7 @@
 "displayName": "Azure Data Explorer encryption at rest should use a customer-managed key",
 "description": "Enabling encryption at rest using a customer-managed key on your Azure Data Explorer cluster provides additional control over the key being used by the encryption at rest. This feature is oftentimes applicable to customers with special compliance requirements and requires a Key Vault to managing the keys.",
 "metadata": {
- "category": "Data Protection",
+ "category": "Data Explorer",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false,
diff --git a/policyDefinitions/data-explorer/pol-deny-adx-public-network-access.json b/policyDefinitions/data-explorer/pol-deny-adx-public-network-access.json
index b376410..cfd2114 100644
--- a/policyDefinitions/data-explorer/pol-deny-adx-public-network-access.json
+++ b/policyDefinitions/data-explorer/pol-deny-adx-public-network-access.json
@@ -4,7 +4,7 @@
 "displayName": "Public network access on Azure Data Explorer should be disabled",
 "description": "Disabling the public network access property improves security by ensuring Azure Data Explorer can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules.",
 "metadata": {
- "category": "Network Security",
+ "category": "Data Explorer",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false,
diff --git a/policyDefinitions/data-factory/pol-audit-adf-private-endpoints.json b/policyDefinitions/data-factory/pol-audit-adf-private-endpoints.json
index 8923d9a..4007543 100644
--- a/policyDefinitions/data-factory/pol-audit-adf-private-endpoints.json
+++ b/policyDefinitions/data-factory/pol-audit-adf-private-endpoints.json
@@ -4,7 +4,7 @@
 "displayName": "Azure Data Factory should use private link",
 "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Data Factory, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link.",
 "metadata": {
- "category": "Network Security",
+ "category": "Data Factory",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false,
diff --git a/policyDefinitions/data-factory/pol-audit-adf-use-git-for-source-control.json b/policyDefinitions/data-factory/pol-audit-adf-use-git-for-source-control.json
index e6a0d34..3adf8e4 100644
--- a/policyDefinitions/data-factory/pol-audit-adf-use-git-for-source-control.json
+++ b/policyDefinitions/data-factory/pol-audit-adf-use-git-for-source-control.json
@@ -4,7 +4,7 @@
 "displayName": "Azure Data Factory should use a Git repository for source control",
 "description": "Enable source control on data factories, to gain capabilities such as change tracking, collaboration, continuous integration, and deployment.",
 "metadata": {
- "category": "Data Protection",
+ "category": "Data Factory",
 "version": "1.0.0-preview",
 "preview": true,
 "deprecated": false,
diff --git a/policyDefinitions/data-factory/pol-audit-deny-adf-linked-services-should-use-key-vault.json b/policyDefinitions/data-factory/pol-audit-deny-adf-linked-services-should-use-key-vault.json
index ad3c91a..20d1cd2 100644
--- a/policyDefinitions/data-factory/pol-audit-deny-adf-linked-services-should-use-key-vault.json
+++ b/policyDefinitions/data-factory/pol-audit-deny-adf-linked-services-should-use-key-vault.json
@@ -4,7 +4,7 @@
 "displayName": "Azure Data Factory linked services should use Key Vault for storing secrets",
 "description": "To ensure secrets (such as connection strings) are managed securely, require users to provide secrets using an Azure Key Vault instead of specifying them inline in linked services.",
 "metadata": {
- "category": "Data Protection",
+ "category": "Data Factory",
 "version": "1.0.0-preview",
 "preview": true,
 "deprecated": false,
diff --git a/policyDefinitions/data-factory/pol-deny-adf-ir-limit-number-of-cores.json b/policyDefinitions/data-factory/pol-deny-adf-ir-limit-number-of-cores.json
index 9a9a17a..775ad54 100644
--- a/policyDefinitions/data-factory/pol-deny-adf-ir-limit-number-of-cores.json
+++ b/policyDefinitions/data-factory/pol-deny-adf-ir-limit-number-of-cores.json
@@ -4,7 +4,7 @@
 "displayName": "Azure Data Factory integration runtime should have a limit for number of cores",
 "description": "To manage your resources and costs, limit the number of cores for an integration runtime.",
 "metadata": {
- "category": "Cost Management",
+ "category": "Data Factory",
 "version": "1.0.0-preview",
 "preview": true,
 "deprecated": false,
diff --git a/policyDefinitions/data-factory/pol-modify-adf-disable-public-network-access.json b/policyDefinitions/data-factory/pol-modify-adf-disable-public-network-access.json
index 9ac3049..0f0a991 100644
--- a/policyDefinitions/data-factory/pol-modify-adf-disable-public-network-access.json
+++ b/policyDefinitions/data-factory/pol-modify-adf-disable-public-network-access.json
@@ -4,7 +4,7 @@
 "displayName": "Configure Data Factories to disable public network access",
 "description": "Disable public network access for your Data Factory so that it is not accessible over the public internet. This can reduce data leakage risks.",
 "metadata": {
- "category": "Network Security",
+ "category": "Data Factory",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false,
diff --git a/policyDefinitions/databricks/pol-deny-adb-cluster-public-network-access.json b/policyDefinitions/databricks/pol-deny-adb-cluster-public-network-access.json
index fc1c0af..e7036c1 100644
--- a/policyDefinitions/databricks/pol-deny-adb-cluster-public-network-access.json
+++ b/policyDefinitions/databricks/pol-deny-adb-cluster-public-network-access.json
@@ -4,7 +4,7 @@
 "displayName": "Azure Databricks Clusters should disable public IP",
 "description": "Disabling public IP of clusters in Azure Databricks Workspaces improves security by ensuring that the clusters aren't exposed on the public internet. Learn more at: https://learn.microsoft.com/azure/databricks/security/secure-cluster-connectivity.",
 "metadata": {
- "category": "Network Security",
+ "category": "Databricks",
 "version": "1.0.1",
 "preview": false,
 "deprecated": false,
diff --git a/policyDefinitions/databricks/pol-deny-adb-workspace-public-network-access.json b/policyDefinitions/databricks/pol-deny-adb-workspace-public-network-access.json
index c84488b..c66c9bd 100644
--- a/policyDefinitions/databricks/pol-deny-adb-workspace-public-network-access.json
+++ b/policyDefinitions/databricks/pol-deny-adb-workspace-public-network-access.json
@@ -4,7 +4,7 @@
 "displayName": "Azure Databricks Workspaces should disable public network access",
 "description": "Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can control exposure of your resources by creating private endpoints instead. Learn more at: https://learn.microsoft.com/azure/databricks/administration-guide/cloud-configurations/azure/private-link.",
 "metadata": {
- "category": "Network Security",
+ "category": "Databricks",
 "version": "1.0.1",
 "preview": false,
 "deprecated": false,
diff --git a/policyDefinitions/databricks/pol-deny-adb-workspace-sku.json b/policyDefinitions/databricks/pol-deny-adb-workspace-sku.json
index 6ff5137..d30344b 100644
--- a/policyDefinitions/databricks/pol-deny-adb-workspace-sku.json
+++ b/policyDefinitions/databricks/pol-deny-adb-workspace-sku.json
@@ -4,7 +4,7 @@
 "displayName": "Azure Databricks workspaces should be Premium SKU that supports features like private link",
 "description": "Only allow Databricks workspace with Premium Sku that your organization can deploy to support features like Private Link, customer-managed key for encryption. Learn more at: https://aka.ms/adbpe.",
 "metadata": {
- "category": "Network Security",
+ "category": "Databricks",
 "version": "1.0.1",
 "preview": false,
 "deprecated": false,
@@ -16,7 +16,7 @@
 "type": "String",
 "metadata": {
 "displayName": "Effect",
- "description": "Enable or disable the execution of the audit policy"
+ "description": "The desired effect of the policy."
 },
 "allowedValues": [
 "Audit",
diff --git a/policyDefinitions/databricks/pol-deny-adb-workspace-vnet.json b/policyDefinitions/databricks/pol-deny-adb-workspace-vnet.json
index b32e469..d635b0e 100644
--- a/policyDefinitions/databricks/pol-deny-adb-workspace-vnet.json
+++ b/policyDefinitions/databricks/pol-deny-adb-workspace-vnet.json
@@ -4,7 +4,7 @@
 "displayName": "Azure Databricks Workspaces should be in a virtual network",
 "description": "Azure Virtual Networks provide enhanced security and isolation for your Azure Databricks Workspaces, as well as subnets, access control policies, and other features to further restrict access. Learn more at: https://docs.microsoft.com/azure/databricks/administration-guide/cloud-configurations/azure/vnet-inject.",
 "metadata": {
- "category": "Network Security",
+ "category": "Databricks",
 "version": "1.0.2",
 "preview": false,
 "deprecated": false,
diff --git a/policyDefinitions/databricks/pol-deploy-adb-private-dns-zones.json b/policyDefinitions/databricks/pol-deploy-adb-private-dns-zones.json
index ee13f9a..6bbf66c 100644
--- a/policyDefinitions/databricks/pol-deploy-adb-private-dns-zones.json
+++ b/policyDefinitions/databricks/pol-deploy-adb-private-dns-zones.json
@@ -4,7 +4,7 @@
 "displayName": "Configure Azure Databricks workspace to use private DNS zones",
 "description": "Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Databricks workspaces. Learn more at: https://aka.ms/adbpe.",
 "metadata": {
- "category": "Network Security",
+ "category": "Databricks",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false
@@ -36,7 +36,7 @@
 "type": "String",
 "metadata": {
 "displayName": "Effect",
- "description": "Enable or disable the execution of the policy"
+ "description": "The desired effect of the policy."
 },
 "allowedValues": [
 "DeployIfNotExists",
diff --git a/policyDefinitions/general/pol-deny-general-allowed-locations.json b/policyDefinitions/general/pol-deny-general-allowed-locations.json
index 0cde8bf..2ef2e34 100644
--- a/policyDefinitions/general/pol-deny-general-allowed-locations.json
+++ b/policyDefinitions/general/pol-deny-general-allowed-locations.json
@@ -4,7 +4,7 @@
 "displayName": "Allowed locations",
 "description": "This policy enables you to restrict the locations your organization can specify when deploying resources. Use to enforce your geo-compliance requirements. Excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources that use the 'global' region.",
 "metadata": {
- "category": "Identity and Access Management",
+ "category": "General",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false,
diff --git a/policyDefinitions/general/pol-deny-resource-provider.json b/policyDefinitions/general/pol-deny-resource-provider.json
index dc7469a..646431d 100644
--- a/policyDefinitions/general/pol-deny-resource-provider.json
+++ b/policyDefinitions/general/pol-deny-resource-provider.json
@@ -4,7 +4,7 @@
 "displayName": "Deny Resource Provider",
 "description": "This policy enables you to restrict all resources from a specific resource provider from being created.",
 "metadata": {
- "category": "Asset Management",
+ "category": "General",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false
diff --git a/policyDefinitions/general/pol-deny-resource-type.json b/policyDefinitions/general/pol-deny-resource-type.json
index 23afedd..32cc8e8 100644
--- a/policyDefinitions/general/pol-deny-resource-type.json
+++ b/policyDefinitions/general/pol-deny-resource-type.json
@@ -4,7 +4,7 @@
 "displayName": "Deny Resource Type",
 "description": "This policy enables you to restrict a specific type of resource from being created.",
 "metadata": {
- "category": "Asset Management",
+ "category": "General",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false
diff --git a/policyDefinitions/key-vault/pol-append-kv-soft-delete-purge-protection.json b/policyDefinitions/key-vault/pol-append-kv-soft-delete-purge-protection.json
index fbec811..6a0cda0 100644
--- a/policyDefinitions/key-vault/pol-append-kv-soft-delete-purge-protection.json
+++ b/policyDefinitions/key-vault/pol-append-kv-soft-delete-purge-protection.json
@@ -4,7 +4,7 @@
 "displayName": "Automatically enable Key vault Soft-Delete and Purge Protection",
 "description": "This policy automatically enables Soft-Delete and Purge Protection for the Azure Key Vault if not already enabled.",
 "metadata": {
- "category": "Data Protection",
+ "category": "Key Vault",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false
diff --git a/policyDefinitions/key-vault/pol-audit-deny-kv-public-network-access.json b/policyDefinitions/key-vault/pol-audit-deny-kv-public-network-access.json
index d8e9b95..7911f5c 100644
--- a/policyDefinitions/key-vault/pol-audit-deny-kv-public-network-access.json
+++ b/policyDefinitions/key-vault/pol-audit-deny-kv-public-network-access.json
@@ -4,7 +4,7 @@
 "displayName": "Azure Key Vault should disable public network access",
 "description": "Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks.",
 "metadata": {
- "category": "Network Security",
+ "category": "Key Vault",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false,
diff --git a/policyDefinitions/key-vault/pol-enforce-kv-purge-protection.json b/policyDefinitions/key-vault/pol-enforce-kv-purge-protection.json
index 9a3ed3c..ebef1fc 100644
--- a/policyDefinitions/key-vault/pol-enforce-kv-purge-protection.json
+++ b/policyDefinitions/key-vault/pol-enforce-kv-purge-protection.json
@@ -4,7 +4,7 @@
 "displayName": "Key vaults should have purge protection enabled",
 "description": "Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period.",
 "metadata": {
- "category": "Identity and Access management",
+ "category": "Key Vault",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false,
diff --git a/policyDefinitions/key-vault/pol-enforce-kv-rbac-authorization.json b/policyDefinitions/key-vault/pol-enforce-kv-rbac-authorization.json
index 0a2a165..ddae62d 100644
--- a/policyDefinitions/key-vault/pol-enforce-kv-rbac-authorization.json
+++ b/policyDefinitions/key-vault/pol-enforce-kv-rbac-authorization.json
@@ -4,7 +4,7 @@
 "displayName": "Azure Key Vault should use RBAC permission model",
 "description": "Enable RBAC permission model across Key Vaults. Learn more at: https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-migration",
 "metadata": {
- "category": "Identity and Access management",
+ "category": "Key Vault",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false,
diff --git a/policyDefinitions/log-analytics/pol-audit-law-table-retention.json b/policyDefinitions/log-analytics/pol-audit-law-table-retention.json
index 40f3f64..a63471f 100644
--- a/policyDefinitions/log-analytics/pol-audit-law-table-retention.json
+++ b/policyDefinitions/log-analytics/pol-audit-law-table-retention.json
@@ -4,7 +4,7 @@
 "displayName": "Audit Log Analytics workspace table retention",
 "description": "Audit the minimum data retention for Log Analytics tables.",
 "metadata": {
- "category": "Data Protection",
+ "category": "Log Analytics",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false
diff --git a/policyDefinitions/network-security-group/pol-allowed-service-tags-in-nsg-rule.json b/policyDefinitions/network-security-group/pol-allowed-service-tags-in-nsg-rule.json
index 9c041b0..898f0fb 100644
--- a/policyDefinitions/network-security-group/pol-allowed-service-tags-in-nsg-rule.json
+++ b/policyDefinitions/network-security-group/pol-allowed-service-tags-in-nsg-rule.json
@@ -5,7 +5,7 @@
 "mode": "All",
 "description": "This policy restrict the use of disallowed service tags in Network Security Group Security Rules.",
 "metadata": {
- "category": "Network Security",
+ "category": "Network Security Group",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false
diff --git a/policyDefinitions/network-security-group/pol-deny-service-tag-in-nsg-rule.json b/policyDefinitions/network-security-group/pol-deny-service-tag-in-nsg-rule.json
index 132d701..14e3bed 100644
--- a/policyDefinitions/network-security-group/pol-deny-service-tag-in-nsg-rule.json
+++ b/policyDefinitions/network-security-group/pol-deny-service-tag-in-nsg-rule.json
@@ -5,7 +5,7 @@
 "mode": "All",
 "description": "This policy restricts the use of specific service tag in NSG rules",
 "metadata": {
- "category": "Network Security",
+ "category": "Network Security Group",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false
diff --git a/policyDefinitions/network-security-group/pol-deny-service-tag-in-nsg.json b/policyDefinitions/network-security-group/pol-deny-service-tag-in-nsg.json
index 328b75d..e395188 100644
--- a/policyDefinitions/network-security-group/pol-deny-service-tag-in-nsg.json
+++ b/policyDefinitions/network-security-group/pol-deny-service-tag-in-nsg.json
@@ -5,7 +5,7 @@
 "mode": "All",
 "description": "This policy deny's the use of specific service tag in NSG rules",
 "metadata": {
- "category": "Network Security",
+ "category": "Network Security Group",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false
diff --git a/policyDefinitions/network-security-group/pol-deploy-nsg-flow-logs-traffic-analytics.json b/policyDefinitions/network-security-group/pol-deploy-nsg-flow-logs-traffic-analytics.json
index 7c29169..7c02e3b 100644
--- a/policyDefinitions/network-security-group/pol-deploy-nsg-flow-logs-traffic-analytics.json
+++ b/policyDefinitions/network-security-group/pol-deploy-nsg-flow-logs-traffic-analytics.json
@@ -1,13 +1,13 @@
 {
 "name": "pol-deploy-nsg-flow-logs-traffic-analytics",
 "properties": {
- "displayName": "Configure network security groups to enable traffic analytics",
+ "displayName": "[Deprecated] Configure network security groups to enable traffic analytics",
 "description": "Traffic analytics can be enabled for all network security groups hosted in a particular region with the settings provided during policy creation. If it already has Traffic analytics enabled, then policy does not overwrite its settings. Flow Logs are also enabled for the Network security groups that do not have it. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks.",
 "metadata": {
 "category": "Logging and monitoring",
 "version": "1.0.0",
 "preview": false,
- "deprecated": false,
+ "deprecated": true,
 "source_builtIn_name": "e920df7f-9a64-4066-9b58-52684c02a091"
 },
 "mode": "Indexed",
diff --git a/policyDefinitions/private-endpoint/pol-deny-auto-approved-pe.json b/policyDefinitions/private-endpoint/pol-deny-auto-approved-pe.json
index c6e0d33..e75e132 100644
--- a/policyDefinitions/private-endpoint/pol-deny-auto-approved-pe.json
+++ b/policyDefinitions/private-endpoint/pol-deny-auto-approved-pe.json
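Review bot: The definition is flagged `"deprecated": true` and its displayName gains a `[Deprecated]` prefix, but `"version": "1.0.0"` and the description are left untouched, so anyone assigning it by name gets neither a version signal that its status changed nor a pointer to what replaces it. The convention for retiring an Azure Policy definition is to bump the version with a deprecation suffix and open the description with the reason and the successor, e.g. `"version": "1.0.0-deprecated",` plus a leading sentence in `"description"` naming the replacement definition. That matters here because this is the policy that turns on NSG flow logs and Traffic Analytics — a network visibility control — and deprecating it without naming a replacement (presumably a virtual-network flow logs definition, though the commit does not say) silently drops that coverage for new assignments. The sibling NSG definitions in this commit also move to `"category": "Network Security Group"` while this one stays on `"Logging and monitoring"`; if that is deliberate for a deprecated item, it is worth a word in the commit message.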
@@ -4,7 +4,7 @@
 "displayName": "Restrict Automatically Approved Private Endpoints for a resource type",
 "description": "When creating a Private Endpoint for a selected resource type, the Private Endpoint must be configured for manual approval.",
 "metadata": {
- "category": "Network Security",
+ "category": "Private Endpoint",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false
diff --git a/policyDefinitions/private-endpoint/pol-restrict-cross-sub-pe.json b/policyDefinitions/private-endpoint/pol-restrict-cross-sub-pe.json
index 0eb0af2..87a8cf0 100644
--- a/policyDefinitions/private-endpoint/pol-restrict-cross-sub-pe.json
+++ b/policyDefinitions/private-endpoint/pol-restrict-cross-sub-pe.json
@@ -5,7 +5,7 @@
 "description": "This policy restrict cross-subscription Private Endpoints except for the service aliases or resource Ids from the approved list.",
 "mode": "Indexed",
 "metadata": {
- "category": "Network Security",
+ "category": "Private Endpoint",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false
diff --git a/policyDefinitions/private-endpoint/pol-restrict-pe-group-id.json b/policyDefinitions/private-endpoint/pol-restrict-pe-group-id.json
index 9332896..c1ba9ef 100644
--- a/policyDefinitions/private-endpoint/pol-restrict-pe-group-id.json
+++ b/policyDefinitions/private-endpoint/pol-restrict-pe-group-id.json
@@ -5,7 +5,7 @@
 "mode": "Indexed",
 "description": "This policy deny's the use of specific Group Id in Private Endpoints",
 "metadata": {
- "category": "Network Security",
+ "category": "Private Endpoint",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false
diff --git a/policyDefinitions/private-endpoints-dns-registration/pol-deploy-pe-dns-records-multiple-dns-zones-all-locations.json b/policyDefinitions/private-endpoints-dns-registration/pol-deploy-pe-dns-records-multiple-dns-zones-all-locations.json
index 6fd903e..e19b443 100644
--- a/policyDefinitions/private-endpoints-dns-registration/pol-deploy-pe-dns-records-multiple-dns-zones-all-locations.json
+++ b/policyDefinitions/private-endpoints-dns-registration/pol-deploy-pe-dns-records-multiple-dns-zones-all-locations.json
@@ -4,7 +4,7 @@
 "displayName": "Configure Private Endpoints to use Private DNS Zones (Multiple DNS Zones All Locations)",
 "description": "This policy creates a Private DNS Group link for a Azure PaaS Private Endpoint Resource that requires DNS records in multiple Private DNS zones.",
 "metadata": {
- "category": "Network Security",
+ "category": "Private Endpoint",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false
diff --git a/policyDefinitions/private-endpoints-dns-registration/pol-deploy-pe-dns-records-multiple-dns-zones-single-location.json b/policyDefinitions/private-endpoints-dns-registration/pol-deploy-pe-dns-records-multiple-dns-zones-single-location.json
index 7d54256..026e8f3 100644
--- a/policyDefinitions/private-endpoints-dns-registration/pol-deploy-pe-dns-records-multiple-dns-zones-single-location.json
+++ b/policyDefinitions/private-endpoints-dns-registration/pol-deploy-pe-dns-records-multiple-dns-zones-single-location.json
@@ -4,7 +4,7 @@
 "displayName": "Configure Private Endpoints to use Private DNS Zones (Multiple DNS Zones Single Location)",
 "description": "This policy creates a Private DNS Group link for a Azure PaaS Private Endpoint Resource that requires DNS records in multiple Private DNS zones.",
 "metadata": {
- "category": "Network Security",
+ "category": "Private Endpoint",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false
diff --git a/policyDefinitions/private-endpoints-dns-registration/pol-deploy-pe-dns-records-single-dns-zone-all-locations.json b/policyDefinitions/private-endpoints-dns-registration/pol-deploy-pe-dns-records-single-dns-zone-all-locations.json
index 50eaf53..7290c2d 100644
--- a/policyDefinitions/private-endpoints-dns-registration/pol-deploy-pe-dns-records-single-dns-zone-all-locations.json
+++ b/policyDefinitions/private-endpoints-dns-registration/pol-deploy-pe-dns-records-single-dns-zone-all-locations.json
@@ -4,7 +4,7 @@
 "displayName": "Configure Private Endpoints to use Private DNS Zones (Single DNS Zone All Locations)",
 "description": "This policy creates a Private DNS Group link for a Azure PaaS Private Endpoint Resource that requires a DNS record in a single Private DNS zone.",
 "metadata": {
- "category": "Network Security",
+ "category": "Private Endpoint",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false
diff --git a/policyDefinitions/private-endpoints-dns-registration/pol-deploy-pe-dns-records-single-dns-zone-single-location.json b/policyDefinitions/private-endpoints-dns-registration/pol-deploy-pe-dns-records-single-dns-zone-single-location.json
index 85f5632..d1b5bb3 100644
--- a/policyDefinitions/private-endpoints-dns-registration/pol-deploy-pe-dns-records-single-dns-zone-single-location.json
+++ b/policyDefinitions/private-endpoints-dns-registration/pol-deploy-pe-dns-records-single-dns-zone-single-location.json
@@ -4,7 +4,7 @@
 "displayName": "Configure Private Endpoints to use Private DNS Zones (Single DNS Zone Single Location)",
 "description": "This policy creates a Private DNS Group link for a Azure PaaS Private Endpoint Resource that requires a DNS record in a single location-specific Private DNS zone.",
 "metadata": {
- "category": "Network Security",
+ "category": "Private Endpoint",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false
diff --git a/policyDefinitions/private-endpoints-dns-registration/pol-deploy-pe-dns-records-single-zone-all-regions-match-groupid.json b/policyDefinitions/private-endpoints-dns-registration/pol-deploy-pe-dns-records-single-zone-all-regions-match-groupid.json
index 7f528d4..a852a0d 100644
--- a/policyDefinitions/private-endpoints-dns-registration/pol-deploy-pe-dns-records-single-zone-all-regions-match-groupid.json
+++ b/policyDefinitions/private-endpoints-dns-registration/pol-deploy-pe-dns-records-single-zone-all-regions-match-groupid.json
@@ -4,7 +4,7 @@
 "displayName": "Configure Private Endpoints to use Private DNS Zones (Single DNS Zone All Regions with Wildcard Group ID Match)",
 "description": "This policy creates a Private DNS Group link for a Azure PaaS Private Endpoint Resource that requires a DNS record in a single Private DNS zone with Wildcard Group ID Match.",
 "metadata": {
- "category": "Network Security",
+ "category": "Private Endpoint",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false
diff --git a/policyDefinitions/purview/pol-audit-deny-purview-public-network-access.json b/policyDefinitions/purview/pol-audit-deny-purview-public-network-access.json
index 9567a9a..fb67c3a 100644
--- a/policyDefinitions/purview/pol-audit-deny-purview-public-network-access.json
+++ b/policyDefinitions/purview/pol-audit-deny-purview-public-network-access.json
@@ -4,7 +4,7 @@
 "displayName": "Azure Purview Accounts should disable public network access",
 "description": "Disable public network access for your Azure Purview Accounts so that it's not accessible over the public internet. This can reduce data leakage risks",
 "metadata": {
- "category": "Network Security",
+ "category": "Purview",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false
diff --git a/policyDefinitions/purview/pol-audit-purview-private-endpoint.json b/policyDefinitions/purview/pol-audit-purview-private-endpoint.json
index 3507bbf..811d21f 100644
--- a/policyDefinitions/purview/pol-audit-purview-private-endpoint.json
+++ b/policyDefinitions/purview/pol-audit-purview-private-endpoint.json
@@ -4,7 +4,7 @@
 "displayName": "Azure Purview accounts should use private link",
 "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Purview accounts instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/purview-private-link.",
 "metadata": {
- "category": "Network security",
+ "category": "Purview",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false,
diff --git a/policyDefinitions/redis-cache/pol-audit-deny-redis-disable-public-network-access.json b/policyDefinitions/redis-cache/pol-audit-deny-redis-disable-public-network-access.json
index 435e089..4e7f5be 100644
--- a/policyDefinitions/redis-cache/pol-audit-deny-redis-disable-public-network-access.json
+++ b/policyDefinitions/redis-cache/pol-audit-deny-redis-disable-public-network-access.json
@@ -4,7 +4,7 @@
 "displayName": "Azure Cache for Redis should disable public network access",
 "description": "Disabling public network access improves security by ensuring that the Azure Cache for Redis isn't exposed on the public internet. You can limit exposure of your Azure Cache for Redis by creating private endpoints instead.",
 "metadata": {
- "category": "Network Security",
+ "category": "Redis Cache",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false,
diff --git a/policyDefinitions/redis-cache/pol-audit-deny-redis-enable-only-secure-connections.json b/policyDefinitions/redis-cache/pol-audit-deny-redis-enable-only-secure-connections.json
index b4c23ba..a99fa4a 100644
--- a/policyDefinitions/redis-cache/pol-audit-deny-redis-enable-only-secure-connections.json
+++ b/policyDefinitions/redis-cache/pol-audit-deny-redis-enable-only-secure-connections.json
@@ -4,7 +4,7 @@
 "displayName": "Only secure connections to your Azure Cache for Redis should be enabled",
 "description": "Deny connections to Azure Cache for Redis if not via SSL. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.",
 "metadata": {
- "category": "Data Protection",
+ "category": "Redis Cache",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false,
diff --git a/policyDefinitions/redis-cache/pol-audit-redis-configure-private-endpoints.json b/policyDefinitions/redis-cache/pol-audit-redis-configure-private-endpoints.json
index 957b179..32562d6 100644
--- a/policyDefinitions/redis-cache/pol-audit-redis-configure-private-endpoints.json
+++ b/policyDefinitions/redis-cache/pol-audit-redis-configure-private-endpoints.json
@@ -4,7 +4,7 @@
 "displayName": "Azure Cache for Redis should use private link",
 "description": "Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link.",
 "metadata": {
- "category": "Network Security",
+ "category": "Redis Cache",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false,
diff --git a/policyDefinitions/rsv/pol-audit-rsv-private-endpoint.json b/policyDefinitions/rsv/pol-audit-rsv-private-endpoint.json
index 53a4297..6e95014 100644
--- a/policyDefinitions/rsv/pol-audit-rsv-private-endpoint.json
+++ b/policyDefinitions/rsv/pol-audit-rsv-private-endpoint.json
@@ -4,7 +4,7 @@
 "displayName": "Azure Recovery Services vaults should use private link for backup",
 "description": "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Recovery Services vaults, data leakage risks are reduced. Learn more about private links at: https://aka.ms/AB-PrivateEndpoints.",
 "metadata": {
- "category": "Network security",
+ "category": "Recovery Services Vault",
 "version": "2.0.0",
 "preview": false,
 "deprecated": false,
diff --git a/policyDefinitions/storage-account/pol-audit-storage-account-cmk-encryption.json b/policyDefinitions/storage-account/pol-audit-storage-account-cmk-encryption.json
index c1f0594..805cde2 100644
--- a/policyDefinitions/storage-account/pol-audit-storage-account-cmk-encryption.json
+++ b/policyDefinitions/storage-account/pol-audit-storage-account-cmk-encryption.json
@@ -4,7 +4,7 @@
 "displayName": "Storage accounts should use customer-managed key for encryption",
 "description": "TSecure your blob and file storage account with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data",
 "metadata": {
- "category": "Data Protection",
+ "category": "Storage Account",
 "version": "1.0.3",
 "preview": false,
 "deprecated": false,
diff --git a/policyDefinitions/storage-account/pol-audit-storage-account-should-prevent-shared-key-access.json b/policyDefinitions/storage-account/pol-audit-storage-account-should-prevent-shared-key-access.json
index c123c57..64472b5 100644
--- a/policyDefinitions/storage-account/pol-audit-storage-account-should-prevent-shared-key-access.json
+++ b/policyDefinitions/storage-account/pol-audit-storage-account-should-prevent-shared-key-access.json
@@ -4,7 +4,7 @@
 "displayName": "Storage accounts should prevent shared key access",
 "description": "Audit requirement of Azure Active Directory (Azure AD) to authorize requests for your storage account. By default, requests can be authorized with either Azure Active Directory credentials, or by using the account access key for Shared Key authorization. Of these two types of authorization, Azure AD provides superior security and ease of use over Shared Key, and is recommended by Microsoft.",
 "metadata": {
- "category": "Network Security",
+ "category": "Storage Account",
 "version": "1.1.1",
 "preview": false,
 "deprecated": false,
diff --git a/policyDefinitions/storage-account/pol-audit-storage-account-use-double-encryption.json b/policyDefinitions/storage-account/pol-audit-storage-account-use-double-encryption.json
index fb00577..9bd53e6 100644
--- a/policyDefinitions/storage-account/pol-audit-storage-account-use-double-encryption.json
+++ b/policyDefinitions/storage-account/pol-audit-storage-account-use-double-encryption.json
@@ -4,7 +4,7 @@
 "displayName": "Storage account encryption scopes should use double encryption for data at rest",
 "description": "Enable infrastructure encryption for encryption at rest of your storage account encryption scopes for added security. Infrastructure encryption ensures that your data is encrypted twice.",
 "metadata": {
- "category": "Data Protection",
+ "category": "Storage Account",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false,
diff --git a/policyDefinitions/storage-account/pol-deny-storage-account-minimum-tls-version.json b/policyDefinitions/storage-account/pol-deny-storage-account-minimum-tls-version.json
index ed86d5f..ef1d1db 100644
--- a/policyDefinitions/storage-account/pol-deny-storage-account-minimum-tls-version.json
+++ b/policyDefinitions/storage-account/pol-deny-storage-account-minimum-tls-version.json
@@ -4,7 +4,7 @@
 "displayName": "Storage accounts should have the specified minimum TLS version",
 "description": "Configure a minimum TLS version for secure communication between the client application and the storage account. To minimize security risk, the recommended minimum TLS version is the latest released version, which is currently TLS 1.2.",
 "metadata": {
- "category": "Network Security",
+ "category": "Storage Account",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false,
diff --git a/policyDefinitions/storage-account/pol-deny-storage-account-prevent-cross-tenant-repl.json b/policyDefinitions/storage-account/pol-deny-storage-account-prevent-cross-tenant-repl.json
index 055e0f7..e85753c 100644
--- a/policyDefinitions/storage-account/pol-deny-storage-account-prevent-cross-tenant-repl.json
+++ b/policyDefinitions/storage-account/pol-deny-storage-account-prevent-cross-tenant-repl.json
@@ -4,7 +4,7 @@
 "displayName": "Storage accounts should prevent cross tenant object replication",
 "description": "Audit restriction of object replication for your storage account. By default, users can configure object replication with a source storage account in one Azure AD tenant and a destination account in a different tenant. It is a security concern because customer's data can be replicated to a storage account that is owned by the customer. By setting allowCrossTenantReplication to false, objects replication can be configured only if both source and destination accounts are in the same Azure AD tenant.",
 "metadata": {
- "category": "Data Protection",
+ "category": "Storage Account",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false,
diff --git a/policyDefinitions/storage-account/pol-deny-storage-account-public-endpoint.json b/policyDefinitions/storage-account/pol-deny-storage-account-public-endpoint.json
index 2c00033..ed20755 100644
--- a/policyDefinitions/storage-account/pol-deny-storage-account-public-endpoint.json
+++ b/policyDefinitions/storage-account/pol-deny-storage-account-public-endpoint.json
@@ -4,7 +4,7 @@
 "displayName": "Restrict Storage Account with public network access",
 "description": "This policy audits or denies creation of Storage Accounts that allows public network access. To be compliant with this policy, the minimum ARM API version for the 'Microsoft.storage/storageAccounts' must be 2021-06-01 or higher.",
 "metadata": {
- "category": "Network Security",
+ "category": "Storage Account",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false
diff --git a/policyDefinitions/storage-account/pol-deny-storage-account-restrict-allowed-copy-scopes.json b/policyDefinitions/storage-account/pol-deny-storage-account-restrict-allowed-copy-scopes.json
index 42999b5..98e4f44 100644
--- a/policyDefinitions/storage-account/pol-deny-storage-account-restrict-allowed-copy-scopes.json
+++ b/policyDefinitions/storage-account/pol-deny-storage-account-restrict-allowed-copy-scopes.json
@@ -4,7 +4,7 @@
 "displayName": "Storage accounts should prevent permitted copy scopes from any storage accounts",
 "description": "Restrict copy operations from source storage accounts that are within the same Microsoft Entra tenant or that have a private link to the same virtual network as this storage account.",
 "metadata": {
- "category": "Data Protection",
+ "category": "Storage Account",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false,
diff --git a/policyDefinitions/storage-account/pol-deny-storage-account-restrict-virtual-network-rules.json b/policyDefinitions/storage-account/pol-deny-storage-account-restrict-virtual-network-rules.json
index 95e231f..6d3f9d4 100644
--- a/policyDefinitions/storage-account/pol-deny-storage-account-restrict-virtual-network-rules.json
+++ b/policyDefinitions/storage-account/pol-deny-storage-account-restrict-virtual-network-rules.json
@@ -4,7 +4,7 @@
 "displayName": "Storage accounts should restrict network access using virtual network rules",
 "description": "Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.",
 "metadata": {
- "category": "Network Security",
+ "category": "Storage Account",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false,
diff --git a/policyDefinitions/storage-account/pol-deny-storage-account-secure-transfer.json b/policyDefinitions/storage-account/pol-deny-storage-account-secure-transfer.json
index e580d50..36dcb66 100644
--- a/policyDefinitions/storage-account/pol-deny-storage-account-secure-transfer.json
+++ b/policyDefinitions/storage-account/pol-deny-storage-account-secure-transfer.json
@@ -4,7 +4,7 @@
 "displayName": "Secure transfer to storage accounts should be enabled",
 "description": "Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking. Premium File Storage is excluded from this policy since NFS Shares require secure transfers to be disabled.",
 "metadata": {
- "category": "Network Security",
+ "category": "Storage Account",
 "version": "1.0.0",
 "preview": false,
 "deprecated": true,
diff --git a/policyDefinitions/storage-account/pol-deny-storage-accounts-should-restrict-network-access.json b/policyDefinitions/storage-account/pol-deny-storage-accounts-should-restrict-network-access.json
index 75a56d1..fb2fa9e 100644
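Review bot: In the secure-transfer hunk `"deprecated": true,` is already set (context line), yet the displayName still reads `Secure transfer to storage accounts should be enabled` without the `[Deprecated]` prefix this same commit adds to the NSG Traffic Analytics definition, so the repo's two deprecated definitions now present differently in the portal and to any tooling that keys on the prefix. Mirror the other change: `"displayName": "[Deprecated] Secure transfer to storage accounts should be enabled",`. Because HTTPS-only transfer is a baseline data-in-transit control, the description should also say what supersedes this definition (the folder's minimum-TLS-version policy, if that is the intent — the diff does not say) so that assignments dropping it do not leave the control uncovered.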
--- a/policyDefinitions/storage-account/pol-deny-storage-accounts-should-restrict-network-access.json
+++ b/policyDefinitions/storage-account/pol-deny-storage-accounts-should-restrict-network-access.json
@@ -4,7 +4,7 @@
 "displayName": "Storage accounts should restrict network access",
 "description": "Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.",
 "metadata": {
- "category": "Network Security",
+ "category": "Storage Account",
 "version": "1.1.1",
 "preview": false,
 "deprecated": false,
diff --git a/policyDefinitions/storage-account/pol-deploy-storage-account-advanced-threat-protection.json b/policyDefinitions/storage-account/pol-deploy-storage-account-advanced-threat-protection.json
index f02bd9c..261f39a 100644
--- a/policyDefinitions/storage-account/pol-deploy-storage-account-advanced-threat-protection.json
+++ b/policyDefinitions/storage-account/pol-deploy-storage-account-advanced-threat-protection.json
@@ -4,7 +4,7 @@
 "displayName": "Deploy Advanced Threat Protection on storage accounts",
 "description": "This policy enables Advanced Threat Protection on storage accounts.",
 "metadata": {
- "category": "Threat and Vulnerability Management",
+ "category": "Storage Account",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false,
diff --git a/policyDefinitions/storage-account/pol-deploy-storage-account-blob-soft-delete.json b/policyDefinitions/storage-account/pol-deploy-storage-account-blob-soft-delete.json
index c8109bb..c32a9b1 100644
--- a/policyDefinitions/storage-account/pol-deploy-storage-account-blob-soft-delete.json
+++ b/policyDefinitions/storage-account/pol-deploy-storage-account-blob-soft-delete.json
@@ -4,7 +4,7 @@
 "displayName": "Deploy Storage Account Blob Service Soft Delete",
 "description": "This policy enables soft delete for Storage Account Blob Service.",
 "metadata": {
- "category": "Data Protection",
+ "category": "Storage Account",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false
diff --git a/policyDefinitions/virtual-machine/pol-audit-deny-nic-with-ip-forwarding.json b/policyDefinitions/virtual-machine/pol-audit-deny-nic-with-ip-forwarding.json
index a1d9378..4f63dc2 100644
--- a/policyDefinitions/virtual-machine/pol-audit-deny-nic-with-ip-forwarding.json
+++ b/policyDefinitions/virtual-machine/pol-audit-deny-nic-with-ip-forwarding.json
@@ -4,7 +4,7 @@
 "displayName": "Network interfaces should disable IP forwarding",
 "description": "This policy audits or denies the network interfaces which enabled IP forwarding. The setting of IP forwarding disables Azure's check of the source and destination for a network interface. This should be reviewed by the network security team.",
 "metadata": {
- "category": "Network Security",
+ "category": "Compute",
 "version": "1.0.0",
 "preview": false,
 "deprecated": false,
diff --git a/policyDefinitions/virtual-machine/pol-audit-deny-nic-with-public-ip.json b/policyDefinitions/virtual-machine/pol-audit-deny-nic-with-public-ip.json
index 1b89b47..b8653c1 100644
--- a/policyDefinitions/virtual-machine/pol-audit-deny-nic-with-public-ip.json
+++ b/policyDefinitions/virtual-machine/pol-audit-deny-nic-with-public-ip.json
@@ -4,7 +4,7 @@ "displayName": "Network interfaces should not have public IPs", "description": "This policy audits or denies the network interfaces which are configured with any public IP. Public IP addresses allow internet resources to communicate inbound to Azure resources, and Azure resources to communicate outbound to the internet. This should be reviewed by the network security team.", "metadata": { - "category": "Network Security", + "category": "Compute", "version": "1.0.0", "preview": false, "deprecated": false, diff --git a/policyDefinitions/virtual-machine/pol-audit-deny-vm-update-assessment.json b/policyDefinitions/virtual-machine/pol-audit-deny-vm-update-assessment.json index aa1f202..8546220 100644 --- a/policyDefinitions/virtual-machine/pol-audit-deny-vm-update-assessment.json +++ b/policyDefinitions/virtual-machine/pol-audit-deny-vm-update-assessment.json @@ -4,7 +4,7 @@ "displayName": "Machines should be configured to periodically check for missing system updates", "description": "To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.", "metadata": { - "category": "Threat and Vulnerability Management", + "category": "Compute", "version": "2.0.0", "preview": false, "deprecated": false, diff --git a/policyDefinitions/virtual-machine/pol-audit-vm-enable-adaptive-application-controls.json b/policyDefinitions/virtual-machine/pol-audit-vm-enable-adaptive-application-controls.json index 8c9646e..258d38f 100644 --- a/policyDefinitions/virtual-machine/pol-audit-vm-enable-adaptive-application-controls.json +++ b/policyDefinitions/virtual-machine/pol-audit-vm-enable-adaptive-application-controls.json 
@@ -4,7 +4,7 @@ "displayName": "Adaptive application controls for defining safe applications should be enabled on your machines", "description": "Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.", "metadata": { - "category": "Compute-VM", + "category": "Compute", "version": "3.0.0", "preview": false, "deprecated": false, diff --git a/policyDefinitions/virtual-machine/pol-audit-vm-internet-facing-vms-should-be-protected-with-nsg.json b/policyDefinitions/virtual-machine/pol-audit-vm-internet-facing-vms-should-be-protected-with-nsg.json index 8d9d63d..c83dd11 100644 --- a/policyDefinitions/virtual-machine/pol-audit-vm-internet-facing-vms-should-be-protected-with-nsg.json +++ b/policyDefinitions/virtual-machine/pol-audit-vm-internet-facing-vms-should-be-protected-with-nsg.json @@ -4,7 +4,7 @@ "displayName": "Internet-facing virtual machines should be protected with network security groups", "description": "This policy protects your internet-facing virtual machines from potential threats by restricting access with network security groups (NSG).", "metadata": { - "category": "Network Security", + "category": "Compute", "version": "3.0.0", "preview": false, "deprecated": false, diff --git a/policyDefinitions/virtual-machine/pol-audit-vm-restrict-nsg-network-ports.json b/policyDefinitions/virtual-machine/pol-audit-vm-restrict-nsg-network-ports.json index f7caf33..4533574 100644 --- a/policyDefinitions/virtual-machine/pol-audit-vm-restrict-nsg-network-ports.json +++ b/policyDefinitions/virtual-machine/pol-audit-vm-restrict-nsg-network-ports.json 
@@ -4,7 +4,7 @@ "displayName": "All network ports should be restricted on network security groups associated to your virtual machine", "description": "Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.", "metadata": { - "category": "Compute-VM", + "category": "Compute", "version": "3.0.0", "preview": false, "deprecated": false, diff --git a/policyDefinitions/virtual-machine/pol-deny-vm-install-approved-extensions.json b/policyDefinitions/virtual-machine/pol-deny-vm-install-approved-extensions.json index 72c3f96..c3a22d6 100644 --- a/policyDefinitions/virtual-machine/pol-deny-vm-install-approved-extensions.json +++ b/policyDefinitions/virtual-machine/pol-deny-vm-install-approved-extensions.json @@ -4,7 +4,7 @@ "displayName": "Only approved VM extensions should be installed", "description": "This policy governs the virtual machine extensions that are not approved. Any unapproved VM extensions would be denied.", "metadata": { - "category": "Compute-VM", + "category": "Compute", "version": "1.0.0", "preview": false, "deprecated": false, diff --git a/policyDefinitions/virtual-machine/pol-deny-vm-restrict-rdp-ssh-access-from-internet.json b/policyDefinitions/virtual-machine/pol-deny-vm-restrict-rdp-ssh-access-from-internet.json index ebcde29..fd37216 100644 --- a/policyDefinitions/virtual-machine/pol-deny-vm-restrict-rdp-ssh-access-from-internet.json +++ b/policyDefinitions/virtual-machine/pol-deny-vm-restrict-rdp-ssh-access-from-internet.json @@ -4,7 +4,7 @@ "displayName": "RDP and SSH access from the Internet should be blocked", "description": "This policy denies any network security rule that allows RDP or SSH access from Internet.", "metadata": { - "category": "Network Security", + "category": "Compute", "version": "1.0.0", "preview": false, "deprecated": false 
diff --git a/policyDefinitions/virtual-machine/pol-deploy-vm-iaasantimalware-extension-for-windows-servers.json b/policyDefinitions/virtual-machine/pol-deploy-vm-iaasantimalware-extension-for-windows-servers.json index c2d5c4a..c46844f 100644 --- a/policyDefinitions/virtual-machine/pol-deploy-vm-iaasantimalware-extension-for-windows-servers.json +++ b/policyDefinitions/virtual-machine/pol-deploy-vm-iaasantimalware-extension-for-windows-servers.json @@ -4,7 +4,7 @@ "displayName": "Deploy default Microsoft IaaSAntimalware extension for Windows Server with custom configurations", "description": "This policy deploys a Microsoft IaaSAntimalware extension with custom configuration when a VM is not configured with the antimalware extension.", "metadata": { - "category": "Threat and Vulnerability Management", + "category": "Compute", "version": "1.0.0", "preview": false, "deprecated": false diff --git a/policyDefinitions/virtual-machine/pol-deploy-vm-shutdown-schedule.json b/policyDefinitions/virtual-machine/pol-deploy-vm-shutdown-schedule.json index e54a4e2..f18c3aa 100644 --- a/policyDefinitions/virtual-machine/pol-deploy-vm-shutdown-schedule.json +++ b/policyDefinitions/virtual-machine/pol-deploy-vm-shutdown-schedule.json @@ -4,7 +4,7 @@ "displayName": "Deploy Virtual Machine Auto Shutdown Schedule", "description": "This policy deploys a Auto shutdown schedule for a Virtual Machine.", "metadata": { - "category": "Asset Management", + "category": "Compute", "version": "1.0.0", "preview": false, "deprecated": false diff --git a/policyDefinitions/network-security-group/pol-audit-nsg-on-subnet.json b/policyDefinitions/vnet/pol-audit-nsg-on-subnet.json similarity index 97% rename from policyDefinitions/network-security-group/pol-audit-nsg-on-subnet.json rename to policyDefinitions/vnet/pol-audit-nsg-on-subnet.json index ed9f5f9..3cb9fb9 100644 --- a/policyDefinitions/network-security-group/pol-audit-nsg-on-subnet.json +++ b/policyDefinitions/vnet/pol-audit-nsg-on-subnet.json 
@@ -4,7 +4,7 @@ "displayName": "Subnets should be associated with a Network Security Group", "description": "Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.", "metadata": { - "category": "Logging and monitoring", + "category": "Virtual Network", "version": "3.0.0", "preview": false, "deprecated": false, diff --git a/policyDefinitions/vnet/pol-deny-gateway-subnet-with-nsg.json b/policyDefinitions/vnet/pol-deny-gateway-subnet-with-nsg.json index b2b9898..74d84ec 100644 --- a/policyDefinitions/vnet/pol-deny-gateway-subnet-with-nsg.json +++ b/policyDefinitions/vnet/pol-deny-gateway-subnet-with-nsg.json @@ -6,7 +6,7 @@ "description": "Gateway Subnets must not have a Network Security Group associated with them. This policy denies the creation of a Gateway Subnet with an NSG.", "metadata": { "version": "1.0.0", - "category": "Network", + "category": "Virtual Network", "preview": false, "deprecated": false }, diff --git a/policyDefinitions/vnet/pol-deny-subnet-without-nsg.json b/policyDefinitions/vnet/pol-deny-subnet-without-nsg.json index d782965..bbe882a 100644 --- a/policyDefinitions/vnet/pol-deny-subnet-without-nsg.json +++ b/policyDefinitions/vnet/pol-deny-subnet-without-nsg.json @@ -6,7 +6,7 @@ "description": "Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.", "metadata": { "version": "1.0.0", - "category": "Network", + "category": "Virtual Network", "preview": false, "deprecated": false }, diff --git a/policyDefinitions/web/pol-deny-app-traffic-via-public-network.json b/policyDefinitions/web/pol-deny-app-traffic-via-public-network.json index 3cbecec..af356e7 100644 --- a/policyDefinitions/web/pol-deny-app-traffic-via-public-network.json 
+++ b/policyDefinitions/web/pol-deny-app-traffic-via-public-network.json @@ -4,7 +4,7 @@ "displayName": "App Service apps should enable outbound non-RFC 1918 traffic to Azure Virtual Network", "description": "By default, if one uses regional Azure Virtual Network (VNET) integration, the app only routes RFC1918 traffic into that respective virtual network. Using the API to set 'vnetRouteAllEnabled' to true enables all outbound traffic into the Azure Virtual Network. This setting allows features like network security groups and user defined routes to be used for all outbound traffic from the App Service app.", "metadata": { - "category": "Network Security", + "category": "App Service", "version": "1.0.0", "preview": false, "deprecated": false diff --git a/policyDefinitions/web/pol-deny-disallowed-easy-auth-identity-providers.json b/policyDefinitions/web/pol-deny-disallowed-easy-auth-identity-providers.json index 6fb452e..1ece90f 100644 --- a/policyDefinitions/web/pol-deny-disallowed-easy-auth-identity-providers.json +++ b/policyDefinitions/web/pol-deny-disallowed-easy-auth-identity-providers.json @@ -4,7 +4,7 @@ "displayName": "Function apps should only use approved identity providers for authentication", "description": "Only approved Easy Auth identity providers cant be used in Function Apps.", "metadata": { - "category": "Web", + "category": "App Service", "version": "1.0.0", "preview": false, "deprecated": false diff --git a/policyDefinitions/web/pol-deny-fa-app-config-traffic-via-public-network.json b/policyDefinitions/web/pol-deny-fa-app-config-traffic-via-public-network.json index fc4a050..3ce1284 100644 --- a/policyDefinitions/web/pol-deny-fa-app-config-traffic-via-public-network.json +++ b/policyDefinitions/web/pol-deny-fa-app-config-traffic-via-public-network.json 
@@ -4,7 +4,7 @@ "displayName": "App Service and Function apps should route configuration traffic over the virtual network", "description": "Configuration routing affects operations that happen before or during startup of your app. Virtual network routing handles how both app and configuration traffic are routed from your virtual network and out.", "metadata": { - "category": "Network Security", + "category": "App Service", "version": "1.0.0", "preview": false, "deprecated": false diff --git a/policyDefinitions/web/pol-deny-fa-slots-app-traffic-via-public-network.json b/policyDefinitions/web/pol-deny-fa-slots-app-traffic-via-public-network.json index a52bbdc..947c728 100644 --- a/policyDefinitions/web/pol-deny-fa-slots-app-traffic-via-public-network.json +++ b/policyDefinitions/web/pol-deny-fa-slots-app-traffic-via-public-network.json @@ -4,7 +4,7 @@ "displayName": "Function app slots should enable outbound non-RFC 1918 traffic to Azure Virtual Network", "description": "Application routing defines what traffic is routed from your app and into the virtual network.", "metadata": { - "category": "Network Security", + "category": "App Service", "version": "1.0.0", "preview": false, "deprecated": false diff --git a/policyDefinitions/web/pol-deny-fa-slots-config-traffic-via-public-network.json b/policyDefinitions/web/pol-deny-fa-slots-config-traffic-via-public-network.json index cd93b69..9349dda 100644 --- a/policyDefinitions/web/pol-deny-fa-slots-config-traffic-via-public-network.json +++ b/policyDefinitions/web/pol-deny-fa-slots-config-traffic-via-public-network.json 
@@ -4,7 +4,7 @@ "displayName": "Function app slots should route configuration traffic over the virtual network", "description": "Configuration routing affects operations that happen before or during startup of your app. Virtual network routing handles how both app and configuration traffic are routed from your virtual network and out.", "metadata": { - "category": "Network Security", + "category": "App Service", "version": "1.0.0", "preview": false, "deprecated": false From 56334c5f467ce1e56f4ab35238998c4c5f8a83e2 Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Thu, 23 Apr 2026 11:32:02 +1000 Subject: [PATCH 02/46] Add new policies for Cognitive Services and update existing diagnostic settings Co-authored-by: Copilot --- policyAssignments/dev/pa-d-diag-settings.json | 3 + .../prod/pa-p-diag-settings.json | 3 + ...ol-restrict-cog-public-network-access.json | 55 +++++ .../pol-deploy-diag-cognitiveProjects.json | 190 ++++++++++++++++++ policyInitiatives/polset-diag-settings.json | 36 ++++ 5 files changed, 287 insertions(+) create mode 100644 policyDefinitions/cognitive-service/pol-restrict-cog-public-network-access.json create mode 100644 policyDefinitions/diagnostics-settings/pol-deploy-diag-cognitiveProjects.json diff --git a/policyAssignments/dev/pa-d-diag-settings.json b/policyAssignments/dev/pa-d-diag-settings.json index 2ff7317..60a67ec 100644 --- a/policyAssignments/dev/pa-d-diag-settings.json +++ b/policyAssignments/dev/pa-d-diag-settings.json @@ -204,6 +204,9 @@ }, "DS-062_Effect": { "value": "DeployIfNotExists" + }, + "DS-063_Effect": { + "value": "DeployIfNotExists" } }, "roleDefinitionIds": [ diff --git a/policyAssignments/prod/pa-p-diag-settings.json b/policyAssignments/prod/pa-p-diag-settings.json index 1880dc6..65b4d34 100644 --- a/policyAssignments/prod/pa-p-diag-settings.json +++ b/policyAssignments/prod/pa-p-diag-settings.json 
@@ -204,6 +204,9 @@
 },
 "DS-062_Effect": {
 "value": "DeployIfNotExists"
+ },
+ "DS-063_Effect": {
+ "value": "DeployIfNotExists"
 }
 },
 "roleDefinitionIds": [
diff --git a/policyDefinitions/cognitive-service/pol-restrict-cog-public-network-access.json b/policyDefinitions/cognitive-service/pol-restrict-cog-public-network-access.json
new file mode 100644
index 0000000..11f6721
--- /dev/null
+++ b/policyDefinitions/cognitive-service/pol-restrict-cog-public-network-access.json
@@ -0,0 +1,55 @@
+{
+ "name": "pol-restrict-cog-public-network-access",
+ "properties": {
+ "displayName": "Cognitive Services accounts should restrict public network access",
+ "description": "Disabling public network access improves security by ensuring that your Cognitive Services account isn't exposed on the public internet",
+ "metadata": {
+ "category": "Cognitive Services",
+ "version": "1.0.0",
+ "preview": false,
+ "deprecated": false
+ },
+ "mode": "Indexed",
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.CognitiveServices/accounts"
+ },
+ {
+ "anyOf": [
+ {
+ "field": "Microsoft.CognitiveServices/accounts/publicNetworkAccess",
+ "notEquals": "Disabled"
+ },
+ {
+ "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",
+ "notEquals": "Deny"
+ }
+ ]
+ }
+
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-cognitiveProjects.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-cognitiveProjects.json
new file mode 100644
index 0000000..dba5f22
--- /dev/null
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-cognitiveProjects.json
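Review bot: The second `anyOf` branch of pol-restrict-cog-public-network-access.json tests `Microsoft.Storage/storageAccounts/networkAcls.defaultAction`, a storage-account alias, inside a rule scoped to `Microsoft.CognitiveServices/accounts`. That alias has no value on a Cognitive Services account, so the `"notEquals": "Deny"` branch will most likely evaluate true for every account and, with the default effect of `Deny`, block even accounts whose `publicNetworkAccess` is already `Disabled`. The intended check is presumably the account's own network ACL, `"field": "Microsoft.CognitiveServices/accounts/networkAcls.defaultAction"`; if only public network access is meant to be enforced, drop that branch and the `anyOf` wrapper instead. The stray blank added line inside the `allOf` array should go as well.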
@@ -0,0 +1,190 @@
+{
+ "name": "pol-deploy-diag-cognitiveProjects",
+ "properties": {
+ "displayName": "Deploys the diagnostic settings for Cognitive Services Projects to Log Analytics workspace",
+ "description": "This policy automatically deploys and enable diagnostic settings to Log Analytics",
+ "metadata": {
+ "category": "Logging and monitoring",
+ "version": "1.0.0",
+ "preview": false,
+ "deprecated": false
+ },
+ "mode": "All",
+ "parameters": {
+ "profileName": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ },
+ "defaultValue": "setByPolicy"
+ },
+ "evaluationDelay": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Evaluation Delay",
+ "description": "Specifies when the existence of the related resources should be evaluated. The delay is only used for evaluations that are a result of a create or update resource request. Allowed values are AfterProvisioning, AfterProvisioningSuccess, AfterProvisioningFailure, or an ISO 8601 duration between 0 and 360 minutes."
+ },
+ "defaultValue": "AfterProvisioning"
+ },
+ "effect": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists"
+ },
+ "logAnalytics": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Log Analytics workspace",
+ "description": "Select the Log Analytics workspace from dropdown list",
+ "strongType": "omsWorkspace",
+ "assignPermissions": true
+ }
+ },
+ "metricsEnabled": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Enable metrics",
+ "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ },
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "defaultValue": "True"
+ },
+ "logsEnabled": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Enable logs",
+ "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ },
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "defaultValue": "True"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.CognitiveServices/accounts/projects"
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "evaluationDelay": "[parameters('evaluationDelay')]",
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+ "equals": "True"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+ "equals": "True"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "matchInsensitively": "[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "deployment": {
+ "properties": {
+ "mode":
"incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "profileName": {
+ "type": "string"
+ },
+ "resourceName": {
+ "type": "string"
+ },
+ "logAnalytics": {
+ "type": "string"
+ },
+ "metricsEnabled": {
+ "type": "string"
+ },
+ "logsEnabled": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.CognitiveServices/accounts/projects/providers/diagnosticSettings",
+ "apiVersion": "2021-05-01-preview",
+ "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+ "location": "[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "workspaceId": "[parameters('logAnalytics')]",
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": "[parameters('metricsEnabled')]",
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ },
+ "timeGrain": null
+ }
+ ],
+ "logs": [
+ {
+ "categoryGroup": "allLogs",
+ "enabled": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "profileName": {
+ "value": "[parameters('profileName')]"
+ },
+ "logAnalytics": {
+ "value": "[parameters('logAnalytics')]"
+ },
+ "metricsEnabled": {
+ "value": "[parameters('metricsEnabled')]"
+ },
+ "logsEnabled": {
+ "value": "[parameters('logsEnabled')]"
+ },
+ "location": {
+ "value": "[field('location')]"
+ },
+ "resourceName": {
+ "value": "[field('fullName')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/policyInitiatives/polset-diag-settings.json b/policyInitiatives/polset-diag-settings.json
index 7109179..6d843f8 100644
--- a/policyInitiatives/polset-diag-settings.json
+++ b/policyInitiatives/polset-diag-settings.json
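Review bot: The `existenceCondition` in pol-deploy-diag-cognitiveProjects.json hard-codes `"equals": "True"` for both `logs.enabled` and `metrics.enabled`, while the `logsEnabled` and `metricsEnabled` parameters accept `"False"` and are what the deployment actually writes into the setting. An assignment that sets either to `False` can never satisfy the existence check, so the DeployIfNotExists remediation will keep re-deploying the same diagnostic setting on every evaluation; compare against the parameters instead, `"equals": "[parameters('logsEnabled')]"` and `"equals": "[parameters('metricsEnabled')]"`. Whether `Microsoft.CognitiveServices/accounts/projects` emits categories under the `allLogs` group at `apiVersion` `2021-05-01-preview` cannot be confirmed from the diff, so the `description` should name the categories this is expected to capture. The same `description` reads "deploys and enable"; it should be "deploys and enables".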
@@ -777,6 +777,18 @@
 "Disabled"
 ],
 "defaultValue": "DeployIfNotExists"
+ },
+ "DS-063_Effect": {
+ "type": "string",
+ "metadata": {
+ "displayName": "DS-063 Effect: Configure Diagnostic Setting for Azure Cognitive Services Projects",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists"
 }
 },
 "policyDefinitionGroups": [
@@ -2287,6 +2299,30 @@
 "AU_ISM_580",
 "CB-AZ-021"
 ]
+ },
+ {
+ "policyDefinitionReferenceId": "DS-063",
+ "policyDefinitionId": "{policyLocationResourceId}/providers/Microsoft.Authorization/policyDefinitions/pol-deploy-diag-cognitiveProjects",
+ "parameters": {
+ "profileName": {
+ "value": "[parameters('profileName')]"
+ },
+ "evaluationDelay": {
+ "value": "[parameters('evaluationDelay')]"
+ },
+ "effect": {
+ "value": "[parameters('DS-063_Effect')]"
+ },
+ "logAnalytics": {
+ "value": "[parameters('logAnalytics')]"
+ }
+ },
+ "groupNames": [
+ "ISO27001-2013_A.12.4.1",
+ "ISO27001-2022_A.8.15",
+ "AU_ISM_580",
+ "CB-AZ-021"
+ ]
 }
 ]
 }
From ce2b2cfb5dbb98e0c4f19777c0366961e3ebf924 Mon Sep 17 00:00:00 2001
From: Tao Yang
Date: Thu, 23 Apr 2026 13:34:42 +1000
Subject: [PATCH 03/46] Refactor workflow configuration for clarity and consistency in policy initiatives
Co-authored-by: Copilot
---
 .github/workflows/policy-initiatives.yml | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/policy-initiatives.yml b/.github/workflows/policy-initiatives.yml
index 25e70be..c8c8d04 100644
--- a/.github/workflows/policy-initiatives.yml
+++ b/.github/workflows/policy-initiatives.yml
@@ -1,16 +1,17 @@ name: policy-initiatives on: - workflow_dispatch: # allows a manual run from the UI + workflow_dispatch: + # allows a manual run from the UI inputs: debug: description: "Enable debug logging" type: boolean default: false workflow_run: - workflows: ["policy-definitions"] # name of the triggering workflow - types: [completed] - branches: [main] + workflows: [ "policy-definitions" ] # name of the triggering workflow + types: [ completed ] + branches: [ main ] permissions: contents: read @@ -28,7 +29,8 @@ jobs: job_call_initiation: name: Initiation runs-on: ubuntu-latest - if: ${{ github.event.workflow_run.conclusion == 'success' || github.event_name == 'workflow_dispatch' }} + if: ${{ github.event.workflow_run.conclusion == 'success' || github.event_name + == 'workflow_dispatch' }} steps: - name: "Checkout" uses: actions/checkout@v6 @@ -79,7 +81,7 @@ jobs: definition-file-path: "${{env.definitionFileDirectory}}" template-file-directory: "${{env.templateFileDirectory}}" bicep-file-path: "${{env.templateFileDirectory}}/${{env.templateFileName}}" - bicep-variable-name: "policyInitiatives" + bicep-variable-name: "policySetDefinitions" build-artifact-name: "policy_set_bicep_dev" job_build_prod: @@ -100,7 +102,7 @@ jobs: definition-file-path: "${{env.definitionFileDirectory}}" template-file-directory: "${{env.templateFileDirectory}}" bicep-file-path: "${{env.templateFileDirectory}}/${{env.templateFileName}}" - bicep-variable-name: "policyInitiatives" + bicep-variable-name: "policySetDefinitions" build-artifact-name: "policy_set_bicep_prod" job_test_dev: From 50189907367370b3a8fe632fffe27999bc57e8e4 Mon Sep 17 00:00:00 2001 
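Review bot: The `bicep-variable-name` change from `policyInitiatives` to `policySetDefinitions` in job_build_dev and job_build_prod alters what the build reads out of the Bicep template, which is not the clarity refactor the commit title describes; the template at `${{env.templateFileDirectory}}/${{env.templateFileName}}` is outside this diff, so confirm it declares a `policySetDefinitions` variable or both build jobs will fail at the first run. Wrapping the `if:` expression across two lines is valid YAML plain-scalar folding, but it separates `github.event_name` from its comparison and is easy to misread; keep it on one line or use a `>-` block scalar. Moving the manual-run comment onto its own line under `workflow_dispatch:` makes it read as a comment on `inputs`; the original `workflow_dispatch: # allows a manual run from the UI` was clearer.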
From: Tao Yang Date: Thu, 23 Apr 2026 14:08:33 +1000 Subject: [PATCH 04/46] Add Azure Cosmos DB policies and assignments for security compliance Co-authored-by: Copilot --- policyAssignments/dev/pa-d-cosmos.json | 43 +++++++ policyAssignments/prod/pa-p-cosmos.json | 43 +++++++ .../pol-audit-deny-cbd-allowed-locations.json | 62 +++++++++++ ...ol-audit-deny-cdb-minimum-tls-version.json | 69 ++++++++++++ policyInitiatives/polset-cosmos-db.json | 105 ++++++++++++++++++ policyInitiatives/polset-monitor.json | 2 +- 6 files changed, 323 insertions(+), 1 deletion(-) create mode 100644 policyAssignments/dev/pa-d-cosmos.json create mode 100644 policyAssignments/prod/pa-p-cosmos.json create mode 100644 policyDefinitions/cosmos-db/pol-audit-deny-cbd-allowed-locations.json create mode 100644 policyDefinitions/cosmos-db/pol-audit-deny-cdb-minimum-tls-version.json diff --git a/policyAssignments/dev/pa-d-cosmos.json b/policyAssignments/dev/pa-d-cosmos.json new file mode 100644 index 0000000..daf4e98 --- /dev/null +++ b/policyAssignments/dev/pa-d-cosmos.json 
@@ -0,0 +1,43 @@
+{
+ "$schema": "../policyAssignment.schema.json",
+ "policyAssignment": {
+ "name": "pa-d-cosmos",
+ "displayName": "Azure Cosmos DB Policies Dev",
+ "description": "Policy Assignment for Azure Cosmos DB - Dev",
+ "metadata": {
+ "category": "Azure Cosmos DB"
+ },
+ "policyDefinitionId": "{policyLocationResourceId}/providers/Microsoft.Authorization/policySetDefinitions/polset-cosmos-db",
+ "identity": "None",
+ "parameters": {
+ "COSMOS-001_Effect": {
+ "value": "Deny"
+ },
+ "COSMOS-002_Effect": {
+ "value": "Deny"
+ },
+ "COSMOS-003_Effect": {
+ "value": "Deny"
+ },
+ "COSMOS-004_Effect": {
+ "value": "Audit"
+ },
+ "COSMOS-005_Effect": {
+ "value": "Deny"
+ },
+ "COSMOS-006_Effect": {
+ "value": "Deny"
+ },
+ "COSMOS-006_minimalTlsVersion": {
+ "value": "Tls12"
+ },
+ "COSMOS-007_Effect": {
+ "value": "Deny"
+ }
+ },
+ "nonComplianceMessages": [],
+ "roleDefinitionIds": []
+ },
+ "definitionSourceManagementGroupId": "/providers/Microsoft.Management/managementGroups/CONTOSO-DEV",
+ "managementGroupId": "CONTOSO-DEV"
+}
diff --git a/policyAssignments/prod/pa-p-cosmos.json b/policyAssignments/prod/pa-p-cosmos.json
new file mode 100644
index 0000000..6410c0f
--- /dev/null
+++ b/policyAssignments/prod/pa-p-cosmos.json
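Review bot: pa-d-cosmos.json (and pa-p-cosmos.json in the next hunk) sets `COSMOS-007_Effect` to `Deny` but never sets `COSMOS-007_listOfAllowedLocations`, so the set of regions enforced on each management group is whatever default the initiative happens to carry rather than a value the assignment states. For a Deny policy that blocks Cosmos DB deployments outside the list, make it explicit in both assignments, e.g. `"COSMOS-007_listOfAllowedLocations": { "value": [ "<allowed-region-1>", "<allowed-region-2>" ] }` alongside `COSMOS-006_minimalTlsVersion`, which is already pinned that way. Dev and prod are otherwise identical apart from names and management group, so a reader cannot tell whether `"COSMOS-004_Effect": { "value": "Audit" }` is intentional in prod; a sentence in the `description` saying why would help.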
@@ -0,0 +1,43 @@
+{
+ "$schema": "../policyAssignment.schema.json",
+ "policyAssignment": {
+ "name": "pa-p-cosmos",
+ "displayName": "Azure Cosmos DB Policies Prod",
+ "description": "Policy Assignment for Azure Cosmos DB - Prod",
+ "metadata": {
+ "category": "Azure Cosmos DB"
+ },
+ "policyDefinitionId": "{policyLocationResourceId}/providers/Microsoft.Authorization/policySetDefinitions/polset-cosmos-db",
+ "identity": "None",
+ "parameters": {
+ "COSMOS-001_Effect": {
+ "value": "Deny"
+ },
+ "COSMOS-002_Effect": {
+ "value": "Deny"
+ },
+ "COSMOS-003_Effect": {
+ "value": "Deny"
+ },
+ "COSMOS-004_Effect": {
+ "value": "Audit"
+ },
+ "COSMOS-005_Effect": {
+ "value": "Deny"
+ },
+ "COSMOS-006_Effect": {
+ "value": "Deny"
+ },
+ "COSMOS-006_minimalTlsVersion": {
+ "value": "Tls12"
+ },
+ "COSMOS-007_Effect": {
+ "value": "Deny"
+ }
+ },
+ "nonComplianceMessages": [],
+ "roleDefinitionIds": []
+ },
+ "definitionSourceManagementGroupId": "/providers/Microsoft.Management/managementGroups/CONTOSO",
+ "managementGroupId": "CONTOSO"
+}
diff --git a/policyDefinitions/cosmos-db/pol-audit-deny-cbd-allowed-locations.json b/policyDefinitions/cosmos-db/pol-audit-deny-cbd-allowed-locations.json
new file mode 100644
index 0000000..384a30d
--- /dev/null
+++ b/policyDefinitions/cosmos-db/pol-audit-deny-cbd-allowed-locations.json
@@ -0,0 +1,62 @@
+{
+ "name": "pol-audit-deny-cdb-allowed-locations",
+ "properties": {
+ "displayName": "Azure Cosmos DB allowed locations",
+ "policyType": "BuiltIn",
+ "mode": "Indexed",
+ "description": "This policy enables you to restrict the locations your organization can specify when deploying Azure Cosmos DB resources. Use to enforce your geo-compliance requirements.",
+ "metadata": {
+ "version": "1.1.0",
+ "category": "Cosmos DB",
+ "preview": false,
+ "deprecated": false,
+ "source_builtIn_name": "0473574d-2d43-4217-aefe-941fcdf7e684"
+ },
+ "parameters": {
+ "listOfAllowedLocations": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "Allowed locations",
+ "description": "The list of locations that can be specified when deploying Azure Cosmos DB resources.",
+ "strongType": "location"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Policy Effect",
+ "description": "The desired effect of the policy."
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.DocumentDB/databaseAccounts"
+ },
+ {
+ "count": {
+ "field": "Microsoft.DocumentDB/databaseAccounts/Locations[*]",
+ "where": {
+ "value": "[replace(toLower(first(field('Microsoft.DocumentDB/databaseAccounts/Locations[*].locationName'))), ' ', '')]",
+ "in": "[parameters('listOfAllowedLocations')]"
+ }
+ },
+ "notEquals": "[length(field('Microsoft.DocumentDB/databaseAccounts/Locations[*]'))]"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
diff --git a/policyDefinitions/cosmos-db/pol-audit-deny-cdb-minimum-tls-version.json b/policyDefinitions/cosmos-db/pol-audit-deny-cdb-minimum-tls-version.json
new file mode 100644
index 0000000..ac2d6ca
--- /dev/null
+++ b/policyDefinitions/cosmos-db/pol-audit-deny-cdb-minimum-tls-version.json
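Review bot: The file is added as `pol-audit-deny-cbd-allowed-locations.json` while its `name` is `pol-audit-deny-cdb-allowed-locations` and the COSMOS-007 reference in polset-cosmos-db.json uses the `cdb` spelling; if the pipeline derives the definition name from the file name, that reference will not resolve, so rename the file to match the other `cdb` definitions. `"policyType": "BuiltIn"` is set by the service, not the author (a definition created in a customer scope is `Custom`), none of the other definitions in this series carry it, and a PUT with `BuiltIn` may be rejected or overwritten; drop the line. `source_builtIn_name` in metadata is useful provenance, but a short `description` note that the rule is copied from that built-in would also explain the otherwise unusual `first(field(...))` expression in the `where` clause.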
@@ -0,0 +1,69 @@
+{
+ "name": "pol-audit-deny-cdb-minimum-tls-version",
+ "properties": {
+ "displayName": "Azure Cosmos DB accounts should have a minimum TLS version",
+ "description": "Ensure that your Azure Cosmos DB accounts are configured to use a minimum TLS version to enhance security.",
+ "metadata": {
+ "category": "Cosmos DB",
+ "version": "1.0.0",
+ "preview": false,
+ "deprecated": false
+ },
+ "mode": "Indexed",
+ "parameters": {
+ "minimalTlsVersion": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Minimum TLS Version",
+ "description": "Minimum version of TLS required for Cosmos DB"
+ },
+ "allowedValues": [
+ "Tls10",
+ "Tls11",
+ "Tls12"
+ ],
+ "defaultValue": "Tls12"
+ },
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.DocumentDB/databaseAccounts"
+ },
+ {
+ "not": {
+ "field": "Microsoft.DocumentDB/databaseAccounts/minimalTlsVersion",
+ "equals": "[parameters('minimalTlsVersion')]"
+ }
+ },
+ {
+ "anyOf":[
+ {
+ "value": "[replace(field('Microsoft.DocumentDB/databaseAccounts/minimalTlsVersion'),'Tls', '')]",
+ "less": "[replace(parameters('minimalTlsVersion'),'Tls','')]"
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
diff --git a/policyInitiatives/polset-cosmos-db.json b/policyInitiatives/polset-cosmos-db.json
index 185d5ed..85a000f 100644
--- a/policyInitiatives/polset-cosmos-db.json
+++ b/policyInitiatives/polset-cosmos-db.json
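Review bot: In pol-audit-deny-cdb-minimum-tls-version.json the `not`/`equals` condition is redundant — a value that is `less` than the parameter is by construction not equal to it — and the `anyOf` wrapping a single condition adds nothing, so the rule reduces to the `type` check plus `"value": "[replace(field('Microsoft.DocumentDB/databaseAccounts/minimalTlsVersion'),'Tls', '')]"` with `"less": "[replace(parameters('minimalTlsVersion'),'Tls','')]"`. Accounts created before `minimalTlsVersion` existed have no value for `field()` to return, and what `replace()` on an empty value followed by `less` evaluates to is not something the diff makes clear; whichever way such accounts should be treated, an explicit `"exists"` condition on `Microsoft.DocumentDB/databaseAccounts/minimalTlsVersion` makes that deliberate rather than accidental. `allowedValues` also admits `Tls10` and `Tls11`, which lets an assignment lower the floor below the secure default; if that is not intended, restrict the list to `Tls12`.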
@@ -77,9 +77,69 @@
 "Disabled"
 ],
 "defaultValue": "Deny"
+ },
+ "COSMOS-006_Effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "COSMOS-006 Effect: Restrict Cosmos DB Minimum TLS Version",
+ "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy."
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ },
+ "COSMOS-006_minimalTlsVersion": {
+ "type": "String",
+ "metadata": {
+ "displayName": "COSMOS-006: Minimum TLS Version",
+ "description": "Minimum version of TLS required for Cosmos DB"
+ },
+ "allowedValues": [
+ "Tls10",
+ "Tls11",
+ "Tls12"
+ ],
+ "defaultValue": "Tls12"
+ },
+ "COSMOS-007_Effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "COSMOS-007 Effect: Restrict Cosmos DB Locations",
+ "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy."
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ },
+ "COSMOS-007_listOfAllowedLocations": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "COSMOS-007: Allowed locations",
+ "description": "The list of locations that can be specified when deploying Azure Cosmos DB resources.",
+ "strongType": "location"
+ },
+ "defaultValue": [
+ "australiaeast",
+ "australiasoutheast"
+ ]
 }
 },
 "policyDefinitionGroups": [
+ {
+ "name": "ISO27001-2013_A.8.2.3",
+ "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.8.2.3"
+ },
+ {
+ "name": "ISO27001-2013_A.10.1.1",
+ "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.10.1.1"
+ },
+ {
 "name": "ISO27001-2013_A.12.3.1",
 "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.12.3.1"
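Review bot: Both new effect descriptions end with `'Disable' turns off the policy.` while the value an assignment must actually pass is `Disabled`; change them to `'Disabled' turns off the policy.` so the help text matches `allowedValues`. `COSMOS-007_listOfAllowedLocations` also ships a `defaultValue` of `australiaeast`/`australiasoutheast`, which bakes one organisation's geo boundary into a reusable initiative and lets an assignment inherit a Deny on every other region without anyone having chosen it. Consider dropping that default so each assignment states its allowed regions explicitly, as the assignment files elsewhere in this series already do for other parameters.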
@@ -88,6 +148,14 @@
 "name": "ISO27001-2013_A.13.1.3",
 "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.13.1.3"
 },
+ {
+ "name": "ISO27001-2013_A.14.1.2",
+ "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.14.1.2"
+ },
+ {
+ "name": "ISO27001-2013_A.15.1.2",
+ "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.15.1.2"
+ },
 {
 "name": "ISO27001-2013_A.17.1.1",
 "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.17.1.1"
@@ -95,6 +163,10 @@
 {
 "name": "ISO27001-2013_A.17.1.2",
 "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.17.1.2"
+ },
+ {
+ "name": "ISO27001-2013_A.18.1.1",
+ "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.18.1.1"
 },
 {
 "name": "CB-AZ-011"
@@ -165,6 +237,39 @@
 "ISO27001-2013_A.17.1.1",
 "ISO27001-2013_A.17.1.2"
 ]
+ },
+ {
+ "policyDefinitionReferenceId": "COSMOS-006",
+ "policyDefinitionId": "{policyLocationResourceId}/providers/Microsoft.Authorization/policyDefinitions/pol-audit-deny-cdb-minimum-tls-version",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('COSMOS-006_Effect')]"
+ },
+ "minimalTlsVersion": {
+ "value": "[parameters('COSMOS-006_minimalTlsVersion')]"
+ }
+ },
+ "groupNames": [
+ "ISO27001-2013_A.8.2.3",
+ "ISO27001-2013_A.10.1.1",
+ "ISO27001-2013_A.14.1.2"
+ ]
+ },
+ {
+ "policyDefinitionReferenceId": "COSMOS-007",
+ "policyDefinitionId": "{policyLocationResourceId}/providers/Microsoft.Authorization/policyDefinitions/pol-audit-deny-cdb-allowed-locations",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('COSMOS-007_Effect')]"
+ },
+ "listOfAllowedLocations": {
+ "value": "[parameters('COSMOS-007_listOfAllowedLocations')]"
+ }
+ },
+ "groupNames": [
+ "ISO27001-2013_A.18.1.1",
+ "ISO27001-2013_A.15.1.2"
+ ]
 }
 ]
 }
diff --git a/policyInitiatives/polset-monitor.json b/policyInitiatives/polset-monitor.json index bb0d0bf..34e1ef3 100644 --- a/policyInitiatives/polset-monitor.json +++ b/policyInitiatives/polset-monitor.json @@ -1,7 +1,7 @@ { "name": "polset-monitor", "properties": { - "displayName": "CONTOSO - Azure Monitor Policy Initiative", + "displayName": "Azure Monitor Policy Initiative", "description": "This initiative includes policies that address the security controls for Azure Monitor.", "metadata": { "category": "Azure Monitor", From 2b9508de314905837441202625293b558779ad45 Mon Sep 17 00:00:00 2001 
From: Tao Yang Date: Thu, 23 Apr 2026 16:36:27 +1000 Subject: [PATCH 05/46] Refactor diagnostic settings policies to use parameterized log and metric enabling - Updated multiple diagnostic settings JSON files to replace hardcoded values for logs and metrics enabling with parameters. - Introduced a new parameter `DS-008_LogsToEnable` to specify which logs should be enabled. - Modified existence conditions to check for the count of enabled logs under the category group "allLogs". - Ensured consistency across various resource types in the policy definitions for better maintainability and flexibility. Co-authored-by: Copilot --- policyAssignments/dev/pa-d-diag-settings.json | 6 ++ .../prod/pa-p-diag-settings.json | 6 ++ .../pol-deploy-diag-aa.json | 20 +++++- .../pol-deploy-diag-aci.json | 2 +- .../pol-deploy-diag-acr.json | 6 +- .../pol-deploy-diag-aks.json | 4 +- .../pol-deploy-diag-analysisService.json | 20 +++++- .../pol-deploy-diag-apim.json | 20 +++++- .../pol-deploy-diag-appGW.json | 20 +++++- .../pol-deploy-diag-appInsights.json | 72 +++++++++---------- .../pol-deploy-diag-ase.json | 2 +- .../pol-deploy-diag-batch.json | 20 +++++- .../pol-deploy-diag-cdnEndpoints.json | 18 ++++- .../pol-deploy-diag-cdnProfiles.json | 20 +++++- .../pol-deploy-diag-cognitive.json | 24 +++++-- .../pol-deploy-diag-cognitiveProjects.json | 20 +++++- .../pol-deploy-diag-cosmosDB.json | 20 +++++- .../pol-deploy-diag-dataFactory.json | 22 ++++-- .../pol-deploy-diag-databricks.json | 20 +++++- .../pol-deploy-diag-dlanalytics.json | 20 +++++- .../pol-deploy-diag-dlstore.json | 20 +++++- .../pol-deploy-diag-eventGridSub.json | 2 +- .../pol-deploy-diag-eventGridSystemTopic.json | 20 +++++- .../pol-deploy-diag-eventGridTopic.json | 24 +++++-- .../pol-deploy-diag-eventhub.json | 24 +++++-- .../pol-deploy-diag-expressRoutes.json | 20 +++++- .../pol-deploy-diag-firewall.json | 20 +++++- .../pol-deploy-diag-frontDoor.json | 20 +++++- .../pol-deploy-diag-function.json | 4 +- 
.../pol-deploy-diag-hdInsight.json | 2 +- .../pol-deploy-diag-iothub.json | 24 +++++-- .../pol-deploy-diag-kv.json | 24 +++++-- .../pol-deploy-diag-la.json | 26 ++++--- .../pol-deploy-diag-lb.json | 20 +++++- ...loy-diag-logicAppsIntegrationAccounts.json | 20 +++++- .../pol-deploy-diag-logicAppsWorkflow.json | 20 +++++- .../pol-deploy-diag-mariaDB.json | 20 +++++- .../pol-deploy-diag-mlworkspace.json | 24 +++++-- .../pol-deploy-diag-mySql.json | 20 +++++- .../pol-deploy-diag-nic.json | 2 +- .../pol-deploy-diag-nsg.json | 20 +++++- .../pol-deploy-diag-pip.json | 24 +++++-- .../pol-deploy-diag-postgreSQL.json | 24 +++++-- .../pol-deploy-diag-powerBIEmbedded.json | 20 +++++- .../pol-deploy-diag-redisCache.json | 24 +++++-- .../pol-deploy-diag-relay.json | 20 +++++- .../pol-deploy-diag-rsv.json | 20 +++++- .../pol-deploy-diag-searchService.json | 20 +++++- .../pol-deploy-diag-serviceBus.json | 24 +++++-- .../pol-deploy-diag-signalR.json | 20 +++++- .../pol-deploy-diag-sqlDBs.json | 24 +++++-- .../pol-deploy-diag-sqlElasticPools.json | 2 +- .../pol-deploy-diag-sqlMi.json | 18 ++++- .../pol-deploy-diag-sqlMiDBs.json | 18 ++++- .../pol-deploy-diag-storageAccount.json | 44 ++---------- .../pol-deploy-diag-streamAnalyticsJobs.json | 20 +++++- .../pol-deploy-diag-sub.json | 2 +- .../pol-deploy-diag-synapseAnalytics.json | 2 +- .../pol-deploy-diag-timeSeriesInsights.json | 20 +++++- .../pol-deploy-diag-trafficManager.json | 20 +++++- .../pol-deploy-diag-vnet.json | 20 +++++- .../pol-deploy-diag-vnetGW.json | 26 ++++--- .../pol-deploy-diag-vpnGW.json | 20 +++++- .../pol-deploy-diag-webServerFarm.json | 2 +- .../pol-deploy-diag-website.json | 4 +- policyInitiatives/polset-diag-settings.json | 15 +++- 66 files changed, 900 insertions(+), 291 deletions(-) diff --git a/policyAssignments/dev/pa-d-diag-settings.json b/policyAssignments/dev/pa-d-diag-settings.json index 60a67ec..1c2e8e9 100644 --- a/policyAssignments/dev/pa-d-diag-settings.json 
+++ b/policyAssignments/dev/pa-d-diag-settings.json
@@ -43,6 +43,12 @@
 "DS-008_Effect": {
 "value": "DeployIfNotExists"
 },
+ "DS-008_LogsToEnable": {
+ "value": [
+ "AppSystemEvents",
+ "OTelResources"
+ ]
+ },
 "DS-009_Effect": {
 "value": "DeployIfNotExists"
 },
diff --git a/policyAssignments/prod/pa-p-diag-settings.json b/policyAssignments/prod/pa-p-diag-settings.json
index 65b4d34..dfbed36 100644
--- a/policyAssignments/prod/pa-p-diag-settings.json
+++ b/policyAssignments/prod/pa-p-diag-settings.json
@@ -43,6 +43,12 @@
 "DS-008_Effect": {
 "value": "DeployIfNotExists"
 },
+ "DS-008_LogsToEnable": {
+ "value": [
+ "AppSystemEvents",
+ "OTelResources"
+ ]
+ },
 "DS-009_Effect": {
 "value": "DeployIfNotExists"
 },
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-aa.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-aa.json
index d71e161..fe34589 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-aa.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-aa.json
@@ -90,12 +90,26 @@
 "existenceCondition": {
 "allOf": [
 {
- "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-aci.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-aci.json
index dbf6c7b..3bbab6e 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-aci.json
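Review bot: The rewritten existence condition in pol-deploy-diag-aa.json only recognises a diagnostic setting that carries a `categoryGroup: "allLogs"` entry; a pre-existing setting that routes every category to the same workspace individually no longer matches, so the resource is reported non-compliant and a remediation task will try to add a second setting to the same workspace, which Azure Monitor normally rejects as a duplicate destination. The identical block is introduced in this commit for analysisService, apim, appGW, batch, cdnEndpoints, cdnProfiles, cognitive, cognitiveProjects, cosmosDB, dataFactory, databricks, dlanalytics, dlstore, eventGridSystemTopic, eventGridTopic and eventhub, so the same applies there. Either broaden the `where` clause to also accept per-category entries, or state the assumption in each definition's `description` (outside this hunk), e.g. `"description": "... Only diagnostic settings that enable the allLogs category group are treated as compliant."`. Separately, because `enabled` is now compared with `parameters('logsEnabled')`, an assignment that passes `False` turns this into a policy that deploys and enforces logging being off; if that is not intended, restrict the parameter to `True` or call the behaviour out in its description.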
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-aci.json
@@ -79,7 +79,7 @@
 "allOf": [
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-acr.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-acr.json
index e2036f0..1ceb5ed 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-acr.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-acr.json
@@ -100,13 +100,17 @@
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
- "equals": "true"
+ "equals": "[parameters('logsEnabled')]"
 }
 ]
 }
 },
 "equals": 1
 },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+ "equals": "[parameters('metricsEnabled')]"
+ },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
 "matchInsensitively": "[parameters('logAnalytics')]"
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-aks.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-aks.json
index 6d5e5b7..7f9c54d 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-aks.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-aks.json
@@ -103,11 +103,11 @@
 "allOf": [
 {
 "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+ "equals": "[parameters('logsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-analysisService.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-analysisService.json
index 2c81eb1..c7efc82 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-analysisService.json
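Review bot: pol-deploy-diag-acr.json now requires `metrics.enabled` to equal `parameters('metricsEnabled')` in the existence condition, but the hunk shows no matching change to the deployment template and the diffstat lists only these few lines for the file. If the ACR template does not already write a `metrics` entry, a freshly remediated setting will never satisfy the condition and every evaluation cycle will re-trigger remediation; please confirm the template emits `"metrics": [ { "category": "AllMetrics", "enabled": "[parameters('metricsEnabled')]" } ]` as the appInsights template later in this commit does, or drop the new clause. The enclosing existence condition starts outside the hunk.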
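Review bot: pol-deploy-diag-aks.json keeps the scalar alias `Microsoft.Insights/diagnosticSettings/logs.enabled` while every other log-emitting definition touched by this commit moves to a `count` over `logs[*]` keyed on the `allLogs` category group, and the commit message says consistency across resource types was ensured. If AKS is deliberately left on the scalar alias (for instance because its template enables categories individually), a short hint in the definition's `description` would stop the next refactor from "fixing" it; otherwise apply the same `count` block here. The enclosing `allOf` starts outside the hunk.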
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-analysisService.json @@ -90,12 +90,26 @@ "existenceCondition": { "allOf": [ { - "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", - "equals": "True" + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + } + ] + } + }, + "equals": 1 }, { "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", - "equals": "True" + "equals": "[parameters('metricsEnabled')]" }, { "field": "Microsoft.Insights/diagnosticSettings/workspaceId", diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-apim.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-apim.json index 6744068..4c0b052 100644 --- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-apim.json +++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-apim.json @@ -102,12 +102,26 @@ "existenceCondition": { "allOf": [ { - "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", - "equals": "True" + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + } + ] + } + }, + "equals": 1 }, { "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", - "equals": "True" + "equals": "[parameters('metricsEnabled')]" }, { "field": "Microsoft.Insights/diagnosticSettings/workspaceId", diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-appGW.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-appGW.json index 2b14de6..f411eab 100644 
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-appGW.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-appGW.json
@@ -90,12 +90,26 @@
 "existenceCondition": {
 "allOf": [
 {
- "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-appInsights.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-appInsights.json
index 3c569c7..de6fc1a 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-appInsights.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-appInsights.json
@@ -1,7 +1,7 @@
 {
- "name": "pol-deploy-diag-appInsights",
+ "name": "pol-deploy-diag-appins-law-contoso-poc",
 "properties": {
- "displayName": "Deploy the diagnostic settings for AppInsights to Log Analytics workspace",
+ "displayName": "Configure Diagnostic Settings for AppInsights to Log Analytics workspace",
 "description": "This policy automatically deploys and enable diagnostic settings to Log Analytics",
 "metadata": {
 "category": "Logging and monitoring",
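Review bot: The definition name changes from `pol-deploy-diag-appInsights` to `pol-deploy-diag-appins-law-contoso-poc`, which embeds an organisation name and a proof-of-concept suffix into a resource id that initiatives reference, while the earlier commit in this series strips `CONTOSO` from displayNames. Renaming the definition also breaks any existing initiative reference or assignment that points at the old name; the diffstat shows polset-diag-settings.json changing, but whether it is updated for the new name cannot be seen here. Consider keeping `"name": "pol-deploy-diag-appInsights"` and expressing the new behaviour in the displayName only.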
@@ -39,15 +39,6 @@
 ],
 "defaultValue": "DeployIfNotExists"
 },
- "logAnalytics": {
- "type": "string",
- "metadata": {
- "displayName": "Log Analytics workspace",
- "description": "Select the Log Analytics workspace from dropdown list",
- "strongType": "omsWorkspace",
- "assignPermissions": true
- }
- },
 "metricsEnabled": {
 "type": "string",
 "metadata": {
@@ -60,17 +51,16 @@
 ],
 "defaultValue": "True"
 },
- "logsEnabled": {
- "type": "string",
+ "logsToEnable": {
+ "type": "array",
 "metadata": {
- "displayName": "Enable logs",
- "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ "displayName": "Logs to be enable",
+ "description": "Diagnostic logs to be enabled"
 },
- "allowedValues": [
- "True",
- "False"
- ],
- "defaultValue": "True"
+ "defaultValue": [
+ "AppSystemEvents",
+ "OTelResources"
+ ]
 }
 },
 "policyRule": {
@@ -90,16 +80,22 @@
 "existenceCondition": {
 "allOf": [
 {
- "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].category",
+ "in": "[parameters('logsToEnable')]"
+ }
+ },
+ "equals": "[length(parameters('logsToEnable'))]"
 },
 {
- "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "field": "Microsoft.Insights/diagnosticSettings/metrics[*].enabled",
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
- "matchInsensitively": "[parameters('logAnalytics')]"
+ "matchInsensitively": "[field('Microsoft.Insights/Components/WorkspaceResourceId')]"
 }
 ]
 },
@@ -116,14 +112,11 @@
 "resourceName": {
 "type": "string"
 },
- "logAnalytics": {
- "type": "string"
- },
 "metricsEnabled": {
 "type": "string"
 },
- "logsEnabled": {
- "type": "string"
+ "logsToEnable": {
+ "type": "array"
 },
 "location": {
 "type": "string"
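Review bot: The new `logsToEnable` parameter has a typo in its displayName (`"displayName": "Logs to be enable"` should read `"displayName": "Logs to be enabled"`) and, unlike the `logsEnabled` parameter it replaces, carries no `allowedValues`, so an assignment can pass arbitrary strings and the nested deployment in a later hunk will only fail at remediation time on an unknown category. If the set of Application Insights log categories is known and stable, list them under `allowedValues`; otherwise say in the description that values must be valid diagnostic log categories for Microsoft.Insights/components.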
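Review bot: The new existence condition counts `logs[*]` entries whose `category` is in `logsToEnable` but never checks `logs[*].enabled`, so a diagnostic setting that lists the requested categories with `enabled: false` satisfies the condition and the component is reported compliant while nothing is being collected; the condition it replaces at least required `logs.enabled` to be `True`. The `where` clause should require both the category match and `enabled`, mirroring the `allOf` pattern the other definitions in this commit use. The `matchInsensitively` against `field('Microsoft.Insights/Components/WorkspaceResourceId')` also presumes a workspace-based component; a classic component has no such property and can never match, which is worth gating in the policy's `if` block (outside this hunk).
```json
"count": {
  "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
  "where": {
    "allOf": [
      {
        "field": "Microsoft.Insights/diagnosticSettings/logs[*].category",
        "in": "[parameters('logsToEnable')]"
      },
      {
        "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
        "equals": "true"
      }
    ]
  }
},
"equals": "[length(parameters('logsToEnable'))]"
```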
@@ -138,7 +131,7 @@
 "location": "[parameters('location')]",
 "dependsOn": [],
 "properties": {
- "workspaceId": "[parameters('logAnalytics')]",
+ "workspaceId": "[reference(resourceId('Microsoft.Insights/Components', parameters('resourceName')), '2020-02-02', 'Full').properties.WorkspaceResourceId]",
 "metrics": [
 {
 "category": "AllMetrics",
@@ -150,10 +143,14 @@
 "timeGrain": null
 }
 ],
- "logs": [
+ "copy": [
 {
- "categoryGroup": "allLogs",
- "enabled": "[parameters('logsEnabled')]"
+ "name": "logs",
+ "count": "[length(parameters('logsToEnable'))]",
+ "input": {
+ "category": "[parameters('logsToEnable')[copyIndex('logs')]]",
+ "enabled": "True"
+ }
 }
 ]
 }
@@ -165,14 +162,11 @@
 "profileName": {
 "value": "[parameters('profileName')]"
 },
- "logAnalytics": {
- "value": "[parameters('logAnalytics')]"
- },
 "metricsEnabled": {
 "value": "[parameters('metricsEnabled')]"
 },
- "logsEnabled": {
- "value": "[parameters('logsEnabled')]"
+ "logsToEnable": {
+ "value": "[parameters('logsToEnable')]"
 },
 "location": {
 "value": "[field('location')]"
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-ase.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-ase.json
index 56f19d1..dd37c1b 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-ase.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-ase.json
@@ -79,7 +79,7 @@
 "allOf": [
 {
 "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+ "equals": "[parameters('logsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-batch.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-batch.json
index 1a8135f..53a68fd 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-batch.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-batch.json
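Review bot: `workspaceId` is now resolved with `reference(...).properties.WorkspaceResourceId`, which is only populated for workspace-based Application Insights components; for a classic component the expression has nothing to return and the nested deployment will most likely fail, leaving the remediation task in error rather than reporting the component as non-compliant. Gate the policy's `if` block (outside this hunk) on the component's `WorkspaceResourceId` existing, or keep a `logAnalytics` parameter as a fallback destination. The surrounding template resource starts before this hunk.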
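Review bot: In the new `copy` block, `"enabled": "True"` writes a string where the diagnosticSettings schema declares `logs[].enabled` as a boolean; the previous template carried the same pattern through a string parameter, but now that the value is hard-coded the plain boolean `"enabled": true` is the unambiguous form and avoids depending on deployment-time coercion. The `copy` itself is well-formed, and a zero-length `logsToEnable` simply yields an empty `logs` array.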
@@ -90,12 +90,26 @@ "existenceCondition": { "allOf": [ { - "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", - "equals": "True" + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + } + ] + } + }, + "equals": 1 }, { "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", - "equals": "True" + "equals": "[parameters('metricsEnabled')]" }, { "field": "Microsoft.Insights/diagnosticSettings/workspaceId", diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-cdnEndpoints.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-cdnEndpoints.json index 05675f7..09abfc4 100644 --- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-cdnEndpoints.json +++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-cdnEndpoints.json @@ -78,8 +78,22 @@ "existenceCondition": { "allOf": [ { - "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", - "equals": "True" + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + } + ] + } + }, + "equals": 1 }, { "field": "Microsoft.Insights/diagnosticSettings/workspaceId", diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-cdnProfiles.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-cdnProfiles.json index 732d711..0ea8ec7 100644 --- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-cdnProfiles.json +++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-cdnProfiles.json 
@@ -90,12 +90,26 @@ "existenceCondition": { "allOf": [ { - "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", - "equals": "True" + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + } + ] + } + }, + "equals": 1 }, { "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", - "equals": "True" + "equals": "[parameters('metricsEnabled')]" }, { "field": "Microsoft.Insights/diagnosticSettings/workspaceId", diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-cognitive.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-cognitive.json index ce16ad1..1b9575e 100644 --- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-cognitive.json +++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-cognitive.json @@ -90,12 +90,26 @@ "existenceCondition": { "allOf": [ { - "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", - "equals": "True" + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + } + ] + } + }, + "equals": 1 }, { "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", - "equals": "True" + "equals": "[parameters('metricsEnabled')]" }, { "field": "Microsoft.Insights/diagnosticSettings/workspaceId", @@ -154,10 +168,6 @@ { "categoryGroup": "allLogs", "enabled": "[parameters('logsEnabled')]" - }, - { - "categoryGroup": "audit", - "enabled": "[parameters('logsEnabled')]" } ] } 
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-cognitiveProjects.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-cognitiveProjects.json index dba5f22..a40f627 100644 --- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-cognitiveProjects.json +++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-cognitiveProjects.json @@ -90,12 +90,26 @@ "existenceCondition": { "allOf": [ { - "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", - "equals": "True" + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + } + ] + } + }, + "equals": 1 }, { "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", - "equals": "True" + "equals": "[parameters('metricsEnabled')]" }, { "field": "Microsoft.Insights/diagnosticSettings/workspaceId", diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-cosmosDB.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-cosmosDB.json index d6246a6..dcc18b6 100644 --- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-cosmosDB.json +++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-cosmosDB.json 
@@ -102,12 +102,26 @@ "existenceCondition": { "allOf": [ { - "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", - "equals": "True" + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + } + ] + } + }, + "equals": 1 }, { "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", - "equals": "True" + "equals": "[parameters('metricsEnabled')]" }, { "field": "Microsoft.Insights/diagnosticSettings/workspaceId", diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-dataFactory.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-dataFactory.json index 6d30698..01db3c6 100644 --- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-dataFactory.json +++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-dataFactory.json @@ -101,13 +101,27 @@ ], "existenceCondition": { "allOf": [ - { - "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", - "equals": "True" + { + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + } + ] + } + }, + "equals": 1 }, { "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", - "equals": "True" + "equals": "[parameters('metricsEnabled')]" }, { "field": "Microsoft.Insights/diagnosticSettings/workspaceId", diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-databricks.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-databricks.json index 6bf3b92..cf6426b 100644 
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-databricks.json +++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-databricks.json @@ -85,9 +85,23 @@ ], "existenceCondition": { "allOf": [ - { - "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", - "equals": "True" +{ + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + } + ] + } + }, + "equals": 1 }, { "field": "Microsoft.Insights/diagnosticSettings/workspaceId", diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-dlanalytics.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-dlanalytics.json index 7a26033..0aaebb2 100644 --- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-dlanalytics.json +++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-dlanalytics.json @@ -90,12 +90,26 @@ "existenceCondition": { "allOf": [ { - "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", - "equals": "True" + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + } + ] + } + }, + "equals": 1 }, { "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", - "equals": "True" + "equals": "[parameters('metricsEnabled')]" }, { "field": "Microsoft.Insights/diagnosticSettings/workspaceId", diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-dlstore.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-dlstore.json index 9b62ebd..dc88449 100644 
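Review bot: The opening brace of the new `count` condition in pol-deploy-diag-databricks.json is written at column 0 (`+{`), unlike the indented `- {` it replaces and unlike the identical block in every sibling file in this commit, so the file's indentation is broken at that point even though the JSON still parses. Re-indent that line to match the surrounding `allOf` entries. The enclosing `allOf` starts outside the hunk.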
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-dlstore.json +++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-dlstore.json @@ -90,12 +90,26 @@ "existenceCondition": { "allOf": [ { - "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", - "equals": "True" + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + } + ] + } + }, + "equals": 1 }, { "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", - "equals": "True" + "equals": "[parameters('metricsEnabled')]" }, { "field": "Microsoft.Insights/diagnosticSettings/workspaceId", diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-eventGridSub.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-eventGridSub.json index fe8ba57..d7ddcf7 100644 --- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-eventGridSub.json +++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-eventGridSub.json @@ -79,7 +79,7 @@ "allOf": [ { "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", - "equals": "True" + "equals": "[parameters('metricsEnabled')]" }, { "field": "Microsoft.Insights/diagnosticSettings/workspaceId", diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-eventGridSystemTopic.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-eventGridSystemTopic.json index fa93e56..b168b47 100644 --- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-eventGridSystemTopic.json +++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-eventGridSystemTopic.json 
@@ -90,12 +90,26 @@
 "existenceCondition": {
 "allOf": [
 {
- "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-eventGridTopic.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-eventGridTopic.json
index 1109f43..3c2b83e 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-eventGridTopic.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-eventGridTopic.json
@@ -90,12 +90,26 @@
 "existenceCondition": {
 "allOf": [
 {
- "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
@@ -154,10 +168,6 @@
 {
 "categoryGroup": "allLogs",
 "enabled": "[parameters('logsEnabled')]"
- },
- {
- "categoryGroup": "audit",
- "enabled": "[parameters('logsEnabled')]"
 }
 ]
 }
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-eventhub.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-eventhub.json
index bf6a481..a39a539 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-eventhub.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-eventhub.json
@@ -90,12 +90,26 @@
 "existenceCondition": {
 "allOf": [
 {
- "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
@@ -154,10 +168,6 @@
 {
 "categoryGroup": "allLogs",
 "enabled": "[parameters('logsEnabled')]"
- },
- {
- "categoryGroup": "audit",
- "enabled": "[parameters('logsEnabled')]"
 }
 ]
 }
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-expressRoutes.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-expressRoutes.json
index 58aca43..18b0bbf 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-expressRoutes.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-expressRoutes.json
@@ -90,12 +90,26 @@
 "existenceCondition": {
 "allOf": [
 {
- "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-firewall.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-firewall.json
index 0868bc0..a18a12b 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-firewall.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-firewall.json
@@ -90,12 +90,26 @@
 "existenceCondition": {
 "allOf": [
 {
- "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-frontDoor.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-frontDoor.json
index 768ebe3..7390d73 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-frontDoor.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-frontDoor.json
@@ -90,12 +90,26 @@
 "existenceCondition": {
 "allOf": [
 {
- "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-function.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-function.json
index fe3d1cb..73a8389 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-function.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-function.json
@@ -120,7 +120,7 @@
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
- "equals": "true"
+ "equals": "[parameters('logsEnabled')]"
 }
 ]
 }
@@ -129,7 +129,7 @@
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-hdInsight.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-hdInsight.json
index 231c227..296b0a7 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-hdInsight.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-hdInsight.json
@@ -79,7 +79,7 @@
 "allOf": [
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-iothub.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-iothub.json
index e19b60c..0170bfc 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-iothub.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-iothub.json
@@ -102,12 +102,26 @@
 "existenceCondition": {
 "allOf": [
 {
- "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
@@ -172,10 +186,6 @@
 {
 "categoryGroup": "allLogs",
 "enabled": "[parameters('logsEnabled')]"
- },
- {
- "categoryGroup": "audit",
- "enabled": "[parameters('logsEnabled')]"
 }
 ]
 }
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-kv.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-kv.json
index 503b536..ca49909 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-kv.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-kv.json
@@ -102,12 +102,26 @@
 "existenceCondition": {
 "allOf": [
 {
- "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
@@ -172,10 +186,6 @@
 {
 "categoryGroup": "allLogs",
 "enabled": "[parameters('logsEnabled')]"
- },
- {
- "categoryGroup": "audit",
- "enabled": "[parameters('logsEnabled')]"
 }
 ]
 }
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-la.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-la.json
index db08e79..e98fb85 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-la.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-la.json
@@ -89,13 +89,27 @@
 ],
 "existenceCondition": {
 "allOf": [
- {
- "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+{
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
@@ -154,10 +168,6 @@
 {
 "categoryGroup": "allLogs",
 "enabled": "[parameters('logsEnabled')]"
- },
- {
- "categoryGroup": "audit",
- "enabled": "[parameters('logsEnabled')]"
 }
 ]
 }
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-lb.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-lb.json
index c63c989..744315e 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-lb.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-lb.json
@@ -90,12 +90,26 @@
 "existenceCondition": {
 "allOf": [
 {
- "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-logicAppsIntegrationAccounts.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-logicAppsIntegrationAccounts.json
index 0309586..a1fe214 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-logicAppsIntegrationAccounts.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-logicAppsIntegrationAccounts.json
@@ -77,9 +77,23 @@
 ],
 "existenceCondition": {
 "allOf": [
- {
- "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+{
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-logicAppsWorkflow.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-logicAppsWorkflow.json
index 9685af2..8c776fb 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-logicAppsWorkflow.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-logicAppsWorkflow.json
@@ -90,12 +90,26 @@
 "existenceCondition": {
 "allOf": [
 {
- "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-mariaDB.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-mariaDB.json
index 0b689da..22182d0 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-mariaDB.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-mariaDB.json
@@ -90,12 +90,26 @@
 "existenceCondition": {
 "allOf": [
 {
- "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-mlworkspace.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-mlworkspace.json
index f9f7c6c..b7df0ff 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-mlworkspace.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-mlworkspace.json
@@ -90,12 +90,26 @@
 "existenceCondition": {
 "allOf": [
 {
- "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
@@ -154,10 +168,6 @@
 {
 "categoryGroup": "allLogs",
 "enabled": "[parameters('logsEnabled')]"
- },
- {
- "categoryGroup": "audit",
- "enabled": "[parameters('logsEnabled')]"
 }
 ]
 }
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-mySql.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-mySql.json
index 99e9f6f..4d8858f 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-mySql.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-mySql.json
@@ -90,12 +90,26 @@
 "existenceCondition": {
 "allOf": [
 {
- "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-nic.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-nic.json
index 73f5f1c..d68daea 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-nic.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-nic.json
@@ -79,7 +79,7 @@
 "allOf": [
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-nsg.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-nsg.json
index 4d81fd3..31c822d 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-nsg.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-nsg.json
@@ -77,9 +77,23 @@
 ],
 "existenceCondition": {
 "allOf": [
- {
- "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+ {
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-pip.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-pip.json
index 56022db..a15da40 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-pip.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-pip.json
@@ -90,12 +90,26 @@
 "existenceCondition": {
 "allOf": [
 {
- "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
@@ -154,10 +168,6 @@
 {
 "categoryGroup": "allLogs",
 "enabled": "[parameters('logsEnabled')]"
- },
- {
- "categoryGroup": "audit",
- "enabled": "[parameters('logsEnabled')]"
 }
 ]
 }
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-postgreSQL.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-postgreSQL.json
index 26b0710..d6c2e75 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-postgreSQL.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-postgreSQL.json
@@ -90,12 +90,26 @@
 "existenceCondition": {
 "allOf": [
 {
- "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
@@ -154,10 +168,6 @@
 {
 "categoryGroup": "allLogs",
 "enabled": "[parameters('logsEnabled')]"
- },
- {
- "categoryGroup": "audit",
- "enabled": "[parameters('logsEnabled')]"
 }
 ]
 }
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-powerBIEmbedded.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-powerBIEmbedded.json
index 9062096..4c72504 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-powerBIEmbedded.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-powerBIEmbedded.json
@@ -90,12 +90,26 @@
 "existenceCondition": {
 "allOf": [
 {
- "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-redisCache.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-redisCache.json
index 2b1025f..ab1998f 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-redisCache.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-redisCache.json
@@ -90,12 +90,26 @@
 "existenceCondition": {
 "allOf": [
 {
- "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
@@ -154,10 +168,6 @@
 {
 "categoryGroup": "allLogs",
 "enabled": "[parameters('logsEnabled')]"
- },
- {
- "categoryGroup": "audit",
- "enabled": "[parameters('logsEnabled')]"
 }
 ]
 }
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-relay.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-relay.json
index 7128e00..204869c 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-relay.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-relay.json
@@ -90,12 +90,26 @@
 "existenceCondition": {
 "allOf": [
 {
- "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-rsv.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-rsv.json
index 1c12ae6..322cfbf 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-rsv.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-rsv.json
@@ -102,12 +102,26 @@
 "existenceCondition": {
 "allOf": [
 {
- "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-searchService.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-searchService.json
index 23f156e..543b256 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-searchService.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-searchService.json
@@ -90,12 +90,26 @@
 "existenceCondition": {
 "allOf": [
 {
- "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-serviceBus.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-serviceBus.json
index 7e2a107..9102a43 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-serviceBus.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-serviceBus.json
@@ -90,12 +90,26 @@
 "existenceCondition": {
 "allOf": [
 {
- "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
@@ -154,10 +168,6 @@
 {
 "categoryGroup": "allLogs",
 "enabled": "[parameters('logsEnabled')]"
- },
- {
- "categoryGroup": "audit",
- "enabled": "[parameters('logsEnabled')]"
 }
 ]
 }
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-signalR.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-signalR.json
index 2d79274..2cae50e 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-signalR.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-signalR.json
@@ -90,12 +90,26 @@
 "existenceCondition": {
 "allOf": [
 {
- "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-sqlDBs.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-sqlDBs.json
index 9e93bc1..ab85fb8 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-sqlDBs.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-sqlDBs.json
@@ -98,12 +98,26 @@
 "existenceCondition": {
 "allOf": [
 {
- "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
@@ -180,10 +194,6 @@
 {
 "categoryGroup": "allLogs",
 "enabled": "[parameters('logsEnabled')]"
- },
- {
- "categoryGroup": "audit",
- "enabled": "[parameters('logsEnabled')]"
 }
 ]
 }
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-sqlElasticPools.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-sqlElasticPools.json
index 17de2ae..e562dba 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-sqlElasticPools.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-sqlElasticPools.json
@@ -79,7 +79,7 @@
 "allOf": [
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-sqlMi.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-sqlMi.json
index 9d2852a..be33921 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-sqlMi.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-sqlMi.json
@@ -78,8 +78,22 @@
 "existenceCondition": {
 "allOf": [
 {
- "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-sqlMiDBs.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-sqlMiDBs.json
index 61be7ca..8f345ac 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-sqlMiDBs.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-sqlMiDBs.json
@@ -78,8 +78,22 @@
 "existenceCondition": {
 "allOf": [
 {
- "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-storageAccount.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-storageAccount.json
index 8079de5..36ae7ad 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-storageAccount.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-storageAccount.json
@@ -91,11 +91,11 @@
 "allOf": [
 {
 "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
- "equals": "True"
+ "equals": "[parameters('metricsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
- "equals": "True"
+ "equals": "[parameters('logsEnabled')]"
 },
 {
 "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
@@ -152,15 +152,7 @@
 ],
 "logs": [
 {
- "category": "StorageRead",
- "enabled": "[parameters('logsEnabled')]"
- },
- {
- "category": "StorageWrite",
- "enabled": "[parameters('logsEnabled')]"
- },
- {
- "category": "StorageDelete",
+ "categoryGroup": "allLogs",
 "enabled": "[parameters('logsEnabled')]"
 }
 ]
@@ -187,15 +179,7 @@
 ],
 "logs": [
 {
- "category": "StorageRead",
- "enabled": "[parameters('logsEnabled')]"
- },
- {
- "category": "StorageWrite",
- "enabled": "[parameters('logsEnabled')]"
- },
- {
- "category": "StorageDelete",
+ "categoryGroup": "allLogs",
 "enabled": "[parameters('logsEnabled')]"
 }
 ]
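Review bot: The storageAccount existence condition (hunk at old line 91) keeps the flat `Microsoft.Insights/diagnosticSettings/logs.enabled` alias compared to `[parameters('logsEnabled')]`, while the deployment hunks in the same file replace the StorageRead/StorageWrite/StorageDelete categories with `"categoryGroup": "allLogs"`; every other logs-bearing definition in this commit moved its check to a `count` over `logs[*]` filtered on that group. Without the same check here, an existing setting that enables only one storage category still satisfies the condition and the allLogs group is never deployed for it, so the file drifts from the rest of the set and from its own deployment template. The existence block is cut short by the hunk, so the exact position of the replacement is inferred; the element below is the one the other definitions use and would replace the two-line `logs.enabled` element, assuming the storage service sub-resources accept the group the deployment already targets.
```json
{
  "count": {
    "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
    "where": {
      "allOf": [
        {
          "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
          "equals": "allLogs"
        },
        {
          "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
          "equals": "[parameters('logsEnabled')]"
        }
      ]
    }
  },
  "equals": 1
},
```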
@@ -222,15 +206,7 @@ ], "logs": [ { - "category": "StorageRead", - "enabled": "[parameters('logsEnabled')]" - }, - { - "category": "StorageWrite", - "enabled": "[parameters('logsEnabled')]" - }, - { - "category": "StorageDelete", + "categoryGroup": "allLogs", "enabled": "[parameters('logsEnabled')]" } ] @@ -257,15 +233,7 @@ ], "logs": [ { - "category": "StorageRead", - "enabled": "[parameters('logsEnabled')]" - }, - { - "category": "StorageWrite", - "enabled": "[parameters('logsEnabled')]" - }, - { - "category": "StorageDelete", + "categoryGroup": "allLogs", "enabled": "[parameters('logsEnabled')]" } ] diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-streamAnalyticsJobs.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-streamAnalyticsJobs.json index 9c73530..7b7d502 100644 --- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-streamAnalyticsJobs.json +++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-streamAnalyticsJobs.json @@ -90,12 +90,26 @@ "existenceCondition": { "allOf": [ { - "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", - "equals": "True" + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + } + ] + } + }, + "equals": 1 }, { "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", - "equals": "True" + "equals": "[parameters('metricsEnabled')]" }, { "field": "Microsoft.Insights/diagnosticSettings/workspaceId", diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-sub.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-sub.json index d52a96a..a092cde 100644 --- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-sub.json +++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-sub.json 
@@ -81,7 +81,7 @@ "allOf": [ { "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", - "equals": "True" + "equals": "[parameters('logsEnabled')]" }, { "field": "Microsoft.Insights/diagnosticSettings/workspaceId", diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-synapseAnalytics.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-synapseAnalytics.json index fe2a4f3..754aa40 100644 --- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-synapseAnalytics.json +++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-synapseAnalytics.json @@ -79,7 +79,7 @@ "allOf": [ { "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", - "equals": "True" + "equals": "[parameters('logsEnabled')]" }, { "field": "Microsoft.Insights/diagnosticSettings/workspaceId", diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-timeSeriesInsights.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-timeSeriesInsights.json index 4fd6e7f..5c5ad6b 100644 --- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-timeSeriesInsights.json +++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-timeSeriesInsights.json @@ -90,12 +90,26 @@ "existenceCondition": { "allOf": [ { - "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", - "equals": "True" + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + } + ] + } + }, + "equals": 1 }, { "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", - "equals": "True" + "equals": "[parameters('metricsEnabled')]" }, { "field": "Microsoft.Insights/diagnosticSettings/workspaceId", 
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-trafficManager.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-trafficManager.json index 2320ee2..56edd5c 100644 --- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-trafficManager.json +++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-trafficManager.json @@ -90,12 +90,26 @@ "existenceCondition": { "allOf": [ { - "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", - "equals": "True" + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + } + ] + } + }, + "equals": 1 }, { "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", - "equals": "True" + "equals": "[parameters('metricsEnabled')]" }, { "field": "Microsoft.Insights/diagnosticSettings/workspaceId", diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-vnet.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-vnet.json index 6b6e660..3a1ef23 100644 --- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-vnet.json +++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-vnet.json 
@@ -90,12 +90,26 @@ "existenceCondition": { "allOf": [ { - "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", - "equals": "True" + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + } + ] + } + }, + "equals": 1 }, { "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", - "equals": "True" + "equals": "[parameters('metricsEnabled')]" }, { "field": "Microsoft.Insights/diagnosticSettings/workspaceId", diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-vnetGW.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-vnetGW.json index 40a4547..3253794 100644 --- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-vnetGW.json +++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-vnetGW.json @@ -89,13 +89,27 @@ ], "existenceCondition": { "allOf": [ - { - "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", - "equals": "True" +{ + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + } + ] + } + }, + "equals": 1 }, { "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", - "equals": "True" + "equals": "[parameters('metricsEnabled')]" }, { "field": "Microsoft.Insights/diagnosticSettings/workspaceId", @@ -154,10 +168,6 @@ { "categoryGroup": "allLogs", "enabled": "[parameters('logsEnabled')]" - }, - { - "categoryGroup": "audit", - "enabled": "[parameters('logsEnabled')]" } ] } 
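Review bot: The added line `+{` in the vnetGW hunk `@@ -89,13 +89,27 @@` sits at column 0 while every sibling element of the `allOf` array is indented, so the file no longer formats consistently and a later `jq`/Prettier pass will produce a noisy diff; re-indent it to match the `{` that opens the metrics condition below it. In the second vnetGW hunk `@@ -154,10 +168,6 @@`, dropping the `"categoryGroup": "audit"` entry looks correct as far as I can tell, since `allLogs` already covers the audit categories, but it is worth confirming against the gateway's published category groups before assuming coverage is unchanged. The `existenceCondition` and the deployment template both continue outside these hunks.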
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-vpnGW.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-vpnGW.json index 169e7e5..0c02559 100644 --- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-vpnGW.json +++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-vpnGW.json @@ -90,12 +90,26 @@ "existenceCondition": { "allOf": [ { - "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", - "equals": "True" + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + } + ] + } + }, + "equals": 1 }, { "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", - "equals": "True" + "equals": "[parameters('metricsEnabled')]" }, { "field": "Microsoft.Insights/diagnosticSettings/workspaceId", diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-webServerFarm.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-webServerFarm.json index e909b3b..5ef86ce 100644 --- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-webServerFarm.json +++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-webServerFarm.json @@ -79,7 +79,7 @@ "allOf": [ { "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", - "equals": "True" + "equals": "[parameters('metricsEnabled')]" }, { "field": "Microsoft.Insights/diagnosticSettings/workspaceId", diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-website.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-website.json index c273bd9..9187d42 100644 --- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-website.json +++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-website.json 
@@ -120,7 +120,7 @@ }, { "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", - "equals": "true" + "equals": "[parameters('logsEnabled')]" } ] } @@ -129,7 +129,7 @@ }, { "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", - "equals": "True" + "equals": "[parameters('metricsEnabled')]" }, { "field": "Microsoft.Insights/diagnosticSettings/workspaceId", diff --git a/policyInitiatives/polset-diag-settings.json b/policyInitiatives/polset-diag-settings.json index 6d843f8..e7036b7 100644 --- a/policyInitiatives/polset-diag-settings.json +++ b/policyInitiatives/polset-diag-settings.json @@ -130,6 +130,17 @@ ], "defaultValue": "DeployIfNotExists" }, + "DS-008_LogsToEnable": { + "type": "array", + "metadata": { + "displayName": "DS-008 Logs to enable", + "description": "Diagnostic logs to be enabled." + }, + "defaultValue": [ + "AppSystemEvents", + "OTelResources" + ] + }, "DS-009_Effect": { "type": "string", "metadata": { @@ -993,8 +1004,8 @@ "effect": { "value": "[parameters('DS-008_Effect')]" }, - "logAnalytics": { - "value": "[parameters('logAnalytics')]" + "logsToEnable": { + "value": "[parameters('DS-008_LogsToEnable')]" } }, "groupNames": [ From dd489799020db7553fb1a80c7c6b172eb23f94c2 Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Thu, 23 Apr 2026 17:00:08 +1000 Subject: [PATCH 06/46] Fix policy name and update display name for AppInsights diagnostic settings deployment --- .../diagnostics-settings/pol-deploy-diag-appInsights.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-appInsights.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-appInsights.json index de6fc1a..ae52725 100644 --- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-appInsights.json +++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-appInsights.json 
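Review bot: The DS-008 policy reference in `polset-diag-settings.json` (hunk `@@ -993,8 +1004,8 @@`) drops the `logAnalytics` parameter and passes only `logsToEnable`, so unless the referenced definition no longer declares `logAnalytics` or gives it a default, the initiative will fail validation; if the workspace is now supplied some other way, that should be visible in this reference. The new `DS-008_LogsToEnable` parameter has a description of `"Diagnostic logs to be enabled."` that does not say which resource type the default categories `AppSystemEvents` and `OTelResources` belong to; something like `"Diagnostic log categories to enable for the DS-008 resource type (default: AppSystemEvents, OTelResources)."` would make the assignment self-describing. Both the `parameters` and `policyDefinitions` sections of the initiative continue outside these hunks.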
@@ -1,7 +1,7 @@
 {
- "name": "pol-deploy-diag-appins-law-contoso-poc",
+ "name": "pol-deploy-diag-appInsights",
 "properties": {
- "displayName": "Configure Diagnostic Settings for AppInsights to Log Analytics workspace",
+ "displayName": "Deploy the diagnostic settings for AppInsights to Log Analytics workspace",
 "description": "This policy automatically deploys and enable diagnostic settings to Log Analytics",
 "metadata": {
 "category": "Logging and monitoring",
From 00a3a421c30c5d5513d538620ecb811ef8a13826 Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Thu, 23 Apr 2026 18:16:52 +1000 Subject: [PATCH 07/46] Refactor Cosmos DB diagnostic settings to consolidate log categories under 'allLogs'
---
 .../pol-deploy-diag-cosmosDB.json | 34 +------------------ 1 file changed, 1 insertion(+), 33 deletions(-)
diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-cosmosDB.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-cosmosDB.json
index dcc18b6..e028350 100644
--- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-cosmosDB.json
+++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-cosmosDB.json
@@ -184,39 +184,7 @@
 ],
 "logs": [
 {
- "category": "DataPlaneRequests",
- "enabled": "[parameters('logsEnabled')]"
- },
- {
- "category": "MongoRequests",
- "enabled": "[parameters('logsEnabled')]"
- },
- {
- "category": "QueryRuntimeStatistics",
- "enabled": "[parameters('logsEnabled')]"
- },
- {
- "category": "PartitionKeyStatistics",
- "enabled": "[parameters('logsEnabled')]"
- },
- {
- "category": "PartitionKeyRUConsumption",
- "enabled": "[parameters('logsEnabled')]"
- },
- {
- "category": "ControlPlaneRequests",
- "enabled": "[parameters('logsEnabled')]"
- },
- {
- "category": "CassandraRequests",
- "enabled": "[parameters('logsEnabled')]"
- },
- {
- "category": "GremlinRequests",
- "enabled": "[parameters('logsEnabled')]"
- },
- {
- "category": "TableApiRequests",
+ "categoryGroup": "allLogs",
 "enabled": "[parameters('logsEnabled')]"
 }
 ]
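Review bot: Consolidating the nine per-category entries into `"categoryGroup": "allLogs"` changes what the template deploys, but this hunk leaves the definition's existenceCondition untouched; if that condition still checks `logs.enabled` rather than the `count` over `logs[*].categoryGroup` that the sqlMi-style definitions in PATCH 01/46 adopt, settings created by the previous version keep satisfying it and stay on the old explicit list, so the consolidation never reaches existing accounts. Note also that `allLogs` enables whichever categories the resource provider publishes, including ones added after this commit, which is the right default for detection coverage but can raise ingestion volume relative to the explicit nine categories and is worth stating in the policy description. The existenceCondition and the start of the deployment template are outside this hunk.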
From 1ccc2cb77164322d02f9ee18c630ec7b60ef9f5b Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Fri, 24 Apr 2026 18:04:49 +1000 Subject: [PATCH 08/46] Fix profileName value in diagnostic settings policies for consistency
---
 policyAssignments/dev/pa-d-diag-settings.json | 2 +- policyAssignments/prod/pa-p-diag-settings.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policyAssignments/dev/pa-d-diag-settings.json b/policyAssignments/dev/pa-d-diag-settings.json
index 1c2e8e9..4b8be20 100644
--- a/policyAssignments/dev/pa-d-diag-settings.json
+++ b/policyAssignments/dev/pa-d-diag-settings.json
@@ -11,7 +11,7 @@
 },
 "parameters": {
 "profileName": {
- "value": "setByPolicyLAW"
+ "value": "setByPolicy"
 },
 "evaluationDelay": {
 "value": "AfterProvisioning"
diff --git a/policyAssignments/prod/pa-p-diag-settings.json b/policyAssignments/prod/pa-p-diag-settings.json
index dfbed36..b785913 100644
--- a/policyAssignments/prod/pa-p-diag-settings.json
+++ b/policyAssignments/prod/pa-p-diag-settings.json
@@ -11,7 +11,7 @@
 "identity": "SystemAssigned",
 "parameters": {
 "profileName": {
- "value": "setByPolicyLAW"
+ "value": "setByPolicy"
 },
 "evaluationDelay": {
 "value": "AfterProvisioning"
From 2c18b14228f20638d563cf7b2bee1abc3bea00c8 Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Fri, 1 May 2026 22:44:26 +1000 Subject: [PATCH 09/46] Update AzPolicyTest module version to 3.0.0 and improve action.yml formatting
---
 .azuredevops/templates/template-stage-policy-tests.yml | 2 +- .github/ISSUE_TEMPLATE/config.yml | 2 +- .github/actions/templates/test-policy-def/action.yml | 9 ++++++--- 3 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/.azuredevops/templates/template-stage-policy-tests.yml b/.azuredevops/templates/template-stage-policy-tests.yml
index 2fc333e..9ade2b0 100644
--- a/.azuredevops/templates/template-stage-policy-tests.yml
+++ b/.azuredevops/templates/template-stage-policy-tests.yml
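Review bot: Changing `profileName` from `setByPolicyLAW` to `setByPolicy` in both assignments does not remove the `setByPolicyLAW` diagnostic settings that earlier remediation already deployed; where a definition's updated existenceCondition no longer matches such an old setting (for example the new `allLogs` count check from PATCH 01/46), remediation will try to create a second setting named `setByPolicy` on the same resource, and as far as I know Azure rejects a diagnostic setting that routes a category already sent to the same workspace by another setting, so the remediation task would fail instead of converging. Either keep the old name for scopes that were already remediated, or pair this rename with a one-off cleanup of the `setByPolicyLAW` settings before triggering remediation. The same consideration applies to the dev and prod hunks alike.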
@@ -62,7 +62,7 @@ stages: - template: ./template-task-install-ps-modules.yml parameters: displayName: "Install AzPolicyTest Module" - moduleNames: "AzPolicyTest`@2.8.2" + moduleNames: "AzPolicyTest`@3.0.0" shouldInstall: ${{ or(eq(parameters.runPolicyJsonPesterTests, true), eq(parameters.runPolicyInitiativePesterTests, true), eq(parameters.runPolicyDefinitionPesterTests, true)) }} - pwsh: | diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml index 2740ee1..09c86ae 100644 --- a/.github/ISSUE_TEMPLATE/config.yml +++ b/.github/ISSUE_TEMPLATE/config.yml @@ -1,5 +1,5 @@ blank_issues_enabled: false contact_links: - name: Documentation - url: https://github.com/AzPolicyFactory/AzPolicyFactory/tree/main/docs + url: https://github.com/Azure/AzPolicyFactory/tree/main/docs about: Check the documentation before opening an issue diff --git a/.github/actions/templates/test-policy-def/action.yml b/.github/actions/templates/test-policy-def/action.yml index e6cef55..06a4c05 100644 --- a/.github/actions/templates/test-policy-def/action.yml +++ b/.github/actions/templates/test-policy-def/action.yml @@ -1,5 +1,6 @@ name: "Policy Definition Pester Tests" -description: "Runs Pester tests for Azure Policy Definitions, Initiatives, and JSON content using the AzPolicyTest module" +description: "Runs Pester tests for Azure Policy Definitions, Initiatives, and + JSON content using the AzPolicyTest module" author: "Tao Yang" inputs: @@ -41,7 +42,9 @@ runs: using: "composite" steps: - name: Install AzPolicyTest Module - if: inputs.run-policy-json-pester-tests == 'true' || inputs.run-policy-initiative-pester-tests == 'true' || inputs.run-policy-definition-pester-tests == 'true' + if: inputs.run-policy-json-pester-tests == 'true' || + inputs.run-policy-initiative-pester-tests == 'true' || + inputs.run-policy-definition-pester-tests == 'true' shell: pwsh env: INPUT_WORKSPACE_DIRECTORY: ${{ github.workspace }} 
@@ -50,7 +53,7 @@ runs: Write-Output '::group::Install AzPolicyTest Module' $scriptPath = "$env:INPUT_WORKSPACE_DIRECTORY/scripts/pipelines/pipeline-install-moduleFromRepo.ps1" & $scriptPath ` - -modules 'AzPolicyTest@2.8.2' ` + -modules 'AzPolicyTest@3.0.0' ` -repoName 'PSGallery' ` -maxRetry 3 ` -allowPrerelease 'false' From c9fb532b92e5d8e9d7a641f5d33d49e48ed24cf8 Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Sat, 2 May 2026 00:05:08 +1000 Subject: [PATCH 10/46] Update AzPolicyTest module version to 3.1.0 in pipeline templates --- .azuredevops/templates/template-stage-policy-tests.yml | 2 +- .github/actions/templates/test-policy-def/action.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.azuredevops/templates/template-stage-policy-tests.yml b/.azuredevops/templates/template-stage-policy-tests.yml index 9ade2b0..efbba6b 100644 --- a/.azuredevops/templates/template-stage-policy-tests.yml +++ b/.azuredevops/templates/template-stage-policy-tests.yml @@ -62,7 +62,7 @@ stages: - template: ./template-task-install-ps-modules.yml parameters: displayName: "Install AzPolicyTest Module" - moduleNames: "AzPolicyTest`@3.0.0" + moduleNames: "AzPolicyTest`@3.1.0" shouldInstall: ${{ or(eq(parameters.runPolicyJsonPesterTests, true), eq(parameters.runPolicyInitiativePesterTests, true), eq(parameters.runPolicyDefinitionPesterTests, true)) }} - pwsh: | diff --git a/.github/actions/templates/test-policy-def/action.yml b/.github/actions/templates/test-policy-def/action.yml index 06a4c05..b8ecfab 100644 --- a/.github/actions/templates/test-policy-def/action.yml +++ b/.github/actions/templates/test-policy-def/action.yml @@ -53,7 +53,7 @@ runs: Write-Output '::group::Install AzPolicyTest Module' $scriptPath = "$env:INPUT_WORKSPACE_DIRECTORY/scripts/pipelines/pipeline-install-moduleFromRepo.ps1" & $scriptPath ` - -modules 'AzPolicyTest@3.0.0' ` + -modules 'AzPolicyTest@3.1.0' ` -repoName 'PSGallery' ` -maxRetry 3 ` -allowPrerelease 'false' 
From f89adb7f890e68cdee6e8faf2999328fec2fe845 Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Sat, 2 May 2026 10:59:51 +1000 Subject: [PATCH 11/46] Update policy assignment and definition resources to use 2026-01-01-preview API version --- .../authorization/policy-assignment/management-group/main.bicep | 2 +- .../authorization/policy-assignment/resource-group/main.bicep | 2 +- .../authorization/policy-assignment/subscription/main.bicep | 2 +- .../authorization/policy-definition/management-group/main.bicep | 2 +- .../authorization/policy-definition/subscription/main.bicep | 2 +- .../authorization/policy-exemption/management-group/main.bicep | 2 +- .../authorization/policy-exemption/resource-group/main.bicep | 2 +- .../authorization/policy-exemption/subscription/main.bicep | 2 +- .../policy-set-definition/management-group/main.bicep | 2 +- .../authorization/policy-set-definition/subscription/main.bicep | 2 +- .../action-groups/pol-ag-deny-external-email-notification.json | 1 + 11 files changed, 11 insertions(+), 10 deletions(-) diff --git a/bicep/modules/authorization/policy-assignment/management-group/main.bicep b/bicep/modules/authorization/policy-assignment/management-group/main.bicep index 60f14af..83c6436 100644 --- a/bicep/modules/authorization/policy-assignment/management-group/main.bicep +++ b/bicep/modules/authorization/policy-assignment/management-group/main.bicep @@ -32,7 +32,7 @@ var identityVar = policyAssignment.?identity == 'SystemAssigned' } : null -resource assignment 'Microsoft.Authorization/policyAssignments@2025-03-01' = { +resource assignment 'Microsoft.Authorization/policyAssignments@2026-01-01-preview' = { name: policyAssignment.name location: location properties: { diff --git a/bicep/modules/authorization/policy-assignment/resource-group/main.bicep b/bicep/modules/authorization/policy-assignment/resource-group/main.bicep index 63b2225..ecd051b 100644 --- a/bicep/modules/authorization/policy-assignment/resource-group/main.bicep 
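Review bot: Every authorization module moves from a GA api-version (`policyAssignments@2025-03-01`, `policyDefinitions@2025-03-01`, `policySetDefinitions@2025-03-01`) to the preview `2026-01-01-preview`, and PATCH 12/46 then rewrites all ten files again to `2025-12-01-preview`; preview API versions can change or be withdrawn without notice, so the commit message should name the property that needs it (presumably the policy definition `version`, which this same commit adds to `pol-ag-deny-external-email-notification.json`), and the two commits are better squashed so history records one intended version. Separately, the `policy-definition/*/main.bicep` files carry mode `100755` in their index lines, which is an executable bit on a declarative template; `git update-index --chmod=-x` on those two paths would normalise them to `100644` like the other modules. Only the resource declarations are shown in full; the surrounding module bodies are outside the hunks.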
+++ b/bicep/modules/authorization/policy-assignment/resource-group/main.bicep @@ -35,7 +35,7 @@ var identityVar = policyAssignment.?identity == 'SystemAssigned' } : null -resource assignment 'Microsoft.Authorization/policyAssignments@2025-03-01' = { +resource assignment 'Microsoft.Authorization/policyAssignments@2026-01-01-preview' = { name: policyAssignment.name location: location properties: { diff --git a/bicep/modules/authorization/policy-assignment/subscription/main.bicep b/bicep/modules/authorization/policy-assignment/subscription/main.bicep index 7a6e704..8fd3770 100644 --- a/bicep/modules/authorization/policy-assignment/subscription/main.bicep +++ b/bicep/modules/authorization/policy-assignment/subscription/main.bicep @@ -31,7 +31,7 @@ var identityVar = policyAssignment.?identity == 'SystemAssigned' } : null -resource assignment 'Microsoft.Authorization/policyAssignments@2025-03-01' = { +resource assignment 'Microsoft.Authorization/policyAssignments@2026-01-01-preview' = { name: policyAssignment.name location: location properties: { diff --git a/bicep/modules/authorization/policy-definition/management-group/main.bicep b/bicep/modules/authorization/policy-definition/management-group/main.bicep index b37653e..993c538 100755 --- a/bicep/modules/authorization/policy-definition/management-group/main.bicep +++ b/bicep/modules/authorization/policy-definition/management-group/main.bicep @@ -16,7 +16,7 @@ var additionalMetadata = { } @batchSize(15) -resource policies 'Microsoft.Authorization/policyDefinitions@2025-03-01' = [ +resource policies 'Microsoft.Authorization/policyDefinitions@2026-01-01-preview' = [ for policyDefinition in policyDefinitions: { name: policyDefinition.name properties: { diff --git a/bicep/modules/authorization/policy-definition/subscription/main.bicep b/bicep/modules/authorization/policy-definition/subscription/main.bicep index 061f787..d1fcdeb 100755 --- a/bicep/modules/authorization/policy-definition/subscription/main.bicep 
+++ b/bicep/modules/authorization/policy-definition/subscription/main.bicep @@ -17,7 +17,7 @@ var additionalMetadata = { } @batchSize(15) -resource policies 'Microsoft.Authorization/policyDefinitions@2025-03-01' = [ +resource policies 'Microsoft.Authorization/policyDefinitions@2026-01-01-preview' = [ for policyDefinition in policyDefinitions: { name: policyDefinition.name properties: { diff --git a/bicep/modules/authorization/policy-exemption/management-group/main.bicep b/bicep/modules/authorization/policy-exemption/management-group/main.bicep index 7201f60..614d873 100644 --- a/bicep/modules/authorization/policy-exemption/management-group/main.bicep +++ b/bicep/modules/authorization/policy-exemption/management-group/main.bicep @@ -13,7 +13,7 @@ var additionalMetadata = union(policyExemption.?metadata ?? {}, { hidden_vml_version: loadJsonContent('./version.json').version }) -resource exemption 'Microsoft.Authorization/policyExemptions@2024-12-01-preview' = { +resource exemption 'Microsoft.Authorization/policyExemptions@2026-01-01-preview' = { name: policyExemption.name properties: { displayName: policyExemption.?displayName diff --git a/bicep/modules/authorization/policy-exemption/resource-group/main.bicep b/bicep/modules/authorization/policy-exemption/resource-group/main.bicep index 81106d6..ffae6f8 100644 --- a/bicep/modules/authorization/policy-exemption/resource-group/main.bicep +++ b/bicep/modules/authorization/policy-exemption/resource-group/main.bicep @@ -13,7 +13,7 @@ var additionalMetadata = union(policyExemption.?metadata ?? {}, { hidden_vml_version: loadJsonContent('./version.json').version }) -resource exemption 'Microsoft.Authorization/policyExemptions@2024-12-01-preview' = { +resource exemption 'Microsoft.Authorization/policyExemptions@2026-01-01-preview' = { name: policyExemption.name properties: { displayName: policyExemption.?displayName 
diff --git a/bicep/modules/authorization/policy-exemption/subscription/main.bicep b/bicep/modules/authorization/policy-exemption/subscription/main.bicep index d7bb9f0..7731319 100644 --- a/bicep/modules/authorization/policy-exemption/subscription/main.bicep +++ b/bicep/modules/authorization/policy-exemption/subscription/main.bicep @@ -13,7 +13,7 @@ var additionalMetadata = union(policyExemption.?metadata ?? {}, { hidden_vml_version: loadJsonContent('./version.json').version }) -resource exemption 'Microsoft.Authorization/policyExemptions@2024-12-01-preview' = { +resource exemption 'Microsoft.Authorization/policyExemptions@2026-01-01-preview' = { name: policyExemption.name properties: { displayName: policyExemption.?displayName diff --git a/bicep/modules/authorization/policy-set-definition/management-group/main.bicep b/bicep/modules/authorization/policy-set-definition/management-group/main.bicep index e07c63b..ad7f6cb 100644 --- a/bicep/modules/authorization/policy-set-definition/management-group/main.bicep +++ b/bicep/modules/authorization/policy-set-definition/management-group/main.bicep @@ -16,7 +16,7 @@ var additionalMetadata = { } @batchSize(15) -resource policySets 'Microsoft.Authorization/policySetDefinitions@2025-03-01' = [ +resource policySets 'Microsoft.Authorization/policySetDefinitions@2026-01-01-preview' = [ for policySetDefinition in policySetDefinitions: { name: policySetDefinition.name properties: { diff --git a/bicep/modules/authorization/policy-set-definition/subscription/main.bicep b/bicep/modules/authorization/policy-set-definition/subscription/main.bicep index b3aee94..d04e42b 100644 --- a/bicep/modules/authorization/policy-set-definition/subscription/main.bicep +++ b/bicep/modules/authorization/policy-set-definition/subscription/main.bicep 
@@ -16,7 +16,7 @@ var additionalMetadata = { } @batchSize(15) -resource policySets 'Microsoft.Authorization/policySetDefinitions@2025-03-01' = [ +resource policySets 'Microsoft.Authorization/policySetDefinitions@2026-01-01-preview' = [ for policySetDefinition in policySetDefinitions: { name: policySetDefinition.name properties: { diff --git a/policyDefinitions/action-groups/pol-ag-deny-external-email-notification.json b/policyDefinitions/action-groups/pol-ag-deny-external-email-notification.json index e19341b..29ec305 100644 --- a/policyDefinitions/action-groups/pol-ag-deny-external-email-notification.json +++ b/policyDefinitions/action-groups/pol-ag-deny-external-email-notification.json @@ -10,6 +10,7 @@ "deprecated": false }, "mode": "Indexed", + "version": "1.0.0", "parameters": { "effect": { "type": "string", From a0f51e36abe64840657762fe7dc00c849a0c0695 Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Sat, 2 May 2026 11:15:44 +1000 Subject: [PATCH 12/46] Update policy assignment, definition, exemption, and set definition resources to use 2025-12-01-preview API version --- .../authorization/policy-assignment/management-group/main.bicep | 2 +- .../authorization/policy-assignment/resource-group/main.bicep | 2 +- .../authorization/policy-assignment/subscription/main.bicep | 2 +- .../authorization/policy-definition/management-group/main.bicep | 2 +- .../authorization/policy-definition/subscription/main.bicep | 2 +- .../authorization/policy-exemption/management-group/main.bicep | 2 +- .../authorization/policy-exemption/resource-group/main.bicep | 2 +- .../authorization/policy-exemption/subscription/main.bicep | 2 +- .../policy-set-definition/management-group/main.bicep | 2 +- .../authorization/policy-set-definition/subscription/main.bicep | 2 +- tests/policy-integration-tests/postgresql/main.bad.bicep | 2 +- tests/policy-integration-tests/postgresql/main.good.bicep | 2 +- 12 files changed, 12 insertions(+), 12 deletions(-) 
diff --git a/bicep/modules/authorization/policy-assignment/management-group/main.bicep b/bicep/modules/authorization/policy-assignment/management-group/main.bicep index 83c6436..53e1dc9 100644 --- a/bicep/modules/authorization/policy-assignment/management-group/main.bicep +++ b/bicep/modules/authorization/policy-assignment/management-group/main.bicep @@ -32,7 +32,7 @@ var identityVar = policyAssignment.?identity == 'SystemAssigned' } : null -resource assignment 'Microsoft.Authorization/policyAssignments@2026-01-01-preview' = { +resource assignment 'Microsoft.Authorization/policyAssignments@2025-12-01-preview' = { name: policyAssignment.name location: location properties: { diff --git a/bicep/modules/authorization/policy-assignment/resource-group/main.bicep b/bicep/modules/authorization/policy-assignment/resource-group/main.bicep index ecd051b..9598849 100644 --- a/bicep/modules/authorization/policy-assignment/resource-group/main.bicep +++ b/bicep/modules/authorization/policy-assignment/resource-group/main.bicep @@ -35,7 +35,7 @@ var identityVar = policyAssignment.?identity == 'SystemAssigned' } : null -resource assignment 'Microsoft.Authorization/policyAssignments@2026-01-01-preview' = { +resource assignment 'Microsoft.Authorization/policyAssignments@2025-12-01-preview' = { name: policyAssignment.name location: location properties: { diff --git a/bicep/modules/authorization/policy-assignment/subscription/main.bicep b/bicep/modules/authorization/policy-assignment/subscription/main.bicep index 8fd3770..5b315d3 100644 --- a/bicep/modules/authorization/policy-assignment/subscription/main.bicep +++ b/bicep/modules/authorization/policy-assignment/subscription/main.bicep 
@@ -31,7 +31,7 @@ var identityVar = policyAssignment.?identity == 'SystemAssigned'
 }
 : null
-resource assignment 'Microsoft.Authorization/policyAssignments@2026-01-01-preview' = {
+resource assignment 'Microsoft.Authorization/policyAssignments@2025-12-01-preview' = {
 name: policyAssignment.name
 location: location
 properties: {
diff --git a/bicep/modules/authorization/policy-definition/management-group/main.bicep b/bicep/modules/authorization/policy-definition/management-group/main.bicep
index 993c538..53291bd 100755
--- a/bicep/modules/authorization/policy-definition/management-group/main.bicep
+++ b/bicep/modules/authorization/policy-definition/management-group/main.bicep
@@ -16,7 +16,7 @@ var additionalMetadata = {
 }
 @batchSize(15)
-resource policies 'Microsoft.Authorization/policyDefinitions@2026-01-01-preview' = [
+resource policies 'Microsoft.Authorization/policyDefinitions@2025-12-01-preview' = [
 for policyDefinition in policyDefinitions: {
 name: policyDefinition.name
 properties: {
diff --git a/bicep/modules/authorization/policy-definition/subscription/main.bicep b/bicep/modules/authorization/policy-definition/subscription/main.bicep
index d1fcdeb..5f79426 100755
--- a/bicep/modules/authorization/policy-definition/subscription/main.bicep
+++ b/bicep/modules/authorization/policy-definition/subscription/main.bicep
@@ -17,7 +17,7 @@ var additionalMetadata = {
 }
 @batchSize(15)
-resource policies 'Microsoft.Authorization/policyDefinitions@2026-01-01-preview' = [
+resource policies 'Microsoft.Authorization/policyDefinitions@2025-12-01-preview' = [
 for policyDefinition in policyDefinitions: {
 name: policyDefinition.name
 properties: {
diff --git a/bicep/modules/authorization/policy-exemption/management-group/main.bicep b/bicep/modules/authorization/policy-exemption/management-group/main.bicep
index 614d873..d12b595 100644
--- a/bicep/modules/authorization/policy-exemption/management-group/main.bicep
+++ b/bicep/modules/authorization/policy-exemption/management-group/main.bicep
@@ -13,7 +13,7 @@ var additionalMetadata = union(policyExemption.?metadata ?? {}, {
 hidden_vml_version: loadJsonContent('./version.json').version
 })
-resource exemption 'Microsoft.Authorization/policyExemptions@2026-01-01-preview' = {
+resource exemption 'Microsoft.Authorization/policyExemptions@2025-12-01-preview' = {
 name: policyExemption.name
 properties: {
 displayName: policyExemption.?displayName
diff --git a/bicep/modules/authorization/policy-exemption/resource-group/main.bicep b/bicep/modules/authorization/policy-exemption/resource-group/main.bicep
index ffae6f8..7b9d09b 100644
--- a/bicep/modules/authorization/policy-exemption/resource-group/main.bicep
+++ b/bicep/modules/authorization/policy-exemption/resource-group/main.bicep
@@ -13,7 +13,7 @@ var additionalMetadata = union(policyExemption.?metadata ?? {}, {
 hidden_vml_version: loadJsonContent('./version.json').version
 })
-resource exemption 'Microsoft.Authorization/policyExemptions@2026-01-01-preview' = {
+resource exemption 'Microsoft.Authorization/policyExemptions@2025-12-01-preview' = {
 name: policyExemption.name
 properties: {
 displayName: policyExemption.?displayName
diff --git a/bicep/modules/authorization/policy-exemption/subscription/main.bicep b/bicep/modules/authorization/policy-exemption/subscription/main.bicep
index 7731319..6df61d2 100644
--- a/bicep/modules/authorization/policy-exemption/subscription/main.bicep
+++ b/bicep/modules/authorization/policy-exemption/subscription/main.bicep
@@ -13,7 +13,7 @@ var additionalMetadata = union(policyExemption.?metadata ?? {}, {
 hidden_vml_version: loadJsonContent('./version.json').version
 })
-resource exemption 'Microsoft.Authorization/policyExemptions@2026-01-01-preview' = {
+resource exemption 'Microsoft.Authorization/policyExemptions@2025-12-01-preview' = {
 name: policyExemption.name
 properties: {
 displayName: policyExemption.?displayName
diff --git a/bicep/modules/authorization/policy-set-definition/management-group/main.bicep b/bicep/modules/authorization/policy-set-definition/management-group/main.bicep
index ad7f6cb..1c9afd4 100644
--- a/bicep/modules/authorization/policy-set-definition/management-group/main.bicep
+++ b/bicep/modules/authorization/policy-set-definition/management-group/main.bicep
@@ -16,7 +16,7 @@ var additionalMetadata = {
 }
 @batchSize(15)
-resource policySets 'Microsoft.Authorization/policySetDefinitions@2026-01-01-preview' = [
+resource policySets 'Microsoft.Authorization/policySetDefinitions@2025-12-01-preview' = [
 for policySetDefinition in policySetDefinitions: {
 name: policySetDefinition.name
 properties: {
diff --git a/bicep/modules/authorization/policy-set-definition/subscription/main.bicep b/bicep/modules/authorization/policy-set-definition/subscription/main.bicep
index d04e42b..0f327db 100644
--- a/bicep/modules/authorization/policy-set-definition/subscription/main.bicep
+++ b/bicep/modules/authorization/policy-set-definition/subscription/main.bicep
@@ -16,7 +16,7 @@ var additionalMetadata = {
 }
 @batchSize(15)
-resource policySets 'Microsoft.Authorization/policySetDefinitions@2026-01-01-preview' = [
+resource policySets 'Microsoft.Authorization/policySetDefinitions@2025-12-01-preview' = [
 for policySetDefinition in policySetDefinitions: {
 name: policySetDefinition.name
 properties: {
diff --git a/tests/policy-integration-tests/postgresql/main.bad.bicep b/tests/policy-integration-tests/postgresql/main.bad.bicep
index 96e3488..bad93db 100644
--- a/tests/policy-integration-tests/postgresql/main.bad.bicep
+++ b/tests/policy-integration-tests/postgresql/main.bad.bicep
@@ -113,7 +113,7 @@ resource virtualNetwork 'Microsoft.Network/virtualNetworks@2025-05-01' = {
 }
 }
-resource postgresql 'Microsoft.DBforPostgreSQL/flexibleServers@2026-01-01-preview' = {
+resource postgresql 'Microsoft.DBforPostgreSQL/flexibleServers@2025-12-01-preview' = {
 name: postgreSqlName
 location: location
 sku: {
diff --git a/tests/policy-integration-tests/postgresql/main.good.bicep b/tests/policy-integration-tests/postgresql/main.good.bicep
index 5fcc587..f326f09 100644
--- a/tests/policy-integration-tests/postgresql/main.good.bicep
+++ b/tests/policy-integration-tests/postgresql/main.good.bicep
@@ -110,7 +110,7 @@ resource virtualNetwork 'Microsoft.Network/virtualNetworks@2025-05-01' = {
 }
 }
-resource postgresql 'Microsoft.DBforPostgreSQL/flexibleServers@2026-01-01-preview' = {
+resource postgresql 'Microsoft.DBforPostgreSQL/flexibleServers@2025-12-01-preview' = {
 name: postgreSqlName
 location: location
 sku: {
From 25c649be7338268a11526ff4ddb2a9116256af15 Mon Sep 17 00:00:00 2001
From: Tao Yang
Date: Sat, 2 May 2026 11:31:25 +1000
Subject: [PATCH 13/46] Update policy module versions to 3.1.0 and set action group policy versions to 1.0.0
---
 .../policy-assignment/management-group/version.json | 2 +-
 .../authorization/policy-assignment/resource-group/version.json | 2 +-
 .../authorization/policy-assignment/subscription/version.json | 2 +-
 bicep/modules/authorization/policy-assignment/version.json | 2 +-
 .../policy-definition/management-group/version.json | 2 +-
 .../authorization/policy-definition/subscription/version.json | 2 +-
 bicep/modules/authorization/policy-definition/version.json | 2 +-
 .../policy-exemption/management-group/version.json | 2 +-
 .../authorization/policy-exemption/resource-group/version.json | 2 +-
 .../authorization/policy-exemption/subscription/version.json | 2 +-
 bicep/modules/authorization/policy-exemption/version.json | 2 +-
 .../policy-set-definition/management-group/version.json | 2 +-
 .../policy-set-definition/subscription/version.json | 2 +-
 bicep/modules/authorization/policy-set-definition/version.json | 2 +-
 policyDefinitions/action-groups/pol-ag-deny-http-webhooks.json | 1 +
 .../pol-ag-deny-unauthorized-azure-automation-actions.json | 1 +
 .../pol-ag-deny-unauthorized-event-hub-actions.json | 1 +
 .../pol-ag-deny-unauthorized-function-app-actions.json | 1 +
 .../pol-ag-deny-unauthorized-logic-app-actions.json | 1 +
 .../pol-ag-deny-unauthorized-sms-notification-country-code.json | 1 +
 .../action-groups/pol-ag-deny-unauthorized-webhooks.json | 1 +
 .../azure-sql/pol-audit-deny-sql-server-aad-auth.json | 1 +
 .../azure-sql/pol-audit-deny-sql-server-public-endpoint.json | 1 +
 .../azure-sql/pol-audit-deny-sql-server-tls-version.json | 1 +
 .../azure-sql/pol-audit-sql-advanced-data-security.json | 1 +
 .../azure-sql/pol-audit-sql-server-private-endpoint.json | 1 +
 policyDefinitions/azure-sql/pol-audit-sql-vuln-assessment.json | 1 +
 .../azure-sql/pol-deploy-sql-database-auditing-settings.json | 1 +
policyDefinitions/azure-sql/pol-deploy-sql-tde.json | 1 +
 29 files changed, 29 insertions(+), 14 deletions(-)
diff --git a/bicep/modules/authorization/policy-assignment/management-group/version.json b/bicep/modules/authorization/policy-assignment/management-group/version.json
index 733a20f..941b8d8 100644
--- a/bicep/modules/authorization/policy-assignment/management-group/version.json
+++ b/bicep/modules/authorization/policy-assignment/management-group/version.json
@@ -1,6 +1,6 @@
 {
 "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "3.0.0",
+ "version": "3.1.0",
 "pathFilters": [
 "./main.json"
 ]
diff --git a/bicep/modules/authorization/policy-assignment/resource-group/version.json b/bicep/modules/authorization/policy-assignment/resource-group/version.json
index 733a20f..941b8d8 100644
--- a/bicep/modules/authorization/policy-assignment/resource-group/version.json
+++ b/bicep/modules/authorization/policy-assignment/resource-group/version.json
@@ -1,6 +1,6 @@
 {
 "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "3.0.0",
+ "version": "3.1.0",
 "pathFilters": [
 "./main.json"
 ]
diff --git a/bicep/modules/authorization/policy-assignment/subscription/version.json b/bicep/modules/authorization/policy-assignment/subscription/version.json
index 733a20f..941b8d8 100644
--- a/bicep/modules/authorization/policy-assignment/subscription/version.json
+++ b/bicep/modules/authorization/policy-assignment/subscription/version.json
@@ -1,6 +1,6 @@
 {
 "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "3.0.0",
+ "version": "3.1.0",
 "pathFilters": [
 "./main.json"
 ]
diff --git a/bicep/modules/authorization/policy-assignment/version.json b/bicep/modules/authorization/policy-assignment/version.json
index 84ae65e..37bba59 100644
--- a/bicep/modules/authorization/policy-assignment/version.json
+++ b/bicep/modules/authorization/policy-assignment/version.json
@@ -1,6 +1,6 @@
 {
 "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "3.0.0",
+ "version": "3.1.0",
 "pathFilters": [
 "./main.json"
 ]
diff --git a/bicep/modules/authorization/policy-definition/management-group/version.json b/bicep/modules/authorization/policy-definition/management-group/version.json
index 84ae65e..37bba59 100755
--- a/bicep/modules/authorization/policy-definition/management-group/version.json
+++ b/bicep/modules/authorization/policy-definition/management-group/version.json
@@ -1,6 +1,6 @@
 {
 "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "3.0.0",
+ "version": "3.1.0",
 "pathFilters": [
 "./main.json"
 ]
diff --git a/bicep/modules/authorization/policy-definition/subscription/version.json b/bicep/modules/authorization/policy-definition/subscription/version.json
index 84ae65e..37bba59 100755
--- a/bicep/modules/authorization/policy-definition/subscription/version.json
+++ b/bicep/modules/authorization/policy-definition/subscription/version.json
@@ -1,6 +1,6 @@
 {
 "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "3.0.0",
+ "version": "3.1.0",
 "pathFilters": [
 "./main.json"
 ]
diff --git a/bicep/modules/authorization/policy-definition/version.json b/bicep/modules/authorization/policy-definition/version.json
index 733a20f..941b8d8 100755
--- a/bicep/modules/authorization/policy-definition/version.json
+++ b/bicep/modules/authorization/policy-definition/version.json
@@ -1,6 +1,6 @@
 {
 "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "3.0.0",
+ "version": "3.1.0",
 "pathFilters": [
 "./main.json"
 ]
diff --git a/bicep/modules/authorization/policy-exemption/management-group/version.json b/bicep/modules/authorization/policy-exemption/management-group/version.json
index df8ea65..179b0b5 100644
--- a/bicep/modules/authorization/policy-exemption/management-group/version.json
+++ b/bicep/modules/authorization/policy-exemption/management-group/version.json
@@ -1,6 +1,6 @@
 {
 "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.1",
+ "version": "3.1.0",
 "pathFilters": [
 "./main.json"
 ]
diff --git a/bicep/modules/authorization/policy-exemption/resource-group/version.json b/bicep/modules/authorization/policy-exemption/resource-group/version.json
index df8ea65..179b0b5 100644
--- a/bicep/modules/authorization/policy-exemption/resource-group/version.json
+++ b/bicep/modules/authorization/policy-exemption/resource-group/version.json
@@ -1,6 +1,6 @@
 {
 "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.1",
+ "version": "3.1.0",
 "pathFilters": [
 "./main.json"
 ]
diff --git a/bicep/modules/authorization/policy-exemption/subscription/version.json b/bicep/modules/authorization/policy-exemption/subscription/version.json
index df8ea65..179b0b5 100644
--- a/bicep/modules/authorization/policy-exemption/subscription/version.json
+++ b/bicep/modules/authorization/policy-exemption/subscription/version.json
@@ -1,6 +1,6 @@
 {
 "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.1",
+ "version": "3.1.0",
 "pathFilters": [
 "./main.json"
 ]
diff --git a/bicep/modules/authorization/policy-exemption/version.json b/bicep/modules/authorization/policy-exemption/version.json
index 79ac594..941b8d8 100644
--- a/bicep/modules/authorization/policy-exemption/version.json
+++ b/bicep/modules/authorization/policy-exemption/version.json
@@ -1,6 +1,6 @@
 {
 "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "1.0.0",
+ "version": "3.1.0",
 "pathFilters": [
 "./main.json"
 ]
diff --git a/bicep/modules/authorization/policy-set-definition/management-group/version.json b/bicep/modules/authorization/policy-set-definition/management-group/version.json
index 733a20f..941b8d8 100644
--- a/bicep/modules/authorization/policy-set-definition/management-group/version.json
+++ b/bicep/modules/authorization/policy-set-definition/management-group/version.json
@@ -1,6 +1,6 @@
 {
 "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "3.0.0",
+ "version": "3.1.0",
 "pathFilters": [
 "./main.json"
 ]
diff --git a/bicep/modules/authorization/policy-set-definition/subscription/version.json b/bicep/modules/authorization/policy-set-definition/subscription/version.json
index 733a20f..941b8d8 100755
--- a/bicep/modules/authorization/policy-set-definition/subscription/version.json
+++ b/bicep/modules/authorization/policy-set-definition/subscription/version.json
@@ -1,6 +1,6 @@
 {
 "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "3.0.0",
+ "version": "3.1.0",
 "pathFilters": [
 "./main.json"
 ]
diff --git a/bicep/modules/authorization/policy-set-definition/version.json b/bicep/modules/authorization/policy-set-definition/version.json
index 733a20f..941b8d8 100755
--- a/bicep/modules/authorization/policy-set-definition/version.json
+++ b/bicep/modules/authorization/policy-set-definition/version.json
@@ -1,6 +1,6 @@
 {
 "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "3.0.0",
+ "version": "3.1.0",
 "pathFilters": [
 "./main.json"
 ]
diff --git a/policyDefinitions/action-groups/pol-ag-deny-http-webhooks.json b/policyDefinitions/action-groups/pol-ag-deny-http-webhooks.json
index f48406f..52fcb99 100644
--- a/policyDefinitions/action-groups/pol-ag-deny-http-webhooks.json
+++ b/policyDefinitions/action-groups/pol-ag-deny-http-webhooks.json
@@ -10,6 +10,7 @@
 "deprecated": false
 },
 "mode": "Indexed",
+ "version": "1.0.0",
 "parameters": {
 "effect": {
 "type": "string",
diff --git a/policyDefinitions/action-groups/pol-ag-deny-unauthorized-azure-automation-actions.json b/policyDefinitions/action-groups/pol-ag-deny-unauthorized-azure-automation-actions.json
index 1275a2d..e6aae06 100644
--- a/policyDefinitions/action-groups/pol-ag-deny-unauthorized-azure-automation-actions.json
+++ b/policyDefinitions/action-groups/pol-ag-deny-unauthorized-azure-automation-actions.json
@@ -10,6 +10,7 @@
 "deprecated": false
 },
 "mode": "Indexed",
+ "version": "1.0.0",
 "parameters": {
 "effect": {
 "type": "string",
diff --git a/policyDefinitions/action-groups/pol-ag-deny-unauthorized-event-hub-actions.json b/policyDefinitions/action-groups/pol-ag-deny-unauthorized-event-hub-actions.json
index 3dfd75e..31d0e87 100644
--- a/policyDefinitions/action-groups/pol-ag-deny-unauthorized-event-hub-actions.json
+++ b/policyDefinitions/action-groups/pol-ag-deny-unauthorized-event-hub-actions.json
@@ -10,6 +10,7 @@
 "deprecated": false
 },
 "mode": "Indexed",
+ "version": "1.0.0",
 "parameters": {
 "effect": {
 "type": "string",
diff --git a/policyDefinitions/action-groups/pol-ag-deny-unauthorized-function-app-actions.json b/policyDefinitions/action-groups/pol-ag-deny-unauthorized-function-app-actions.json
index b9fa6df..934ea40 100644
--- a/policyDefinitions/action-groups/pol-ag-deny-unauthorized-function-app-actions.json
+++ b/policyDefinitions/action-groups/pol-ag-deny-unauthorized-function-app-actions.json
@@ -10,6 +10,7 @@
 "deprecated": false
 },
 "mode": "Indexed",
+ "version": "1.0.0",
 "parameters": {
 "effect": {
 "type": "string",
diff --git a/policyDefinitions/action-groups/pol-ag-deny-unauthorized-logic-app-actions.json b/policyDefinitions/action-groups/pol-ag-deny-unauthorized-logic-app-actions.json
index 5dfb8b9..f7463be 100644
--- a/policyDefinitions/action-groups/pol-ag-deny-unauthorized-logic-app-actions.json
+++ b/policyDefinitions/action-groups/pol-ag-deny-unauthorized-logic-app-actions.json
@@ -10,6 +10,7 @@
 "deprecated": false
 },
 "mode": "Indexed",
+ "version": "1.0.0",
 "parameters": {
 "effect": {
 "type": "string",
diff --git a/policyDefinitions/action-groups/pol-ag-deny-unauthorized-sms-notification-country-code.json b/policyDefinitions/action-groups/pol-ag-deny-unauthorized-sms-notification-country-code.json
index b841847..5c9292a 100644
--- a/policyDefinitions/action-groups/pol-ag-deny-unauthorized-sms-notification-country-code.json
+++ b/policyDefinitions/action-groups/pol-ag-deny-unauthorized-sms-notification-country-code.json
@@ -10,6 +10,7 @@
 "depreciated": false
 },
 "mode": "Indexed",
+ "version": "1.0.0",
 "parameters": {
 "effect": {
 "type": "string",
diff --git a/policyDefinitions/action-groups/pol-ag-deny-unauthorized-webhooks.json b/policyDefinitions/action-groups/pol-ag-deny-unauthorized-webhooks.json
index 46b3025..6c8495e 100644
--- a/policyDefinitions/action-groups/pol-ag-deny-unauthorized-webhooks.json
+++ b/policyDefinitions/action-groups/pol-ag-deny-unauthorized-webhooks.json
@@ -10,6 +10,7 @@
 "deprecated": false
 },
 "mode": "Indexed",
+ "version": "1.0.0",
 "parameters": {
 "effect": {
 "type": "string",
diff --git a/policyDefinitions/azure-sql/pol-audit-deny-sql-server-aad-auth.json b/policyDefinitions/azure-sql/pol-audit-deny-sql-server-aad-auth.json
index afdfbc0..bdf813a 100644
--- a/policyDefinitions/azure-sql/pol-audit-deny-sql-server-aad-auth.json
+++ b/policyDefinitions/azure-sql/pol-audit-deny-sql-server-aad-auth.json
@@ -11,6 +11,7 @@
 "source_builtIn_name": "abda6d70-9778-44e7-84a8-06713e6db027"
 },
 "mode": "Indexed",
+ "version": "1.0.0",
 "parameters": {
 "effect": {
 "type": "String",
diff --git a/policyDefinitions/azure-sql/pol-audit-deny-sql-server-public-endpoint.json b/policyDefinitions/azure-sql/pol-audit-deny-sql-server-public-endpoint.json
index c6e4f3c..9f90eab 100644
--- a/policyDefinitions/azure-sql/pol-audit-deny-sql-server-public-endpoint.json
+++ b/policyDefinitions/azure-sql/pol-audit-deny-sql-server-public-endpoint.json
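Review bot: The metadata key on the first context line of the sms-notification-country-code hunk is spelled `"depreciated": false`, while every sibling definition in this commit uses `"deprecated": false`, so any build or test step that reads `metadata.deprecated` will treat this definition as if the flag were absent. The misspelling is pre-existing, but the commit edits the adjacent line and the same hunk shape appears again for this file in the later "Remove version property" commit, so it is a one-line fix worth taking here: `"deprecated": false`. The rest of the metadata object and the definition start and end outside the hunk.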
@@ -11,6 +11,7 @@
 "source_builtIn_name": "1b8ca024-1d5c-4dec-8995-b1a932b41780"
 },
 "mode": "Indexed",
+ "version": "1.1.0",
 "parameters": {
 "effect": {
 "type": "String",
diff --git a/policyDefinitions/azure-sql/pol-audit-deny-sql-server-tls-version.json b/policyDefinitions/azure-sql/pol-audit-deny-sql-server-tls-version.json
index 0fc835d..2deaffe 100644
--- a/policyDefinitions/azure-sql/pol-audit-deny-sql-server-tls-version.json
+++ b/policyDefinitions/azure-sql/pol-audit-deny-sql-server-tls-version.json
@@ -11,6 +11,7 @@
 "source_builtIn_name": "32e6bbec-16b6-44c2-be37-c5b672d103cf"
 },
 "mode": "Indexed",
+ "version": "2.0.0",
 "parameters": {
 "effect": {
 "type": "string",
diff --git a/policyDefinitions/azure-sql/pol-audit-sql-advanced-data-security.json b/policyDefinitions/azure-sql/pol-audit-sql-advanced-data-security.json
index f059533..e9364dc 100644
--- a/policyDefinitions/azure-sql/pol-audit-sql-advanced-data-security.json
+++ b/policyDefinitions/azure-sql/pol-audit-sql-advanced-data-security.json
@@ -11,6 +11,7 @@
 "source_builtIn_name": "abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9"
 },
 "mode": "Indexed",
+ "version": "2.0.1",
 "parameters": {
 "effect": {
 "type": "string",
diff --git a/policyDefinitions/azure-sql/pol-audit-sql-server-private-endpoint.json b/policyDefinitions/azure-sql/pol-audit-sql-server-private-endpoint.json
index 485d015..de003db 100644
--- a/policyDefinitions/azure-sql/pol-audit-sql-server-private-endpoint.json
+++ b/policyDefinitions/azure-sql/pol-audit-sql-server-private-endpoint.json
@@ -11,6 +11,7 @@
 "source_builtIn_name": "7698e800-9299-47a6-b3b6-5a0fee576eed"
 },
 "mode": "Indexed",
+ "version": "1.1.0",
 "parameters": {
 "effect": {
 "type": "string",
diff --git a/policyDefinitions/azure-sql/pol-audit-sql-vuln-assessment.json b/policyDefinitions/azure-sql/pol-audit-sql-vuln-assessment.json
index 81fa169..c6597f0 100644
--- a/policyDefinitions/azure-sql/pol-audit-sql-vuln-assessment.json
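Review bot: The `effect` parameter in the public-endpoint hunk is declared with `"type": "String"`, while the tls-version, advanced-data-security and private-endpoint hunks in the same commit use `"type": "string"`; the aad-auth hunk just above has the same capitalised form. Both spellings are accepted in practice, but the repo otherwise uses lowercase and the later PEDNS initiative commit corrects exactly this form, so normalising these two to `"type": "string"` keeps the definitions consistent. The `version` values added across the azure-sql hunks also differ per file (1.0.0, 1.1.0, 2.0.0, 2.0.1, 2.1.0) and presumably track the built-in named in `source_builtIn_name`; a one-line comment in the contributor docs stating how `version` is derived would stop the next bump from guessing. The parameter definition and the enclosing object continue outside the hunk.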
+++ b/policyDefinitions/azure-sql/pol-audit-sql-vuln-assessment.json
@@ -11,6 +11,7 @@
 "source_builtIn_name": "ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9"
 },
 "mode": "Indexed",
+ "version": "2.0.0",
 "parameters": {
 "effect": {
 "type": "string",
diff --git a/policyDefinitions/azure-sql/pol-deploy-sql-database-auditing-settings.json b/policyDefinitions/azure-sql/pol-deploy-sql-database-auditing-settings.json
index 873fdbb..104b677 100644
--- a/policyDefinitions/azure-sql/pol-deploy-sql-database-auditing-settings.json
+++ b/policyDefinitions/azure-sql/pol-deploy-sql-database-auditing-settings.json
@@ -10,6 +10,7 @@
 "deprecated": false
 },
 "mode": "All",
+ "version": "1.0.0",
 "parameters": {
 "auditActionsAndGroups": {
 "type": "array",
diff --git a/policyDefinitions/azure-sql/pol-deploy-sql-tde.json b/policyDefinitions/azure-sql/pol-deploy-sql-tde.json
index eaa780d..b531145 100644
--- a/policyDefinitions/azure-sql/pol-deploy-sql-tde.json
+++ b/policyDefinitions/azure-sql/pol-deploy-sql-tde.json
@@ -11,6 +11,7 @@
 "source_builtIn_name": "86a912f6-9a06-4e26-b447-11b16ba8659f"
 },
 "mode": "Indexed",
+ "version": "2.1.0",
 "parameters": {
 "effect": {
 "type": "string",
From cfdb5ba9037328c35601c6951cede6ede48c2847 Mon Sep 17 00:00:00 2001
From: Tao Yang
Date: Sat, 2 May 2026 12:41:05 +1000
Subject: [PATCH 14/46] Remove version property from multiple policy definition files
---
 .../action-groups/pol-ag-deny-external-email-notification.json | 1 -
 policyDefinitions/action-groups/pol-ag-deny-http-webhooks.json | 1 -
 .../pol-ag-deny-unauthorized-azure-automation-actions.json | 1 -
 .../pol-ag-deny-unauthorized-event-hub-actions.json | 1 -
 .../pol-ag-deny-unauthorized-function-app-actions.json | 1 -
 .../pol-ag-deny-unauthorized-logic-app-actions.json | 1 -
 .../pol-ag-deny-unauthorized-sms-notification-country-code.json | 1 -
 .../action-groups/pol-ag-deny-unauthorized-webhooks.json | 1 -
 .../azure-sql/pol-audit-deny-sql-server-aad-auth.json | 1 -
 .../azure-sql/pol-audit-deny-sql-server-public-endpoint.json | 1 -
 .../azure-sql/pol-audit-deny-sql-server-tls-version.json | 1 -
 .../azure-sql/pol-audit-sql-advanced-data-security.json | 1 -
 .../azure-sql/pol-audit-sql-server-private-endpoint.json | 1 -
 policyDefinitions/azure-sql/pol-audit-sql-vuln-assessment.json | 1 -
 .../azure-sql/pol-deploy-sql-database-auditing-settings.json | 1 -
 policyDefinitions/azure-sql/pol-deploy-sql-tde.json | 1 -
 16 files changed, 16 deletions(-)
diff --git a/policyDefinitions/action-groups/pol-ag-deny-external-email-notification.json b/policyDefinitions/action-groups/pol-ag-deny-external-email-notification.json
index 29ec305..e19341b 100644
--- a/policyDefinitions/action-groups/pol-ag-deny-external-email-notification.json
+++ b/policyDefinitions/action-groups/pol-ag-deny-external-email-notification.json
@@ -10,7 +10,6 @@
 "deprecated": false
 },
 "mode": "Indexed",
- "version": "1.0.0",
 "parameters": {
 "effect": {
 "type": "string",
diff --git a/policyDefinitions/action-groups/pol-ag-deny-http-webhooks.json b/policyDefinitions/action-groups/pol-ag-deny-http-webhooks.json
index 52fcb99..f48406f 100644
--- a/policyDefinitions/action-groups/pol-ag-deny-http-webhooks.json
+++ b/policyDefinitions/action-groups/pol-ag-deny-http-webhooks.json
@@ -10,7 +10,6 @@
 "deprecated": false
 },
 "mode": "Indexed",
- "version": "1.0.0",
 "parameters": {
 "effect": {
 "type": "string",
diff --git a/policyDefinitions/action-groups/pol-ag-deny-unauthorized-azure-automation-actions.json b/policyDefinitions/action-groups/pol-ag-deny-unauthorized-azure-automation-actions.json
index e6aae06..1275a2d 100644
--- a/policyDefinitions/action-groups/pol-ag-deny-unauthorized-azure-automation-actions.json
+++ b/policyDefinitions/action-groups/pol-ag-deny-unauthorized-azure-automation-actions.json
@@ -10,7 +10,6 @@
 "deprecated": false
 },
 "mode": "Indexed",
- "version": "1.0.0",
 "parameters": {
 "effect": {
 "type": "string",
diff --git a/policyDefinitions/action-groups/pol-ag-deny-unauthorized-event-hub-actions.json b/policyDefinitions/action-groups/pol-ag-deny-unauthorized-event-hub-actions.json
index 31d0e87..3dfd75e 100644
--- a/policyDefinitions/action-groups/pol-ag-deny-unauthorized-event-hub-actions.json
+++ b/policyDefinitions/action-groups/pol-ag-deny-unauthorized-event-hub-actions.json
@@ -10,7 +10,6 @@
 "deprecated": false
 },
 "mode": "Indexed",
- "version": "1.0.0",
 "parameters": {
 "effect": {
 "type": "string",
diff --git a/policyDefinitions/action-groups/pol-ag-deny-unauthorized-function-app-actions.json b/policyDefinitions/action-groups/pol-ag-deny-unauthorized-function-app-actions.json
index 934ea40..b9fa6df 100644
--- a/policyDefinitions/action-groups/pol-ag-deny-unauthorized-function-app-actions.json
+++ b/policyDefinitions/action-groups/pol-ag-deny-unauthorized-function-app-actions.json
@@ -10,7 +10,6 @@
 "deprecated": false
 },
 "mode": "Indexed",
- "version": "1.0.0",
 "parameters": {
 "effect": {
 "type": "string",
diff --git a/policyDefinitions/action-groups/pol-ag-deny-unauthorized-logic-app-actions.json b/policyDefinitions/action-groups/pol-ag-deny-unauthorized-logic-app-actions.json
index f7463be..5dfb8b9 100644
--- a/policyDefinitions/action-groups/pol-ag-deny-unauthorized-logic-app-actions.json
+++ b/policyDefinitions/action-groups/pol-ag-deny-unauthorized-logic-app-actions.json
@@ -10,7 +10,6 @@
 "deprecated": false
 },
 "mode": "Indexed",
- "version": "1.0.0",
 "parameters": {
 "effect": {
 "type": "string",
diff --git a/policyDefinitions/action-groups/pol-ag-deny-unauthorized-sms-notification-country-code.json b/policyDefinitions/action-groups/pol-ag-deny-unauthorized-sms-notification-country-code.json
index 5c9292a..b841847 100644
--- a/policyDefinitions/action-groups/pol-ag-deny-unauthorized-sms-notification-country-code.json
+++ b/policyDefinitions/action-groups/pol-ag-deny-unauthorized-sms-notification-country-code.json
@@ -10,7 +10,6 @@
 "depreciated": false
 },
 "mode": "Indexed",
- "version": "1.0.0",
 "parameters": {
 "effect": {
 "type": "string",
diff --git a/policyDefinitions/action-groups/pol-ag-deny-unauthorized-webhooks.json b/policyDefinitions/action-groups/pol-ag-deny-unauthorized-webhooks.json
index 6c8495e..46b3025 100644
--- a/policyDefinitions/action-groups/pol-ag-deny-unauthorized-webhooks.json
+++ b/policyDefinitions/action-groups/pol-ag-deny-unauthorized-webhooks.json
@@ -10,7 +10,6 @@
 "deprecated": false
 },
 "mode": "Indexed",
- "version": "1.0.0",
 "parameters": {
 "effect": {
 "type": "string",
diff --git a/policyDefinitions/azure-sql/pol-audit-deny-sql-server-aad-auth.json b/policyDefinitions/azure-sql/pol-audit-deny-sql-server-aad-auth.json
index bdf813a..afdfbc0 100644
--- a/policyDefinitions/azure-sql/pol-audit-deny-sql-server-aad-auth.json
+++ b/policyDefinitions/azure-sql/pol-audit-deny-sql-server-aad-auth.json
@@ -11,7 +11,6 @@
 "source_builtIn_name": "abda6d70-9778-44e7-84a8-06713e6db027"
 },
 "mode": "Indexed",
- "version": "1.0.0",
 "parameters": {
 "effect": {
 "type": "String",
diff --git a/policyDefinitions/azure-sql/pol-audit-deny-sql-server-public-endpoint.json b/policyDefinitions/azure-sql/pol-audit-deny-sql-server-public-endpoint.json
index 9f90eab..c6e4f3c 100644
--- a/policyDefinitions/azure-sql/pol-audit-deny-sql-server-public-endpoint.json
+++ b/policyDefinitions/azure-sql/pol-audit-deny-sql-server-public-endpoint.json
@@ -11,7 +11,6 @@
 "source_builtIn_name": "1b8ca024-1d5c-4dec-8995-b1a932b41780"
 },
 "mode": "Indexed",
- "version": "1.1.0",
 "parameters": {
 "effect": {
 "type": "String",
diff --git a/policyDefinitions/azure-sql/pol-audit-deny-sql-server-tls-version.json b/policyDefinitions/azure-sql/pol-audit-deny-sql-server-tls-version.json
index 2deaffe..0fc835d 100644
--- a/policyDefinitions/azure-sql/pol-audit-deny-sql-server-tls-version.json
+++ b/policyDefinitions/azure-sql/pol-audit-deny-sql-server-tls-version.json
@@ -11,7 +11,6 @@
 "source_builtIn_name": "32e6bbec-16b6-44c2-be37-c5b672d103cf"
 },
 "mode": "Indexed",
- "version": "2.0.0",
 "parameters": {
 "effect": {
 "type": "string",
diff --git a/policyDefinitions/azure-sql/pol-audit-sql-advanced-data-security.json b/policyDefinitions/azure-sql/pol-audit-sql-advanced-data-security.json
index e9364dc..f059533 100644
--- a/policyDefinitions/azure-sql/pol-audit-sql-advanced-data-security.json
+++ b/policyDefinitions/azure-sql/pol-audit-sql-advanced-data-security.json
@@ -11,7 +11,6 @@
 "source_builtIn_name": "abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9"
 },
 "mode": "Indexed",
- "version": "2.0.1",
 "parameters": {
 "effect": {
 "type": "string",
diff --git a/policyDefinitions/azure-sql/pol-audit-sql-server-private-endpoint.json b/policyDefinitions/azure-sql/pol-audit-sql-server-private-endpoint.json
index de003db..485d015 100644
--- a/policyDefinitions/azure-sql/pol-audit-sql-server-private-endpoint.json
+++ b/policyDefinitions/azure-sql/pol-audit-sql-server-private-endpoint.json
@@ -11,7 +11,6 @@
 "source_builtIn_name": "7698e800-9299-47a6-b3b6-5a0fee576eed"
 },
 "mode": "Indexed",
- "version": "1.1.0",
 "parameters": {
 "effect": {
 "type": "string",
diff --git a/policyDefinitions/azure-sql/pol-audit-sql-vuln-assessment.json b/policyDefinitions/azure-sql/pol-audit-sql-vuln-assessment.json
index c6597f0..81fa169 100644
--- a/policyDefinitions/azure-sql/pol-audit-sql-vuln-assessment.json
+++ b/policyDefinitions/azure-sql/pol-audit-sql-vuln-assessment.json
@@ -11,7 +11,6 @@
 "source_builtIn_name": "ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9"
 },
 "mode": "Indexed",
- "version": "2.0.0",
 "parameters": {
 "effect": {
 "type": "string",
diff --git a/policyDefinitions/azure-sql/pol-deploy-sql-database-auditing-settings.json b/policyDefinitions/azure-sql/pol-deploy-sql-database-auditing-settings.json
index 104b677..873fdbb 100644
--- a/policyDefinitions/azure-sql/pol-deploy-sql-database-auditing-settings.json
+++ b/policyDefinitions/azure-sql/pol-deploy-sql-database-auditing-settings.json
@@ -10,7 +10,6 @@
 "deprecated": false
 },
 "mode": "All",
- "version": "1.0.0",
 "parameters": {
 "auditActionsAndGroups": {
 "type": "array",
diff --git a/policyDefinitions/azure-sql/pol-deploy-sql-tde.json b/policyDefinitions/azure-sql/pol-deploy-sql-tde.json
index b531145..eaa780d 100644
--- a/policyDefinitions/azure-sql/pol-deploy-sql-tde.json
+++ b/policyDefinitions/azure-sql/pol-deploy-sql-tde.json
@@ -11,7 +11,6 @@
 "source_builtIn_name": "86a912f6-9a06-4e26-b447-11b16ba8659f"
 },
 "mode": "Indexed",
- "version": "2.1.0",
 "parameters": {
 "effect": {
 "type": "string",
From a78ab2a46111c759ba8955c8d388b97dd9f56b3b Mon Sep 17 00:00:00 2001
From: Tao Yang
Date: Sat, 2 May 2026 17:53:55 +1000
Subject: [PATCH 15/46] Update AzPolicyTest module version to 3.1.1 in pipeline templates
---
 .azuredevops/templates/template-stage-policy-tests.yml | 2 +-
 .github/actions/templates/test-policy-def/action.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.azuredevops/templates/template-stage-policy-tests.yml b/.azuredevops/templates/template-stage-policy-tests.yml
index efbba6b..bf842e6 100644
--- a/.azuredevops/templates/template-stage-policy-tests.yml +++ b/.azuredevops/templates/template-stage-policy-tests.yml @@ -62,7 +62,7 @@ stages: - template: ./template-task-install-ps-modules.yml parameters: displayName: "Install AzPolicyTest Module" - moduleNames: "AzPolicyTest`@3.1.0" + moduleNames: "AzPolicyTest`@3.1.1" shouldInstall: ${{ or(eq(parameters.runPolicyJsonPesterTests, true), eq(parameters.runPolicyInitiativePesterTests, true), eq(parameters.runPolicyDefinitionPesterTests, true)) }} - pwsh: | diff --git a/.github/actions/templates/test-policy-def/action.yml b/.github/actions/templates/test-policy-def/action.yml index b8ecfab..445b6f9 100644 --- a/.github/actions/templates/test-policy-def/action.yml +++ b/.github/actions/templates/test-policy-def/action.yml @@ -53,7 +53,7 @@ runs: Write-Output '::group::Install AzPolicyTest Module' $scriptPath = "$env:INPUT_WORKSPACE_DIRECTORY/scripts/pipelines/pipeline-install-moduleFromRepo.ps1" & $scriptPath ` - -modules 'AzPolicyTest@3.1.0' ` + -modules 'AzPolicyTest@3.1.1' ` -repoName 'PSGallery' ` -maxRetry 3 ` -allowPrerelease 'false' From 8b48fa4b321e77271e5708f7a3a8a018d19310cb Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Tue, 5 May 2026 17:46:51 +1000 Subject: [PATCH 16/46] Add PEDNS-016 effect for Cognitive Service Accounts to policy initiative --- policyAssignments/dev/pa-d-pedns.json | 3 ++ policyAssignments/prod/pa-p-pedns.json | 3 ++ policyInitiatives/polset-pedns.json | 41 +++++++++++++++++++++++++- 3 files changed, 46 insertions(+), 1 deletion(-) diff --git a/policyAssignments/dev/pa-d-pedns.json b/policyAssignments/dev/pa-d-pedns.json index 2b8f31f..e5bc3a3 100644 --- a/policyAssignments/dev/pa-d-pedns.json +++ b/policyAssignments/dev/pa-d-pedns.json @@ -55,6 +55,9 @@ "PEDNS-015_Effect": { "value": "DeployIfNotExists" }, + "PEDNS-016_Effect": { + "value": "DeployIfNotExists" + }, "evaluationDelay": { "value": "AfterProvisioning" }, 
diff --git a/policyAssignments/prod/pa-p-pedns.json b/policyAssignments/prod/pa-p-pedns.json
index 7933d6c..50eaa13 100644
--- a/policyAssignments/prod/pa-p-pedns.json
+++ b/policyAssignments/prod/pa-p-pedns.json
@@ -55,6 +55,9 @@
 "PEDNS-015_Effect": {
 "value": "DeployIfNotExists"
 },
+ "PEDNS-016_Effect": {
+ "value": "DeployIfNotExists"
+ },
 "evaluationDelay": {
 "value": "AfterProvisioning"
 },
diff --git a/policyInitiatives/polset-pedns.json b/policyInitiatives/polset-pedns.json
index dc945de..62adee0 100755
--- a/policyInitiatives/polset-pedns.json
+++ b/policyInitiatives/polset-pedns.json
@@ -179,7 +179,7 @@
 "defaultValue": "DeployIfNotExists"
 },
 "PEDNS-015_Effect": {
- "type": "String",
+ "type": "string",
 "metadata": {
 "displayName": "PEDNS-015 Effect: App Services slots",
 "description": "Enable or disable the execution of the policy"
@@ -190,6 +190,18 @@
 ],
 "defaultValue": "DeployIfNotExists"
 },
+ "PEDNS-016_Effect": {
+ "type": "string",
+ "metadata": {
+ "displayName": "PEDNS-016 Effect: Cognitive Service Accounts",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists"
+ },
 "evaluationDelay": {
 "type": "string",
 "metadata": {
@@ -581,6 +593,33 @@
 "groupNames": [
 "ISO27001-2013_A.13.1.3"
 ]
+ },
+ {
+ "policyDefinitionReferenceId": "PEDNS-016",
+ "policyDefinitionId": "{policyLocationResourceId}/providers/Microsoft.Authorization/policyDefinitions/pol-deploy-pe-dns-records-multiple-dns-zones-single-location",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('PEDNS-016_Effect')]"
+ },
+ "evaluationDelay": {
+ "value": "[parameters('evaluationDelay')]"
+ },
+ "groupId": {
+ "value": "AzureBackup"
+ },
+ "resourceLocation": {
+ "value": "australiaeast"
+ },
+ "privateDnsZoneIds": {
+ "value": "[concat(array(concat(parameters('privateDnsZoneResourceGroup'), '/providers/Microsoft.Network/privateDnsZones/', 'privatelink.cognitiveservices.azure.com')), array(concat(parameters('privateDnsZoneResourceGroup'), '/providers/Microsoft.Network/privateDnsZones/', 'privatelink.openai.azure.com')), array(concat(parameters('privateDnsZoneResourceGroup'), '/providers/Microsoft.Network/privateDnsZones/', 'privatelink.services.ai.azure.com')))]"
+ },
+ "privateLinkServiceResourceType": {
+ "value": "Microsoft.RecoveryServices/vaults"
+ }
+ },
+ "groupNames": [
+ "ISO27001-2013_A.13.1.3"
+ ]
 }
 ]
 }
From a6883843061bbb5c2f49ea580fb7947e86c5cb82 Mon Sep 17 00:00:00 2001
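Review bot: The new PEDNS-016 entry sets `groupId` to `AzureBackup` and `privateLinkServiceResourceType` to `Microsoft.RecoveryServices/vaults`, which does not match the `privatelink.cognitiveservices.azure.com`, `privatelink.openai.azure.com` and `privatelink.services.ai.azure.com` zones it passes in `privateDnsZoneIds`, nor the "Cognitive Service Accounts" named in the parameter added in the previous hunk; this looks like a copy of a Recovery Services vault entry. As written the DeployIfNotExists would attach the AI-services zones to backup-vault private endpoints and would never fire for Cognitive Services private endpoints, so those endpoints get no private DNS records and clients keep resolving the public address, which defeats the purpose of the private endpoint. For Azure AI / Cognitive Services accounts the private link sub-resource is `account` on `Microsoft.CognitiveServices/accounts`, so I would expect `"groupId": { "value": "account" }` and `"privateLinkServiceResourceType": { "value": "Microsoft.CognitiveServices/accounts" }`. The hard-coded `australiaeast` in `resourceLocation` follows the neighbouring entries and I take it to be intended.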
From: Tao Yang Date: Fri, 8 May 2026 14:30:41 +1000 Subject: [PATCH 17/46] Update policy definitions and assignments to use 2026-01-01-preview API version --- .vscode/settings.json | 3 ++- .../management-group/main.bicep | 2 +- .../resource-group/main.bicep | 2 +- .../policy-assignment/subscription/main.bicep | 2 +- .../management-group/main.bicep | 2 +- .../policy-definition/subscription/main.bicep | 2 +- .../management-group/main.bicep | 2 +- .../policy-exemption/resource-group/main.bicep | 2 +- .../policy-exemption/subscription/main.bicep | 2 +- .../management-group/main.bicep | 2 +- .../subscription/main.bicep | 2 +- bicep/templates/policyInitiatives/main.bicep | 1 + .../pol-audit-deny-cbd-allowed-locations.json | 1 - policyInitiatives/polset-cosmos-db.json | 18 ++++++++++++------ 14 files changed, 25 insertions(+), 18 deletions(-) diff --git a/.vscode/settings.json b/.vscode/settings.json index fb1adf3..b1b3fbe 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -54,5 +54,6 @@ "unauthorized", "vnet", "whatif" - ] + ], + "sarif-viewer.connectToGithubCodeScanning": "off" } diff --git a/bicep/modules/authorization/policy-assignment/management-group/main.bicep b/bicep/modules/authorization/policy-assignment/management-group/main.bicep index 53e1dc9..83c6436 100644 --- a/bicep/modules/authorization/policy-assignment/management-group/main.bicep +++ b/bicep/modules/authorization/policy-assignment/management-group/main.bicep @@ -32,7 +32,7 @@ var identityVar = policyAssignment.?identity == 'SystemAssigned' } : null -resource assignment 'Microsoft.Authorization/policyAssignments@2025-12-01-preview' = { +resource assignment 'Microsoft.Authorization/policyAssignments@2026-01-01-preview' = { name: policyAssignment.name location: location properties: { diff --git a/bicep/modules/authorization/policy-assignment/resource-group/main.bicep b/bicep/modules/authorization/policy-assignment/resource-group/main.bicep index 9598849..ecd051b 100644 
--- a/bicep/modules/authorization/policy-assignment/resource-group/main.bicep +++ b/bicep/modules/authorization/policy-assignment/resource-group/main.bicep @@ -35,7 +35,7 @@ var identityVar = policyAssignment.?identity == 'SystemAssigned' } : null -resource assignment 'Microsoft.Authorization/policyAssignments@2025-12-01-preview' = { +resource assignment 'Microsoft.Authorization/policyAssignments@2026-01-01-preview' = { name: policyAssignment.name location: location properties: { diff --git a/bicep/modules/authorization/policy-assignment/subscription/main.bicep b/bicep/modules/authorization/policy-assignment/subscription/main.bicep index 5b315d3..8fd3770 100644 --- a/bicep/modules/authorization/policy-assignment/subscription/main.bicep +++ b/bicep/modules/authorization/policy-assignment/subscription/main.bicep @@ -31,7 +31,7 @@ var identityVar = policyAssignment.?identity == 'SystemAssigned' } : null -resource assignment 'Microsoft.Authorization/policyAssignments@2025-12-01-preview' = { +resource assignment 'Microsoft.Authorization/policyAssignments@2026-01-01-preview' = { name: policyAssignment.name location: location properties: { diff --git a/bicep/modules/authorization/policy-definition/management-group/main.bicep b/bicep/modules/authorization/policy-definition/management-group/main.bicep index 53291bd..993c538 100755 --- a/bicep/modules/authorization/policy-definition/management-group/main.bicep +++ b/bicep/modules/authorization/policy-definition/management-group/main.bicep @@ -16,7 +16,7 @@ var additionalMetadata = { } @batchSize(15) -resource policies 'Microsoft.Authorization/policyDefinitions@2025-12-01-preview' = [ +resource policies 'Microsoft.Authorization/policyDefinitions@2026-01-01-preview' = [ for policyDefinition in policyDefinitions: { name: policyDefinition.name properties: { 
diff --git a/bicep/modules/authorization/policy-definition/subscription/main.bicep b/bicep/modules/authorization/policy-definition/subscription/main.bicep index 5f79426..d1fcdeb 100755 --- a/bicep/modules/authorization/policy-definition/subscription/main.bicep +++ b/bicep/modules/authorization/policy-definition/subscription/main.bicep @@ -17,7 +17,7 @@ var additionalMetadata = { } @batchSize(15) -resource policies 'Microsoft.Authorization/policyDefinitions@2025-12-01-preview' = [ +resource policies 'Microsoft.Authorization/policyDefinitions@2026-01-01-preview' = [ for policyDefinition in policyDefinitions: { name: policyDefinition.name properties: { diff --git a/bicep/modules/authorization/policy-exemption/management-group/main.bicep b/bicep/modules/authorization/policy-exemption/management-group/main.bicep index d12b595..614d873 100644 --- a/bicep/modules/authorization/policy-exemption/management-group/main.bicep +++ b/bicep/modules/authorization/policy-exemption/management-group/main.bicep @@ -13,7 +13,7 @@ var additionalMetadata = union(policyExemption.?metadata ?? {}, { hidden_vml_version: loadJsonContent('./version.json').version }) -resource exemption 'Microsoft.Authorization/policyExemptions@2025-12-01-preview' = { +resource exemption 'Microsoft.Authorization/policyExemptions@2026-01-01-preview' = { name: policyExemption.name properties: { displayName: policyExemption.?displayName diff --git a/bicep/modules/authorization/policy-exemption/resource-group/main.bicep b/bicep/modules/authorization/policy-exemption/resource-group/main.bicep index 7b9d09b..ffae6f8 100644 --- a/bicep/modules/authorization/policy-exemption/resource-group/main.bicep +++ b/bicep/modules/authorization/policy-exemption/resource-group/main.bicep 
@@ -13,7 +13,7 @@ var additionalMetadata = union(policyExemption.?metadata ?? {}, { hidden_vml_version: loadJsonContent('./version.json').version }) -resource exemption 'Microsoft.Authorization/policyExemptions@2025-12-01-preview' = { +resource exemption 'Microsoft.Authorization/policyExemptions@2026-01-01-preview' = { name: policyExemption.name properties: { displayName: policyExemption.?displayName diff --git a/bicep/modules/authorization/policy-exemption/subscription/main.bicep b/bicep/modules/authorization/policy-exemption/subscription/main.bicep index 6df61d2..7731319 100644 --- a/bicep/modules/authorization/policy-exemption/subscription/main.bicep +++ b/bicep/modules/authorization/policy-exemption/subscription/main.bicep @@ -13,7 +13,7 @@ var additionalMetadata = union(policyExemption.?metadata ?? {}, { hidden_vml_version: loadJsonContent('./version.json').version }) -resource exemption 'Microsoft.Authorization/policyExemptions@2025-12-01-preview' = { +resource exemption 'Microsoft.Authorization/policyExemptions@2026-01-01-preview' = { name: policyExemption.name properties: { displayName: policyExemption.?displayName diff --git a/bicep/modules/authorization/policy-set-definition/management-group/main.bicep b/bicep/modules/authorization/policy-set-definition/management-group/main.bicep index 1c9afd4..ad7f6cb 100644 --- a/bicep/modules/authorization/policy-set-definition/management-group/main.bicep +++ b/bicep/modules/authorization/policy-set-definition/management-group/main.bicep @@ -16,7 +16,7 @@ var additionalMetadata = { } @batchSize(15) -resource policySets 'Microsoft.Authorization/policySetDefinitions@2025-12-01-preview' = [ +resource policySets 'Microsoft.Authorization/policySetDefinitions@2026-01-01-preview' = [ for policySetDefinition in policySetDefinitions: { name: policySetDefinition.name properties: { 
diff --git a/bicep/modules/authorization/policy-set-definition/subscription/main.bicep b/bicep/modules/authorization/policy-set-definition/subscription/main.bicep index 0f327db..d04e42b 100644 --- a/bicep/modules/authorization/policy-set-definition/subscription/main.bicep +++ b/bicep/modules/authorization/policy-set-definition/subscription/main.bicep @@ -16,7 +16,7 @@ var additionalMetadata = { } @batchSize(15) -resource policySets 'Microsoft.Authorization/policySetDefinitions@2025-12-01-preview' = [ +resource policySets 'Microsoft.Authorization/policySetDefinitions@2026-01-01-preview' = [ for policySetDefinition in policySetDefinitions: { name: policySetDefinition.name properties: { diff --git a/bicep/templates/policyInitiatives/main.bicep b/bicep/templates/policyInitiatives/main.bicep index af37a45..c94ee91 100644 --- a/bicep/templates/policyInitiatives/main.bicep +++ b/bicep/templates/policyInitiatives/main.bicep @@ -27,6 +27,7 @@ var mappedPolicySetDefinitions = map(range(0, length(policySetDefinitions)), i = '{policyLocationResourceId}', managementGroupId ) + definitionVersion: policySetDefinitions[i].properties.policyDefinitions[c].?definitionVersion parameters: policySetDefinitions[i].properties.policyDefinitions[c].?parameters groupNames: policySetDefinitions[i].properties.policyDefinitions[c].?groupNames }) diff --git a/policyDefinitions/cosmos-db/pol-audit-deny-cbd-allowed-locations.json b/policyDefinitions/cosmos-db/pol-audit-deny-cbd-allowed-locations.json index 384a30d..ac51d16 100644 --- a/policyDefinitions/cosmos-db/pol-audit-deny-cbd-allowed-locations.json +++ b/policyDefinitions/cosmos-db/pol-audit-deny-cbd-allowed-locations.json 
@@ -2,7 +2,6 @@
 "name": "pol-audit-deny-cdb-allowed-locations",
 "properties": {
 "displayName": "Azure Cosmos DB allowed locations",
- "policyType": "BuiltIn",
 "mode": "Indexed",
 "description": "This policy enables you to restrict the locations your organization can specify when deploying Azure Cosmos DB resources. Use to enforce your geo-compliance requirements.",
 "metadata": {
diff --git a/policyInitiatives/polset-cosmos-db.json b/policyInitiatives/polset-cosmos-db.json
index 85a000f..c886c9a 100644
--- a/policyInitiatives/polset-cosmos-db.json
+++ b/policyInitiatives/polset-cosmos-db.json
@@ -175,7 +175,8 @@
 "policyDefinitions": [
 {
 "policyDefinitionReferenceId": "COSMOS-001",
- "policyDefinitionId": "{policyLocationResourceId}/providers/Microsoft.Authorization/policyDefinitions/pol-audit-deny-cdb-local-auth",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2",
+ "definitionVersion": "1.1.*",
 "parameters": {
 "effect": {
 "value": "[parameters('COSMOS-001_Effect')]"
@@ -189,7 +190,8 @@
 },
 {
 "policyDefinitionReferenceId": "COSMOS-002",
- "policyDefinitionId": "{policyLocationResourceId}/providers/Microsoft.Authorization/policyDefinitions/pol-audit-deny-cdb-firewall-rule-exists",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb",
+ "definitionVersion": "2.1.*",
 "parameters": {
 "effect": {
 "value": "[parameters('COSMOS-002_Effect')]"
@@ -201,7 +203,8 @@
 },
 {
 "policyDefinitionReferenceId": "COSMOS-003",
- "policyDefinitionId": "{policyLocationResourceId}/providers/Microsoft.Authorization/policyDefinitions/pol-audit-deny-cdb-disable-public-network-access",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a",
+ "definitionVersion": "1.0.*",
 "parameters": {
 "effect": {
 "value": "[parameters('COSMOS-003_Effect')]"
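Review bot: The definition file is still named `pol-audit-deny-cbd-allowed-locations.json` while its `name` property in this hunk reads `pol-audit-deny-cdb-allowed-locations`, and the initiative (see the later COSMOS-007 change in this series) references the `cdb` spelling. If any pipeline or test step derives the definition name from the file name the two will not line up, and even if not, the mismatch makes the file hard to locate next to its `cdb` siblings; renaming the file to match `name` would remove the ambiguity. Dropping `"policyType": "BuiltIn"` from a custom definition is correct, since that value is reserved for Microsoft-authored definitions.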
@@ -214,7 +217,8 @@
 },
 {
 "policyDefinitionReferenceId": "COSMOS-004",
- "policyDefinitionId": "{policyLocationResourceId}/providers/Microsoft.Authorization/policyDefinitions/pol-audit-deny-cdb-encrypt-with-cmk",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f",
+ "definitionVersion": "1.1.*",
 "parameters": {
 "effect": {
 "value": "[parameters('COSMOS-004_Effect')]"
@@ -226,7 +230,8 @@
 },
 {
 "policyDefinitionReferenceId": "COSMOS-005",
- "policyDefinitionId": "{policyLocationResourceId}/providers/Microsoft.Authorization/policyDefinitions/pol-audit-deny-cdb-key-based-metadata-write",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5",
+ "definitionVersion": "1.0.*",
 "parameters": {
 "effect": {
 "value": "[parameters('COSMOS-005_Effect')]"
@@ -257,7 +262,8 @@
 },
 {
 "policyDefinitionReferenceId": "COSMOS-007",
- "policyDefinitionId": "{policyLocationResourceId}/providers/Microsoft.Authorization/policyDefinitions/pol-audit-deny-cdb-allowed-locations",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0473574d-2d43-4217-aefe-941fcdf7e684",
+ "definitionVersion": "1.1.*",
 "parameters": {
 "effect": {
 "value": "[parameters('COSMOS-007_Effect')]"
From ff67c20027f2bf5342b6ce3a7ca5b1b79e0cce7d Mon Sep 17 00:00:00 2001
From: Tao Yang Date: Fri, 8 May 2026 14:41:01 +1000 Subject: [PATCH 18/46] Update policy assignments and definitions to use 2025-12-01-preview API version --- .../authorization/policy-assignment/management-group/main.bicep | 2 +- .../authorization/policy-assignment/resource-group/main.bicep | 2 +- .../authorization/policy-assignment/subscription/main.bicep | 2 +- .../authorization/policy-definition/management-group/main.bicep | 2 +- .../authorization/policy-definition/subscription/main.bicep | 2 +- .../authorization/policy-exemption/management-group/main.bicep | 2 +- .../authorization/policy-exemption/resource-group/main.bicep | 2 +- .../authorization/policy-exemption/subscription/main.bicep | 2 +- .../policy-set-definition/management-group/main.bicep | 2 +- .../authorization/policy-set-definition/subscription/main.bicep | 2 +- 10 files changed, 10 insertions(+), 10 deletions(-) diff --git a/bicep/modules/authorization/policy-assignment/management-group/main.bicep b/bicep/modules/authorization/policy-assignment/management-group/main.bicep index 83c6436..53e1dc9 100644 --- a/bicep/modules/authorization/policy-assignment/management-group/main.bicep +++ b/bicep/modules/authorization/policy-assignment/management-group/main.bicep @@ -32,7 +32,7 @@ var identityVar = policyAssignment.?identity == 'SystemAssigned' } : null -resource assignment 'Microsoft.Authorization/policyAssignments@2026-01-01-preview' = { +resource assignment 'Microsoft.Authorization/policyAssignments@2025-12-01-preview' = { name: policyAssignment.name location: location properties: { diff --git a/bicep/modules/authorization/policy-assignment/resource-group/main.bicep b/bicep/modules/authorization/policy-assignment/resource-group/main.bicep index ecd051b..9598849 100644 --- a/bicep/modules/authorization/policy-assignment/resource-group/main.bicep +++ b/bicep/modules/authorization/policy-assignment/resource-group/main.bicep 
@@ -35,7 +35,7 @@ var identityVar = policyAssignment.?identity == 'SystemAssigned' } : null -resource assignment 'Microsoft.Authorization/policyAssignments@2026-01-01-preview' = { +resource assignment 'Microsoft.Authorization/policyAssignments@2025-12-01-preview' = { name: policyAssignment.name location: location properties: { diff --git a/bicep/modules/authorization/policy-assignment/subscription/main.bicep b/bicep/modules/authorization/policy-assignment/subscription/main.bicep index 8fd3770..5b315d3 100644 --- a/bicep/modules/authorization/policy-assignment/subscription/main.bicep +++ b/bicep/modules/authorization/policy-assignment/subscription/main.bicep @@ -31,7 +31,7 @@ var identityVar = policyAssignment.?identity == 'SystemAssigned' } : null -resource assignment 'Microsoft.Authorization/policyAssignments@2026-01-01-preview' = { +resource assignment 'Microsoft.Authorization/policyAssignments@2025-12-01-preview' = { name: policyAssignment.name location: location properties: { diff --git a/bicep/modules/authorization/policy-definition/management-group/main.bicep b/bicep/modules/authorization/policy-definition/management-group/main.bicep index 993c538..53291bd 100755 --- a/bicep/modules/authorization/policy-definition/management-group/main.bicep +++ b/bicep/modules/authorization/policy-definition/management-group/main.bicep @@ -16,7 +16,7 @@ var additionalMetadata = { } @batchSize(15) -resource policies 'Microsoft.Authorization/policyDefinitions@2026-01-01-preview' = [ +resource policies 'Microsoft.Authorization/policyDefinitions@2025-12-01-preview' = [ for policyDefinition in policyDefinitions: { name: policyDefinition.name properties: { diff --git a/bicep/modules/authorization/policy-definition/subscription/main.bicep b/bicep/modules/authorization/policy-definition/subscription/main.bicep index d1fcdeb..5f79426 100755 --- a/bicep/modules/authorization/policy-definition/subscription/main.bicep 
+++ b/bicep/modules/authorization/policy-definition/subscription/main.bicep @@ -17,7 +17,7 @@ var additionalMetadata = { } @batchSize(15) -resource policies 'Microsoft.Authorization/policyDefinitions@2026-01-01-preview' = [ +resource policies 'Microsoft.Authorization/policyDefinitions@2025-12-01-preview' = [ for policyDefinition in policyDefinitions: { name: policyDefinition.name properties: { diff --git a/bicep/modules/authorization/policy-exemption/management-group/main.bicep b/bicep/modules/authorization/policy-exemption/management-group/main.bicep index 614d873..d12b595 100644 --- a/bicep/modules/authorization/policy-exemption/management-group/main.bicep +++ b/bicep/modules/authorization/policy-exemption/management-group/main.bicep @@ -13,7 +13,7 @@ var additionalMetadata = union(policyExemption.?metadata ?? {}, { hidden_vml_version: loadJsonContent('./version.json').version }) -resource exemption 'Microsoft.Authorization/policyExemptions@2026-01-01-preview' = { +resource exemption 'Microsoft.Authorization/policyExemptions@2025-12-01-preview' = { name: policyExemption.name properties: { displayName: policyExemption.?displayName diff --git a/bicep/modules/authorization/policy-exemption/resource-group/main.bicep b/bicep/modules/authorization/policy-exemption/resource-group/main.bicep index ffae6f8..7b9d09b 100644 --- a/bicep/modules/authorization/policy-exemption/resource-group/main.bicep +++ b/bicep/modules/authorization/policy-exemption/resource-group/main.bicep @@ -13,7 +13,7 @@ var additionalMetadata = union(policyExemption.?metadata ?? {}, { hidden_vml_version: loadJsonContent('./version.json').version }) -resource exemption 'Microsoft.Authorization/policyExemptions@2026-01-01-preview' = { +resource exemption 'Microsoft.Authorization/policyExemptions@2025-12-01-preview' = { name: policyExemption.name properties: { displayName: policyExemption.?displayName 
diff --git a/bicep/modules/authorization/policy-exemption/subscription/main.bicep b/bicep/modules/authorization/policy-exemption/subscription/main.bicep index 7731319..6df61d2 100644 --- a/bicep/modules/authorization/policy-exemption/subscription/main.bicep +++ b/bicep/modules/authorization/policy-exemption/subscription/main.bicep @@ -13,7 +13,7 @@ var additionalMetadata = union(policyExemption.?metadata ?? {}, { hidden_vml_version: loadJsonContent('./version.json').version }) -resource exemption 'Microsoft.Authorization/policyExemptions@2026-01-01-preview' = { +resource exemption 'Microsoft.Authorization/policyExemptions@2025-12-01-preview' = { name: policyExemption.name properties: { displayName: policyExemption.?displayName diff --git a/bicep/modules/authorization/policy-set-definition/management-group/main.bicep b/bicep/modules/authorization/policy-set-definition/management-group/main.bicep index ad7f6cb..1c9afd4 100644 --- a/bicep/modules/authorization/policy-set-definition/management-group/main.bicep +++ b/bicep/modules/authorization/policy-set-definition/management-group/main.bicep @@ -16,7 +16,7 @@ var additionalMetadata = { } @batchSize(15) -resource policySets 'Microsoft.Authorization/policySetDefinitions@2026-01-01-preview' = [ +resource policySets 'Microsoft.Authorization/policySetDefinitions@2025-12-01-preview' = [ for policySetDefinition in policySetDefinitions: { name: policySetDefinition.name properties: { diff --git a/bicep/modules/authorization/policy-set-definition/subscription/main.bicep b/bicep/modules/authorization/policy-set-definition/subscription/main.bicep index d04e42b..0f327db 100644 --- a/bicep/modules/authorization/policy-set-definition/subscription/main.bicep +++ b/bicep/modules/authorization/policy-set-definition/subscription/main.bicep 
@@ -16,7 +16,7 @@ var additionalMetadata = { } @batchSize(15) -resource policySets 'Microsoft.Authorization/policySetDefinitions@2026-01-01-preview' = [ +resource policySets 'Microsoft.Authorization/policySetDefinitions@2025-12-01-preview' = [ for policySetDefinition in policySetDefinitions: { name: policySetDefinition.name properties: { From 8681af7016f4dac4985eed18140db583ce6069bc Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Fri, 8 May 2026 14:54:15 +1000 Subject: [PATCH 19/46] Update policy definition references for Cosmos DB initiative and remove deprecated source built-in name --- .../cosmos-db/pol-audit-deny-cdb-key-based-metadata-write.json | 3 +-- policyInitiatives/polset-cosmos-db.json | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/policyDefinitions/cosmos-db/pol-audit-deny-cdb-key-based-metadata-write.json b/policyDefinitions/cosmos-db/pol-audit-deny-cdb-key-based-metadata-write.json index 16f6c68..4624dab 100644 --- a/policyDefinitions/cosmos-db/pol-audit-deny-cdb-key-based-metadata-write.json +++ b/policyDefinitions/cosmos-db/pol-audit-deny-cdb-key-based-metadata-write.json @@ -7,8 +7,7 @@ "category": "Cosmos DB", "version": "1.0.0", "preview": false, - "deprecated": false, - "source_builtIn_name": "4750c32b-89c0-46af-bfcb-2e4541a818d5" + "deprecated": false }, "mode": "Indexed", "parameters": { diff --git a/policyInitiatives/polset-cosmos-db.json b/policyInitiatives/polset-cosmos-db.json index c886c9a..7cfc5cb 100644 --- a/policyInitiatives/polset-cosmos-db.json +++ b/policyInitiatives/polset-cosmos-db.json 
@@ -230,8 +230,7 @@ }, { "policyDefinitionReferenceId": "COSMOS-005", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5", - "definitionVersion": "1.0.*", + "policyDefinitionId": "{policyLocationResourceId}/providers/Microsoft.Authorization/policyDefinitions/pol-audit-deny-cdb-key-based-metadata-write", "parameters": { "effect": { "value": "[parameters('COSMOS-005_Effect')]" From 7618ce54c691ddc1e97d4bcc06caba94348c346d Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Fri, 8 May 2026 15:05:27 +1000 Subject: [PATCH 20/46] Update policy definition reference for COSMOS-007 to use new policy ID --- policyInitiatives/polset-cosmos-db.json | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/policyInitiatives/polset-cosmos-db.json b/policyInitiatives/polset-cosmos-db.json index 7cfc5cb..65cc915 100644 --- a/policyInitiatives/polset-cosmos-db.json +++ b/policyInitiatives/polset-cosmos-db.json @@ -261,8 +261,7 @@ }, { "policyDefinitionReferenceId": "COSMOS-007", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0473574d-2d43-4217-aefe-941fcdf7e684", - "definitionVersion": "1.1.*", + "policyDefinitionId": "{policyLocationResourceId}/providers/Microsoft.Authorization/policyDefinitions/pol-audit-deny-cdb-allowed-locations", "parameters": { "effect": { "value": "[parameters('COSMOS-007_Effect')]" From f6c53169e325dcc6c5fe9fa8891b1193d53a5b94 Mon Sep 17 00:00:00 2001 
From: Tao Yang Date: Mon, 11 May 2026 13:21:34 +1000 Subject: [PATCH 21/46] Add allowed locations for COSMOS-007 and update integration test templates for Cosmos DB policies --- policyAssignments/dev/pa-d-cosmos.json | 6 ++ policyAssignments/prod/pa-p-cosmos.json | 6 ++ policyInitiatives/polset-cosmos-db.json | 2 +- .../.test-template/config.json | 5 -- .../.test-template/main.good.bicep | 2 +- .../cosmos-db/README.md | 18 ++++ .../cosmos-db/config.json | 15 ++++ .../cosmos-db/main.bad.bicep | 43 ++++++++++ .../cosmos-db/main.good.bicep | 43 ++++++++++ .../cosmos-db/main.test.bicep | 86 +++++++++++++++++++ .../cosmos-db/tests.ps1 | 44 ++++++++++ 11 files changed, 263 insertions(+), 7 deletions(-) create mode 100644 tests/policy-integration-tests/cosmos-db/README.md create mode 100644 tests/policy-integration-tests/cosmos-db/config.json create mode 100644 tests/policy-integration-tests/cosmos-db/main.bad.bicep create mode 100644 tests/policy-integration-tests/cosmos-db/main.good.bicep create mode 100644 tests/policy-integration-tests/cosmos-db/main.test.bicep create mode 100644 tests/policy-integration-tests/cosmos-db/tests.ps1 diff --git a/policyAssignments/dev/pa-d-cosmos.json b/policyAssignments/dev/pa-d-cosmos.json index daf4e98..bd13fcb 100644 --- a/policyAssignments/dev/pa-d-cosmos.json +++ b/policyAssignments/dev/pa-d-cosmos.json @@ -33,6 +33,12 @@ }, "COSMOS-007_Effect": { "value": "Deny" + }, + "COSMOS-007_listOfAllowedLocations": { + "value": [ + "australiaeast", + "australiasoutheast" + ] } }, "nonComplianceMessages": [], diff --git a/policyAssignments/prod/pa-p-cosmos.json b/policyAssignments/prod/pa-p-cosmos.json index 6410c0f..9b4dccb 100644 --- a/policyAssignments/prod/pa-p-cosmos.json +++ b/policyAssignments/prod/pa-p-cosmos.json @@ -33,6 +33,12 @@ }, "COSMOS-007_Effect": { "value": "Deny" + }, + "COSMOS-007_listOfAllowedLocations": { + "value": [ + "australiaeast", + "australiasoutheast" + ] } }, "nonComplianceMessages": [], 
diff --git a/policyInitiatives/polset-cosmos-db.json b/policyInitiatives/polset-cosmos-db.json index 65cc915..03fafcc 100644 --- a/policyInitiatives/polset-cosmos-db.json +++ b/policyInitiatives/polset-cosmos-db.json @@ -259,7 +259,7 @@ "ISO27001-2013_A.14.1.2" ] }, - { + { "policyDefinitionReferenceId": "COSMOS-007", "policyDefinitionId": "{policyLocationResourceId}/providers/Microsoft.Authorization/policyDefinitions/pol-audit-deny-cdb-allowed-locations", "parameters": { diff --git a/tests/policy-integration-tests/.test-template/config.json b/tests/policy-integration-tests/.test-template/config.json index 8f4888b..6ac3b5d 100644 --- a/tests/policy-integration-tests/.test-template/config.json +++ b/tests/policy-integration-tests/.test-template/config.json @@ -5,12 +5,7 @@ "assignmentName": "", "testSubscription": "", "testResourceGroup": "", - "testManagementGroup": "", "location": "", "tagsForResourceGroup": false, - "testAuditPoliciesFromDeployedResources": false, - "testAppendModifyPolicies": false, - "testDeployIfNotExistsPolicies": false, - "testDenyPolicies": true, "removeTestResourceGroup": true } diff --git a/tests/policy-integration-tests/.test-template/main.good.bicep b/tests/policy-integration-tests/.test-template/main.good.bicep index 4975278..84e6185 100644 --- a/tests/policy-integration-tests/.test-template/main.good.bicep +++ b/tests/policy-integration-tests/.test-template/main.good.bicep @@ -13,4 +13,4 @@ var location = localConfig.location var namePrefix = globalConfig.namePrefix // define template specific variables -var serviceShort = 'xxx3' +var serviceShort = 'xxx2' diff --git a/tests/policy-integration-tests/cosmos-db/README.md b/tests/policy-integration-tests/cosmos-db/README.md new file mode 100644 index 0000000..6df173f --- /dev/null +++ b/tests/policy-integration-tests/cosmos-db/README.md 
@@ -0,0 +1,18 @@ +# Policy Integration Test - Policy Integration Test Cases for xxx + +## Introduction + +This folder contains a sample test case for xxx related policies. + +The test case is designed to test the following policy assignments: + +| Policy Assignment Name | Policy Assignment Scope | Description | +| :--------------------- | :--------------------- | :---------- | + + + +The following policies are in scope for testing: + +| Policy Assignment | Policy Reference ID | Policy Name | Policy Effect | +| :---------------- | :---------------- | :------------ | :------------ | + diff --git a/tests/policy-integration-tests/cosmos-db/config.json b/tests/policy-integration-tests/cosmos-db/config.json new file mode 100644 index 0000000..2b05638 --- /dev/null +++ b/tests/policy-integration-tests/cosmos-db/config.json @@ -0,0 +1,15 @@ +{ + "policyAssignmentIds": [ + "/providers/Microsoft.Management/managementGroups/CONTOSO-DEV/providers/Microsoft.Authorization/policyAssignments/pa-d-pedns", + "/providers/Microsoft.Management/managementGroups/CONTOSO-DEV/providers/Microsoft.Authorization/policyAssignments/pa-d-cosmos", + "/providers/Microsoft.Management/managementGroups/CONTOSO-DEV/providers/Microsoft.Authorization/policyAssignments/pa-d-diag-settings" + ], + "testName": "CosmosDB", + "assignmentName": "pa-d-cosmos", + "testSubscription": "sub-d-lz-corp-01", + "testResourceGroup": "rg-ae-d-policy-test-cosmos-001", + "location": "australiaeast", + "disallowedLocation": "eastus", + "tagsForResourceGroup": false, + "removeTestResourceGroup": true +} diff --git a/tests/policy-integration-tests/cosmos-db/main.bad.bicep b/tests/policy-integration-tests/cosmos-db/main.bad.bicep new file mode 100644 index 0000000..48045e4 --- /dev/null +++ b/tests/policy-integration-tests/cosmos-db/main.bad.bicep 
@@ -0,0 +1,43 @@ +metadata itemDisplayName = 'Test Template for xxx' +metadata description = 'This template deploys the testing resource for xxx.' +metadata summary = 'Deploys test xxx resources that should violate some policy assignments.' + +// ============ // +// variables // +// ============ // +// Load the configuration file +var globalConfig = loadJsonContent('../.shared/policy_integration_test_config.jsonc') +var localConfig = loadJsonContent('config.json') + +var location = localConfig.disallowedLocation +var namePrefix = globalConfig.namePrefix + +// define template specific variables +var serviceShort = 'cos3' +resource cosmosDb 'Microsoft.DocumentDB/databaseAccounts@2025-11-01-preview' = { + kind: 'GlobalDocumentDB' + name: '${namePrefix}${serviceShort}01' + location: location + properties: { + consistencyPolicy: { + defaultConsistencyLevel: 'Session' + maxIntervalInSeconds: 300 + maxStalenessPrefix: 100001 + } + locations: [ + { + locationName: location // this should violate the policy COSMOS-007 + failoverPriority: 0 + isZoneRedundant: false + } + ] + databaseAccountOfferType: 'Standard' + disableLocalAuth: false // this should violate the policy COSMOS-001 + enableMultipleWriteLocations: false + networkAclBypass: 'AzureServices' + enablePartitionMerge: false + publicNetworkAccess: 'Enabled' // this should violate the policy COSMOS-002, COSMOS-003 + minimalTlsVersion: 'TLS1_1' // this should violate the policy COSMOS-006 + disableKeyBasedMetadataWriteAccess: false // this should violate the policy COSMOS-005 + } +} diff --git a/tests/policy-integration-tests/cosmos-db/main.good.bicep b/tests/policy-integration-tests/cosmos-db/main.good.bicep new file mode 100644 index 0000000..5e97c44 --- /dev/null +++ b/tests/policy-integration-tests/cosmos-db/main.good.bicep 
@@ -0,0 +1,43 @@ +metadata itemDisplayName = 'Test Template for xxxx' +metadata description = 'This template deploys the testing resource for xxxx.' +metadata summary = 'Deploys test xxxx resources that should comply with all policy assignments.' + +// ============ // +// variables // +// ============ // +// Load the configuration file +var globalConfig = loadJsonContent('../.shared/policy_integration_test_config.jsonc') +var localConfig = loadJsonContent('config.json') + +var location = localConfig.location +var namePrefix = globalConfig.namePrefix + +// define template specific variables +var serviceShort = 'cos2' +resource cosmosDb 'Microsoft.DocumentDB/databaseAccounts@2025-11-01-preview' = { + kind: 'GlobalDocumentDB' + name: '${namePrefix}${serviceShort}01' + location: location + properties: { + consistencyPolicy: { + defaultConsistencyLevel: 'Session' + maxIntervalInSeconds: 300 + maxStalenessPrefix: 100001 + } + locations: [ + { + locationName: location // this should comply with the policy COSMOS-007 + failoverPriority: 0 + isZoneRedundant: false + } + ] + databaseAccountOfferType: 'Standard' + disableLocalAuth: true // this should comply with the policy COSMOS-001 + enableMultipleWriteLocations: false + networkAclBypass: 'AzureServices' + enablePartitionMerge: false + publicNetworkAccess: 'Disabled' // this should comply with the policy COSMOS-002, COSMOS-003 + minimalTlsVersion: 'TLS1_2' // this should comply with the policy COSMOS-006 + disableKeyBasedMetadataWriteAccess: true // this should comply with the policy COSMOS-005 + } +} diff --git a/tests/policy-integration-tests/cosmos-db/main.test.bicep b/tests/policy-integration-tests/cosmos-db/main.test.bicep new file mode 100644 index 0000000..7117651 --- /dev/null +++ b/tests/policy-integration-tests/cosmos-db/main.test.bicep 
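Review bot: The comment on `publicNetworkAccess: 'Disabled'` claims compliance with COSMOS-002 (firewall rules) as well as COSMOS-003, but that only holds if `pol-audit-deny-cdb-firewall-rule-exists` treats a disabled public endpoint as satisfying the rule; the definition is not in this hunk, and if it instead requires `ipRules`/`virtualNetworkRules` to be non-empty the "compliant" what-if deployment will be denied and the positive test at the end of `tests.ps1` will fail for the wrong reason. It would be worth stating that assumption in the comment, e.g. `// COSMOS-003; also satisfies COSMOS-002 because the firewall-rule policy accepts publicNetworkAccess=Disabled (verify)`. Separately, `networkAclBypass: 'AzureServices'` keeps the trusted-services exception open in a template that is meant to be the reference-compliant shape; unless a policy in scope needs it, `'None'` is the tighter choice and avoids documenting a looser posture as "good".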
@@ -0,0 +1,86 @@ +metadata itemDisplayName = 'Test Template for Cosmos DB' +metadata description = 'This template deploys the testing resource for Cosmos DB.' +metadata summary = 'Deploys test Cosmos DB resources.' + +// ============ // +// variables // +// ============ // +// Load the configuration file +var globalConfig = loadJsonContent('../.shared/policy_integration_test_config.jsonc') +var localConfig = loadJsonContent('config.json') +//Define required variables from the configuration files - change these based on your requirements +var tags = globalConfig.tags +var location = localConfig.location +var namePrefix = globalConfig.namePrefix +var subName = localConfig.testSubscription +var vnetResourceGroup = globalConfig.subscriptions[subName].networkResourceGroup +var vnetName = globalConfig.subscriptions[subName].vNet +var peSubnetName = globalConfig.subscriptions[subName].peSubnet + +var serviceShort = 'cos1' //use this to form the name of the resources deployed by this template. This is helpful to identify the resource in the portal and also useful if you want to have a policy that targets specific resources by name. For example, if you have a policy that audits whether storage accounts have secure transfer enabled, you can set serviceShort to 'st' and then in the policy definition, you can target resources with name starting with 'st' to only audit the storage accounts deployed by this test template. 
+ +// ============ // +// resources // +// ============ // +resource vnet 'Microsoft.Network/virtualNetworks@2025-05-01' existing = { + name: vnetName + scope: az.resourceGroup(vnetResourceGroup) + + resource peSubnet 'subnets' existing = { name: peSubnetName } +} + +resource cosmosDb 'Microsoft.DocumentDB/databaseAccounts@2025-11-01-preview' = { + kind: 'GlobalDocumentDB' + name: '${namePrefix}${serviceShort}01' + location: location + tags: tags + properties: { + consistencyPolicy: { + defaultConsistencyLevel: 'Session' + maxIntervalInSeconds: 300 + maxStalenessPrefix: 100001 + } + locations: [ + { + locationName: location + failoverPriority: 0 + isZoneRedundant: false + } + ] + databaseAccountOfferType: 'Standard' + disableLocalAuth: true + enableMultipleWriteLocations: false + networkAclBypass: 'AzureServices' + enablePartitionMerge: false + publicNetworkAccess: 'Disabled' + minimalTlsVersion: 'TLS1_2' + disableKeyBasedMetadataWriteAccess: true + //keyVaultKeyUri: '' // this should violate the policy COSMOS-004 + } +} + +resource pe 'Microsoft.Network/privateEndpoints@2025-05-01' = { + name: 'pe-${namePrefix}${serviceShort}-cosmosdb' + location: location + tags: tags + properties: { + subnet: { + id: vnet::peSubnet.id + } + privateLinkServiceConnections: [ + { + name: 'pe-${namePrefix}${serviceShort}-cosmosdb' + properties: { + privateLinkServiceId: cosmosDb.id + groupIds: [ + 'Sql' + ] + } + } + ] + } +} +// ============ // +// outputs // +// ============ // +//Specify the outputs that are required for the test diff --git a/tests/policy-integration-tests/cosmos-db/tests.ps1 b/tests/policy-integration-tests/cosmos-db/tests.ps1 new file mode 100644 index 0000000..7a5ca12 --- /dev/null +++ b/tests/policy-integration-tests/cosmos-db/tests.ps1 
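Review bot: The comment on the commented-out `//keyVaultKeyUri: ''` line says it "should violate the policy COSMOS-004", which reads as though the empty string is the trigger; what actually keeps the account NonCompliant (as `tests.ps1` asserts for the Audit policy) is the absence of any CMK URI, so the intent is clearer as `// keyVaultKeyUri intentionally omitted: account stays NonCompliant with COSMOS-004 (Audit) so tests.ps1 can assert the audit result`. Likewise the private endpoint is created without a `privateDnsZoneGroup` so that the PEDNS DeployIfNotExists policy has something to remediate, and a one-line comment on the `pe` resource saying so would stop a future cleanup from "fixing" it and silently turning the PEDNS test into a no-op. Both are documentation-only changes; the resource definitions themselves look consistent with the good template.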
@@ -0,0 +1,44 @@ +#region generic sections for all tests +#Requires -Modules Az.Accounts, Az.PolicyInsights, Az.Resources +#Requires -Version 7.0 + +using module AzResourceTest + +$helperFunctionScriptPath = (resolve-path -relativeBasePath $PSScriptRoot -path '../../../scripts/pipelines/helper/helper-functions.ps1').Path + +#load helper +. $helperFunctionScriptPath + +#Run initiate-test script to set environment variables for test configuration and deployment +$globalConfigFilePath = (resolve-path -RelativeBasePath $PSScriptRoot -path '../.shared/policy_integration_test_config.jsonc').Path +$TestDirectory = $PSScriptRoot +Write-Output "Initiating test with global config file: $globalConfigFilePath and test directory: $TestDirectory" +$initiateTestScriptPath = (resolve-path -RelativeBasePath $PSScriptRoot -path '../.shared/initiate-test.ps1').Path +. $initiateTestScriptPath -globalConfigFilePath $globalConfigFilePath -TestDirectory $TestDirectory + +# Refer to the ../../docs/policy-integration-test-get-started.md for details on the expected variables to be set by the initiate-test script and the structure of those variables. +#endregion + +#region defining tests +<# +The following policy definitions are tested:. + - List the policy definitions being tested here. +#> + +#define tests +$tests = @() + +#endregion + +#region Invoke tests - do not modify +$params = @{ + tests = $tests + testTitle = $script:testTitle + contextTitle = $script:contextTitle + testSuiteName = $script:testSuiteName + OutputFile = $script:outputFilePath + OutputFormat = $script:GlobalConfig_testOutputFormat +} +Test-ARTResourceConfiguration @params + +#endregion From 054fccfab63af0b110d2135927c0bc3f6bc42bb6 Mon Sep 17 00:00:00 2001 
From: Tao Yang Date: Mon, 11 May 2026 15:10:58 +1000 Subject: [PATCH 22/46] Add PEDNS-017 effect and update integration tests for Azure Cosmos DB policies --- policyAssignments/dev/pa-d-pedns.json | 3 + policyAssignments/prod/pa-p-pedns.json | 3 + policyInitiatives/polset-pedns.json | 39 +++++++++++++ .../cosmos-db/README.md | 16 +++++- .../cosmos-db/main.test.bicep | 4 ++ .../cosmos-db/tests.ps1 | 57 ++++++++++++++++++- .../event-hub/tests.ps1 | 4 +- 7 files changed, 120 insertions(+), 6 deletions(-) diff --git a/policyAssignments/dev/pa-d-pedns.json b/policyAssignments/dev/pa-d-pedns.json index e5bc3a3..bf5cc93 100644 --- a/policyAssignments/dev/pa-d-pedns.json +++ b/policyAssignments/dev/pa-d-pedns.json @@ -58,6 +58,9 @@ "PEDNS-016_Effect": { "value": "DeployIfNotExists" }, + "PEDNS-017_Effect": { + "value": "DeployIfNotExists" + }, "evaluationDelay": { "value": "AfterProvisioning" }, diff --git a/policyAssignments/prod/pa-p-pedns.json b/policyAssignments/prod/pa-p-pedns.json index 50eaa13..728870a 100644 --- a/policyAssignments/prod/pa-p-pedns.json +++ b/policyAssignments/prod/pa-p-pedns.json @@ -58,6 +58,9 @@ "PEDNS-016_Effect": { "value": "DeployIfNotExists" }, + "PEDNS-017_Effect": { + "value": "DeployIfNotExists" + }, "evaluationDelay": { "value": "AfterProvisioning" }, diff --git a/policyInitiatives/polset-pedns.json b/policyInitiatives/polset-pedns.json index 62adee0..bd8dd1b 100755 --- a/policyInitiatives/polset-pedns.json +++ b/policyInitiatives/polset-pedns.json @@ -202,6 +202,18 @@ ], "defaultValue": "DeployIfNotExists" }, + "PEDNS-017_Effect": { + "type": "string", + "metadata": { + "displayName": "PEDNS-017 Effect: Cosmos DB SQL", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, "evaluationDelay": { "type": "string", "metadata": { 
@@ -620,6 +632,33 @@ "groupNames": [ "ISO27001-2013_A.13.1.3" ] + }, + { + "policyDefinitionReferenceId": "PEDNS-017", + "policyDefinitionId": "{policyLocationResourceId}/providers/Microsoft.Authorization/policyDefinitions/pol-deploy-pe-dns-records-single-dns-zone-single-location", + "parameters": { + "effect": { + "value": "[parameters('PEDNS-017_Effect')]" + }, + "evaluationDelay": { + "value": "[parameters('evaluationDelay')]" + }, + "groupId": { + "value": "Sql" + }, + "resourceLocation": { + "value": "australiaeast" + }, + "privateDnsZoneId": { + "value": "[concat(parameters('privateDnsZoneResourceGroup'), '/providers/Microsoft.Network/privateDnsZones/', 'privatelink.documents.azure.com')]" + }, + "privateLinkServiceResourceType": { + "value": "Microsoft.DocumentDB/databaseAccounts" + } + }, + "groupNames": [ + "ISO27001-2013_A.13.1.3" + ] } ] } diff --git a/tests/policy-integration-tests/cosmos-db/README.md b/tests/policy-integration-tests/cosmos-db/README.md index 6df173f..48ab0f9 100644 --- a/tests/policy-integration-tests/cosmos-db/README.md +++ b/tests/policy-integration-tests/cosmos-db/README.md 
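Review bot: The new PEDNS-017 entry hard-codes `"resourceLocation": { "value": "australiaeast" }`, so a Cosmos DB private endpoint deployed in any other region gets no DNS record from this initiative; clients in that region would then resolve the public FQDN, which with `publicNetworkAccess` disabled means connection failures, and with it enabled means traffic silently bypassing the private endpoint. The sibling PEDNS entries are outside this hunk, so if they follow the same pattern the concern applies to the whole initiative rather than just this entry. If the initiative does not already expose a location parameter, consider adding one and referencing it as `"resourceLocation": { "value": "[parameters('resourceLocation')]" }`, or at least document in the parameter `description` that this initiative is single-region by design. The `privateDnsZoneId` concatenation and `groupId` of `Sql` do line up with the `privatelink.documents.azure.com` zone and the `groupIds: ['Sql']` used by the Cosmos test template.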
@@ -2,17 +2,27 @@ ## Introduction -This folder contains a sample test case for xxx related policies. +This folder contains a sample test case for Azure Cosmos DB related policies. The test case is designed to test the following policy assignments: | Policy Assignment Name | Policy Assignment Scope | Description | | :--------------------- | :--------------------- | :---------- | - +| `pa-d-cosmos` | `/providers/Microsoft.Management/managementGroups/CONTOSO-DEV` | Policy Assignment for the Azure Cosmos DB initiative | +| `pa-d-pedns` | `/providers/Microsoft.Management/managementGroups/CONTOSO-DEV` | Policy Assignment for Azure Private Endpoint DNS Records Policy Initiative (deploy DNS records for Private Endpoints) | +| `pa-d-diag-settings` | `/providers/Microsoft.Management/managementGroups/CONTOSO-DEV` | Policy Assignment for Azure Diagnostic Settings Policy Initiative (deploy diagnostic settings for all applicable Azure resources) | The following policies are in scope for testing: | Policy Assignment | Policy Reference ID | Policy Name | Policy Effect | | :---------------- | :---------------- | :------------ | :------------ | - +| `pa-d-cosmos` | `COSMOS-001` | Azure Cosmos DB accounts should have local authentication disabled | Deny | +| `pa-d-cosmos` | `COSMOS-002` | Azure Cosmos DB accounts should have firewall rules | Deny | +| `pa-d-cosmos` | `COSMOS-003` | Azure Cosmos DB should disable public network access | Deny | +| `pa-d-cosmos` | `COSMOS-004` | Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest | Audit | +| `pa-d-cosmos` | `COSMOS-005` | Azure Cosmos DB key based metadata write access should be disabled | Deny | +| `pa-d-cosmos` | `COSMOS-006` | Azure Cosmos DB accounts should have a minimum TLS version | Deny | +| `pa-d-cosmos` | `COSMOS-007` | Azure Cosmos DB allowed locations | Deny | +| `pa-d-diag-settings` | `DS-014` | Configure Diagnostic Setting for Azure Cosmos DB | DeployIfNotExists | +| `pa-d-pedns` | 
`PEDNS-017` | Private DNS Record for Azure Cosmos DB SQL PE must exist | DeployIfNotExists | diff --git a/tests/policy-integration-tests/cosmos-db/main.test.bicep b/tests/policy-integration-tests/cosmos-db/main.test.bicep index 7117651..ddf4237 100644 --- a/tests/policy-integration-tests/cosmos-db/main.test.bicep +++ b/tests/policy-integration-tests/cosmos-db/main.test.bicep @@ -84,3 +84,7 @@ resource pe 'Microsoft.Network/privateEndpoints@2025-05-01' = { // outputs // // ============ // //Specify the outputs that are required for the test +output name string = cosmosDb.name +output resourceId string = cosmosDb.id +output privateEndpointResourceId string = pe.id +output location string = cosmosDb.location diff --git a/tests/policy-integration-tests/cosmos-db/tests.ps1 b/tests/policy-integration-tests/cosmos-db/tests.ps1 index 7a5ca12..be27ace 100644 --- a/tests/policy-integration-tests/cosmos-db/tests.ps1 +++ b/tests/policy-integration-tests/cosmos-db/tests.ps1 
@@ -22,12 +22,67 @@ $initiateTestScriptPath = (resolve-path -RelativeBasePath $PSScriptRoot -path '. #region defining tests <# The following policy definitions are tested:. - - List the policy definitions being tested here. + - COSMOS-001: Azure Cosmos DB accounts should have local authentication disabled (Deny) + - COSMOS-002: Azure Cosmos DB accounts should have firewall rules (Deny) + - COSMOS-003: Azure Cosmos DB should disable public network access (Deny) + - COSMOS-004: Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest (Audit) + - COSMOS-005: Azure Cosmos DB key based metadata write access should be disabled (Deny) + - COSMOS-006: Azure Cosmos DB accounts should have a minimum TLS version (Deny) + - COSMOS-007: Azure Cosmos DB allowed locations (Deny) + - DS-014: Configure Diagnostic Setting for Azure Cosmos DB (DeployIfNotExists) + - PEDNS-017: Private DNS Record for Azure Cosmos DB SQL PE must exist (DeployIfNotExists) #> +#Parse deployment outputs +$resourceId = $script:bicepDeploymentOutputs.resourceId.value +$diagSettingsPolicyAssignmentId = $script:LocalConfig_policyAssignmentIds | Where-Object { $_ -imatch "$script:LocalConfig_diagSettingsAssignmentName`$" } +$peDNSPolicyAssignmentId = $script:LocalConfig_policyAssignmentIds | Where-Object { $_ -imatch "$script:LocalConfig_peDNSAssignmentName`$" } +$diagnosticSettingsId = "{0}{1}" -f $resourceId, $script:GlobalConfig_diagnosticSettingsIdSuffix +$cosmosPolicyAssignmentId = $script:LocalConfig_policyAssignmentIds | Where-Object { $_ -imatch "$script:LocalConfig_assignmentName`$" } +$privateEndpointResourceId = $script:bicepDeploymentOutputs.privateEndpointResourceId.value +$privateEndpointPrivateDNSZoneGroupId = '{0}{1}' -f $privateEndpointResourceId, $script:GlobalConfig_privateEndpointPrivateDNSZoneGroupIdSuffix +$violatingPolicies = @( + @{ + policyAssignmentId = $cosmosPolicyAssignmentId + policyDefinitionReferenceId = 'COSMOS-001' + } + @{ + policyAssignmentId = 
$cosmosPolicyAssignmentId + policyDefinitionReferenceId = 'COSMOS-002' + } + @{ + policyAssignmentId = $cosmosPolicyAssignmentId + policyDefinitionReferenceId = 'COSMOS-003' + } + @{ + policyAssignmentId = $cosmosPolicyAssignmentId + policyDefinitionReferenceId = 'COSMOS-005' + } + @{ + policyAssignmentId = $cosmosPolicyAssignmentId + policyDefinitionReferenceId = 'COSMOS-006' + } + @{ + policyAssignmentId = $cosmosPolicyAssignmentId + policyDefinitionReferenceId = 'COSMOS-007' + } +) #define tests $tests = @() +#region Audit Policies +$tests += New-ARTPolicyStateTestConfig 'COSMOS-004: Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest' $script:token $resourceId $cosmosPolicyAssignmentId 'NonCompliant' 'COSMOS-004' + +#DeployIfNotExists Policies +$tests += New-ARTResourceExistenceTestConfig 'DS-014: Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace.' $script:token $diagnosticSettingsId 'exists' $script:GlobalConfig_diagnosticSettingsAPIVersion +$tests += New-ARTPolicyStateTestConfig 'DS-014: Diagnostic Settings Policy Must Be Compliant' $script:token $resourceId $diagSettingsPolicyAssignmentId 'Compliant' 'DS-014' +$tests += New-ARTResourceExistenceTestConfig 'PEDNS-017: Private DNS Record for Azure Cosmos DB SQL PE must exist' $script:token $privateEndpointPrivateDNSZoneGroupId 'exists' $script:GlobalConfig_privateDNSZoneGroupAPIVersion +$tests += New-ARTPolicyStateTestConfig 'PEDNS-017: Private DNS Record Policy Must Be Compliant' $script:token $privateEndpointResourceId $peDNSPolicyAssignmentId 'Compliant' 'PEDNS-017' + +#Deny policies (testing both positive and negative scenarios) +$tests += New-ARTWhatIfDeploymentTestConfig 'Policy abiding deployment should succeed' $script:token $script:whatIfComplyBicepTemplatePath $script:bicepDeploymentResult.bicepDeploymentTarget 'Succeeded' -maxRetry $script:GlobalConfig_whatIfMaxRetry +$tests += New-ARTWhatIfDeploymentTestConfig 'Policy violating deployment should fail' 
$script:token $script:whatIfViolateBicepTemplatePath $script:bicepDeploymentResult.bicepDeploymentTarget 'Failed' $violatingPolicies -maxRetry $script:GlobalConfig_whatIfMaxRetry +# #endregion #region Invoke tests - do not modify diff --git a/tests/policy-integration-tests/event-hub/tests.ps1 b/tests/policy-integration-tests/event-hub/tests.ps1 index 4d4b035..e8ceddf 100755 --- a/tests/policy-integration-tests/event-hub/tests.ps1 +++ b/tests/policy-integration-tests/event-hub/tests.ps1 
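Review bot: The three assignment-ID lookups select with `-imatch "<name>`$"`, which anchors only the end of the string and treats the name as a regex, so any assignment whose ID merely ends with the configured name (for example a `pa-d-xcosmos` alongside `pa-d-cosmos`) would match too, and the tests would then evaluate compliance against the wrong assignment and give false confidence in the guardrails. Matching the last path segment exactly is both stricter and avoids regex metacharacters, e.g. `$cosmosPolicyAssignmentId = $script:LocalConfig_policyAssignmentIds | Where-Object { ($_ -split '/')[-1] -ieq $script:LocalConfig_assignmentName }`, and the same change applies to the diag-settings and PEDNS lookups. A `$null` result from any of these lookups currently flows straight into `New-ARTPolicyStateTestConfig`, so a short guard that throws when an ID is not found would make a misconfigured `config.json` fail loudly rather than as an obscure policy-state error.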
@@ -53,9 +53,9 @@ $tests += New-ARTPolicyStateTestConfig 'EH-004: Event Hub Namespace use CMK encr $tests += New-ARTPolicyStateTestConfig 'EH-005: Event Hub Namespace should use Private Endpoint' $script:token $eventHubNoPeResourceId $ehPolicyAssignmentId 'NonCompliant' 'EH-005' #DeployIfNotExists Policies -$tests += New-ARTResourceExistenceTestConfig 'DS-022: Deploy Diagnostic Settings for Container Registry to Log Analytics workspace.' $script:token $diagnosticSettingsId 'exists' $script:GlobalConfig_diagnosticSettingsAPIVersion +$tests += New-ARTResourceExistenceTestConfig 'DS-022: Deploy Diagnostic Settings for Event Hub to Log Analytics workspace.' $script:token $diagnosticSettingsId 'exists' $script:GlobalConfig_diagnosticSettingsAPIVersion $tests += New-ARTPolicyStateTestConfig 'DS-022: Diagnostic Settings Policy Must Be Compliant' $script:token $resourceId $diagSettingsPolicyAssignmentId 'Compliant' 'DS-022' -$tests += New-ARTResourceExistenceTestConfig 'PEDNS-007: Private DNS Record for Azure Container Registry PE must exist' $script:token $privateEndpointPrivateDNSZoneGroupId 'exists' $script:GlobalConfig_privateDNSZoneGroupAPIVersion +$tests += New-ARTResourceExistenceTestConfig 'PEDNS-007: Private DNS Record for Azure Event Hub PE must exist' $script:token $privateEndpointPrivateDNSZoneGroupId 'exists' $script:GlobalConfig_privateDNSZoneGroupAPIVersion $tests += New-ARTPolicyStateTestConfig 'PEDNS-007: Private DNS Record Policy Must Be Compliant' $script:token $privateEndpointResourceId $peDNSPolicyAssignmentId 'Compliant' 'PEDNS-007' #Deny policies (testing both positive and negative scenarios) From a8f39d468fa22289a21d1f3851192b02f1d72120 Mon Sep 17 00:00:00 2001 
From: Tao Yang Date: Mon, 11 May 2026 15:27:19 +1000 Subject: [PATCH 23/46] Update minimalTlsVersion formatting in Cosmos DB policy templates for consistency --- tests/policy-integration-tests/cosmos-db/main.bad.bicep | 2 +- tests/policy-integration-tests/cosmos-db/main.good.bicep | 2 +- tests/policy-integration-tests/cosmos-db/main.test.bicep | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/policy-integration-tests/cosmos-db/main.bad.bicep b/tests/policy-integration-tests/cosmos-db/main.bad.bicep index 48045e4..a501b41 100644 --- a/tests/policy-integration-tests/cosmos-db/main.bad.bicep +++ b/tests/policy-integration-tests/cosmos-db/main.bad.bicep @@ -37,7 +37,7 @@ resource cosmosDb 'Microsoft.DocumentDB/databaseAccounts@2025-11-01-preview' = { networkAclBypass: 'AzureServices' enablePartitionMerge: false publicNetworkAccess: 'Enabled' // this should violate the policy COSMOS-002, COSMOS-003 - minimalTlsVersion: 'TLS1_1' // this should violate the policy COSMOS-006 + minimalTlsVersion: 'Tls11' // this should violate the policy COSMOS-006 disableKeyBasedMetadataWriteAccess: false // this should violate the policy COSMOS-005 } } diff --git a/tests/policy-integration-tests/cosmos-db/main.good.bicep b/tests/policy-integration-tests/cosmos-db/main.good.bicep index 5e97c44..abf7825 100644 --- a/tests/policy-integration-tests/cosmos-db/main.good.bicep +++ b/tests/policy-integration-tests/cosmos-db/main.good.bicep @@ -37,7 +37,7 @@ resource cosmosDb 'Microsoft.DocumentDB/databaseAccounts@2025-11-01-preview' = { networkAclBypass: 'AzureServices' enablePartitionMerge: false publicNetworkAccess: 'Disabled' // this should comply with the policy COSMOS-002, COSMOS-003 - minimalTlsVersion: 'TLS1_2' // this should comply with the policy COSMOS-006 + minimalTlsVersion: 'Tls12' // this should comply with the policy COSMOS-006 disableKeyBasedMetadataWriteAccess: true // this should comply with the policy COSMOS-005 } } 
diff --git a/tests/policy-integration-tests/cosmos-db/main.test.bicep b/tests/policy-integration-tests/cosmos-db/main.test.bicep index ddf4237..8b6e87a 100644 --- a/tests/policy-integration-tests/cosmos-db/main.test.bicep +++ b/tests/policy-integration-tests/cosmos-db/main.test.bicep @@ -53,7 +53,7 @@ resource cosmosDb 'Microsoft.DocumentDB/databaseAccounts@2025-11-01-preview' = { networkAclBypass: 'AzureServices' enablePartitionMerge: false publicNetworkAccess: 'Disabled' - minimalTlsVersion: 'TLS1_2' + minimalTlsVersion: 'Tls12' disableKeyBasedMetadataWriteAccess: true //keyVaultKeyUri: '' // this should violate the policy COSMOS-004 } From 63a027aea39da06b130a263b4fb6c95bf25b04db Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Mon, 11 May 2026 15:42:01 +1000 Subject: [PATCH 24/46] Update policy definition groups and clean up deprecated entries in Cosmos DB policy initiative --- policyInitiatives/polset-cosmos-db.json | 41 +++++-------------------- 1 file changed, 7 insertions(+), 34 deletions(-) diff --git a/policyInitiatives/polset-cosmos-db.json b/policyInitiatives/polset-cosmos-db.json index 03fafcc..ee382a7 100644 --- a/policyInitiatives/polset-cosmos-db.json +++ b/policyInitiatives/polset-cosmos-db.json 
@@ -132,44 +132,24 @@ }, "policyDefinitionGroups": [ { - "name": "ISO27001-2013_A.8.2.3", - "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.8.2.3" + "name": "ISO27001-2013_A.9.2.3", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.9.2.3" }, { "name": "ISO27001-2013_A.10.1.1", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.10.1.1" }, - - { - "name": "ISO27001-2013_A.12.3.1", - "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.12.3.1" - }, { "name": "ISO27001-2013_A.13.1.3", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.13.1.3" }, - { - "name": "ISO27001-2013_A.14.1.2", - "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.14.1.2" - }, { "name": "ISO27001-2013_A.15.1.2", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.15.1.2" }, { - "name": "ISO27001-2013_A.17.1.1", - "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.17.1.1" - }, - { - "name": "ISO27001-2013_A.17.1.2", - "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.17.1.2" - }, - { "name": "ISO27001-2013_A.18.1.1", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.18.1.1" - }, - { - "name": "CB-AZ-011" } ], "policyDefinitions": [ @@ -183,9 +163,7 @@ } }, "groupNames": [ - "ISO27001-2013_A.12.3.1", - "ISO27001-2013_A.17.1.1", - "ISO27001-2013_A.17.1.2" + "ISO27001-2013_A.9.2.3" ] }, { @@ -211,8 +189,7 @@ } }, "groupNames": [ - "ISO27001-2013_A.13.1.3", - "CB-AZ-011" + "ISO27001-2013_A.13.1.3" ] }, { @@ -225,7 +202,7 @@ } }, "groupNames": [ - "ISO27001-2013_A.12.3.1" + "ISO27001-2013_A.10.1.1" ] }, { 
@@ -237,9 +214,7 @@ } }, "groupNames": [ - "ISO27001-2013_A.12.3.1", - "ISO27001-2013_A.17.1.1", - "ISO27001-2013_A.17.1.2" + "ISO27001-2013_A.9.2.3" ] }, { @@ -254,9 +229,7 @@ } }, "groupNames": [ - "ISO27001-2013_A.8.2.3", - "ISO27001-2013_A.10.1.1", - "ISO27001-2013_A.14.1.2" + "ISO27001-2013_A.10.1.1" ] }, { From a403bc3c5d829dbd066f95ae01af6bb75c08ad36 Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Mon, 11 May 2026 15:59:03 +1000 Subject: [PATCH 25/46] Refactor policy definitions for Cognitive Services: update field references and add new policy initiative --- ...ol-restrict-cog-public-network-access.json | 2 +- .../polset-cognitive-service.json | 128 ++++++++++++++++++ .../cosmos-db/config.json | 4 +- .../cosmos-db/tests.ps1 | 2 +- 4 files changed, 133 insertions(+), 3 deletions(-) create mode 100644 policyInitiatives/polset-cognitive-service.json diff --git a/policyDefinitions/cognitive-service/pol-restrict-cog-public-network-access.json b/policyDefinitions/cognitive-service/pol-restrict-cog-public-network-access.json index 11f6721..76c20ef 100644 --- a/policyDefinitions/cognitive-service/pol-restrict-cog-public-network-access.json +++ b/policyDefinitions/cognitive-service/pol-restrict-cog-public-network-access.json @@ -39,7 +39,7 @@ "notEquals": "Disabled" }, { - "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction", + "field": "Microsoft.CognitiveServices/accounts/networkAcls.defaultAction", "notEquals": "Deny" } ] diff --git a/policyInitiatives/polset-cognitive-service.json b/policyInitiatives/polset-cognitive-service.json new file mode 100644 index 0000000..d0a751d --- /dev/null +++ b/policyInitiatives/polset-cognitive-service.json 
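Review bot: This commit drops the `ISO27001-2013_A.8.2.3`, `A.12.3.1`, `A.14.1.2`, `A.17.1.1`, `A.17.1.2` and `CB-AZ-011` entries from `policyDefinitionGroups`, and rewrites the `groupNames` of five policy entries to match, but the `groupNames` of `COSMOS-007` and any entry after it are outside these hunks. Azure rejects a policy set definition whose `groupNames` reference a group that is not declared, so if `COSMOS-007` still lists one of the removed groups the initiative will fail to deploy rather than silently lose a compliance mapping; it is worth checking the remainder of the file before merging. The remapping of the local-auth and key-based-metadata-write policies to `A.9.2.3` (privileged access) is a sensible correction over the backup/continuity controls they were attached to before.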
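Review bot: With the alias corrected to `Microsoft.CognitiveServices/accounts/networkAcls.defaultAction`, the condition still only flags an account when public access is enabled and the default action is not `Deny`, so an account with `defaultAction: Deny` plus a permissive `ipRules` allow-list (or broad `virtualNetworkRules`) passes COG-002 while remaining reachable from the internet. If the intent of a `Deny` effect is "no public exposure", consider either requiring `publicNetworkAccess` to be `Disabled` outright, or adding a condition on the allow-list contents (the exact alias for `networkAcls.ipRules[*]` should be confirmed against the current alias list before relying on it). It is also worth noting in the definition's `description` that the previous `Microsoft.Storage/...` alias meant this rule never evaluated correctly for Cognitive Services accounts, so existing accounts should be re-evaluated once this lands.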
@@ -0,0 +1,128 @@ +{ + "name": "polset-cognitive-service", + "properties": { + "displayName": "Azure Cognitive Service Policy Initiative", + "description": "This policy initiative defines the foundation security requirements for Azure Cognitive Service", + "metadata": { + "category": "Cognitive Service", + "version": "1.0.0", + "preview": false, + "deprecated": false + }, + "parameters": { + "COG-001_Effect": { + "type": "String", + "metadata": { + "displayName": "COG-001 Effect: Restrict Cognitive Service Local Authentication", + "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy." + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "COG-002_Effect": { + "type": "String", + "metadata": { + "displayName": "COG-002 Effect: Restrict Cognitive Service Public Network Access", + "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy." + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "COG-003_Effect": { + "type": "String", + "metadata": { + "displayName": "COG-003 Effect: Cognitive Services accounts should use a managed identity", + "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy." 
+ }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + } + }, + "policyDefinitionGroups": [ + { + "name": "ISO27001-2013_A.9.2.3", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.9.2.3" + }, + { + "name": "ISO27001-2013_A.10.1.1", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.10.1.1" + }, + { + "name": "ISO27001-2013_A.13.1.3", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.13.1.3" + }, + { + "name": "ISO27001-2013_A.15.1.2", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.15.1.2" + }, + { + "name": "ISO27001-2013_A.18.1.1", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.18.1.1" + } + ], + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "COG-001", + "policyDefinitionId": "{policyLocationResourceId}/providers/Microsoft.Authorization/policyDefinitions/pol-restrict-cog-local-auth", + "parameters": { + "effect": { + "value": "[parameters('COG-001_Effect')]" + } + }, + "groupNames": [ + "ISO27001-2013_A.9.2.3" + ] + }, + { + "policyDefinitionReferenceId": "COG-002", + "policyDefinitionId": "{policyLocationResourceId}/providers/Microsoft.Authorization/policyDefinitions/pol-restrict-cog-public-network-access", + "parameters": { + "effect": { + "value": "[parameters('COG-002_Effect')]" + } + }, + "groupNames": [ + "ISO27001-2013_A.13.1.3" + ] + }, + { + "policyDefinitionReferenceId": "COG-003", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418", + "definitionVersion": "1.0.*", + "parameters": { + "effect": { + "value": "[parameters('COG-003_Effect')]" + } + }, + "groupNames": [ + "ISO27001-2013_A.9.2.3" + ] + }, + { + "policyDefinitionReferenceId": "COG-004", + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/46aa9b05-0e60-4eae-a88b-1e9d374fa515", + "definitionVersion": "2.0.*", + "parameters": { + "effect": { + "value": "[parameters('COG-004_Effect')]" + } + }, + "groupNames": [ + "ISO27001-2013_A.9.2.3" + ] + } + ] + } +} diff --git a/tests/policy-integration-tests/cosmos-db/config.json b/tests/policy-integration-tests/cosmos-db/config.json index 2b05638..e2733c2 100644 --- a/tests/policy-integration-tests/cosmos-db/config.json +++ b/tests/policy-integration-tests/cosmos-db/config.json @@ -5,7 +5,9 @@ "/providers/Microsoft.Management/managementGroups/CONTOSO-DEV/providers/Microsoft.Authorization/policyAssignments/pa-d-diag-settings" ], "testName": "CosmosDB", - "assignmentName": "pa-d-cosmos", + "cosmosAssignmentName": "pa-d-cosmos", + "diagSettingsAssignmentName": "pa-d-diag-settings", + "peDNSAssignmentName": "pa-d-pedns", "testSubscription": "sub-d-lz-corp-01", "testResourceGroup": "rg-ae-d-policy-test-cosmos-001", "location": "australiaeast", diff --git a/tests/policy-integration-tests/cosmos-db/tests.ps1 b/tests/policy-integration-tests/cosmos-db/tests.ps1 index be27ace..8b527b0 100644 --- a/tests/policy-integration-tests/cosmos-db/tests.ps1 +++ b/tests/policy-integration-tests/cosmos-db/tests.ps1 
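Review bot: The `COG-004` entry references `[parameters('COG-004_Effect')]`, but the `parameters` block only declares `COG-001_Effect` through `COG-003_Effect`, so the policy set definition will be rejected for an undeclared parameter; the dev assignment added in a later commit does pass a `COG-004_Effect`, which suggests the declaration was simply missed here. A matching parameter declaration is below, with `Audit` as the default to mirror the assignment. Two smaller points: the `description` strings say `'Disable' turns off the policy` while the allowed value is `Disabled`, and `COG-003`/`COG-004` are built-in definitions whose `allowedValues` may not include `Deny` for every version, so the `Deny` default for `COG-003_Effect` should be checked against the pinned `1.0.*` definition.
```json
"COG-004_Effect": {
  "type": "String",
  "metadata": {
    "displayName": "COG-004 Effect",
    "description": "'Audit' flags a non-compliant resource. 'Deny' blocks creation. 'Disabled' turns off the policy."
  },
  "allowedValues": [ "Audit", "Deny", "Disabled" ],
  "defaultValue": "Audit"
}
```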
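Review bot: Renaming `assignmentName` to `cosmosAssignmentName` makes this test's `config.json` diverge from `.test-template/config.json`, which still uses `assignmentName`, and from the shape other test folders presumably follow. If `.shared/initiate-test.ps1` derives anything generic from `assignmentName` (it is not visible here), this test now loses that value, and future tests copied from the template will not pick up the new keys. Either keep `assignmentName` alongside the new `diagSettingsAssignmentName`/`peDNSAssignmentName` keys, or update the template in the same change so the two stay in step.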
@@ -38,7 +38,7 @@ $resourceId = $script:bicepDeploymentOutputs.resourceId.value $diagSettingsPolicyAssignmentId = $script:LocalConfig_policyAssignmentIds | Where-Object { $_ -imatch "$script:LocalConfig_diagSettingsAssignmentName`$" } $peDNSPolicyAssignmentId = $script:LocalConfig_policyAssignmentIds | Where-Object { $_ -imatch "$script:LocalConfig_peDNSAssignmentName`$" } $diagnosticSettingsId = "{0}{1}" -f $resourceId, $script:GlobalConfig_diagnosticSettingsIdSuffix -$cosmosPolicyAssignmentId = $script:LocalConfig_policyAssignmentIds | Where-Object { $_ -imatch "$script:LocalConfig_assignmentName`$" } +$cosmosPolicyAssignmentId = $script:LocalConfig_policyAssignmentIds | Where-Object { $_ -imatch "$script:LocalConfig_cosmosAssignmentName`$" } $privateEndpointResourceId = $script:bicepDeploymentOutputs.privateEndpointResourceId.value $privateEndpointPrivateDNSZoneGroupId = '{0}{1}' -f $privateEndpointResourceId, $script:GlobalConfig_privateEndpointPrivateDNSZoneGroupIdSuffix $violatingPolicies = @( From 34b0acf21381be6711baf0f750f01763594fc383 Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Mon, 11 May 2026 17:55:06 +1000 Subject: [PATCH 26/46] Add new policy definitions and assignments for Cognitive Services: restrict model formats and names --- policyAssignments/dev/pa-d-cog-service.json | 40 +++++ .../pol-restrict-cog-model-formats.json | 56 +++++++ .../pol-restrict-cog-model-names.json | 66 ++++++++ .../polset-cognitive-service.json | 147 +++++++++++++++++- policyInitiatives/polset-cosmos-db.json | 2 +- .../policy_integration_test_config.jsonc | 2 +- 6 files changed, 305 insertions(+), 8 deletions(-) create mode 100644 policyAssignments/dev/pa-d-cog-service.json create mode 100644 policyDefinitions/cognitive-service/pol-restrict-cog-model-formats.json create mode 100644 policyDefinitions/cognitive-service/pol-restrict-cog-model-names.json 
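Review bot: The renamed config value is interpolated straight into the `-imatch` pattern on the changed line, so any regex metacharacter in `cosmosAssignmentName` (a `.` for instance) matches loosely rather than literally; wrapping the interpolated name in `[regex]::Escape(...)` inside the subexpression keeps the match exact. The two context lines for `diagSettingsAssignmentName` and `peDNSAssignmentName` use the same unescaped pattern, so the fix belongs on all three. `Where-Object` also returns every ID that ends with the name, which is only safe while assignment names are unique suffixes in the configured list.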
diff --git a/policyAssignments/dev/pa-d-cog-service.json b/policyAssignments/dev/pa-d-cog-service.json new file mode 100644 index 0000000..d25301d --- /dev/null +++ b/policyAssignments/dev/pa-d-cog-service.json @@ -0,0 +1,40 @@ +{ + "$schema": "../policyAssignment.schema.json", + "policyAssignment": { + "name": "pa-d-cog-service", + "displayName": "Azure Cognitive Services Policies Dev", + "description": "Policy Assignment for Azure Cognitive Services - Dev", + "metadata": { + "category": "Azure Cognitive Services" + }, + "policyDefinitionId": "{policyLocationResourceId}/providers/Microsoft.Authorization/policySetDefinitions/polset-cognitive-service", + "identity": "None", + "parameters": { + "COG-001_Effect": { + "value": "Deny" + }, + "COG-002_Effect": { + "value": "Deny" + }, + "COG-003_Effect": { + "value": "Deny" + }, + "COG-004_Effect": { + "value": "Audit" + }, + "COG-005_Effect": { + "value": "Deny" + }, + "COG-005_allowedPublishers": { + "value": [] + }, + "COG-005_allowedAssetIds": { + "value": [] + } + }, + "nonComplianceMessages": [], + "roleDefinitionIds": [] + }, + "definitionSourceManagementGroupId": "/providers/Microsoft.Management/managementGroups/CONTOSO-DEV", + "managementGroupId": "CONTOSO-DEV" +} diff --git a/policyDefinitions/cognitive-service/pol-restrict-cog-model-formats.json b/policyDefinitions/cognitive-service/pol-restrict-cog-model-formats.json new file mode 100644 index 0000000..0c2ca5e --- /dev/null +++ b/policyDefinitions/cognitive-service/pol-restrict-cog-model-formats.json 
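Review bot: `COG-005_allowedPublishers` and `COG-005_allowedAssetIds` are not parameters of polset-cognitive-service — the initiative hunk in this same patch declares `COG-005_allowedFormats`, `COG-006_allowedNames` and `COG-007_allowedNames` — so this assignment will presumably be rejected for undeclared parameters when deployed. The two keys should be replaced with `"COG-005_allowedFormats": { "value": [] }` plus the COG-006/COG-007 lists; patch 27 below makes that change, so this commit alone leaves the dev assignment undeployable. COG-006 and COG-007 effects are not set here and fall back to the initiative default of `Deny`, which is worth spelling out explicitly in an assignment that is meant to be reviewed as the dev baseline.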
@@ -0,0 +1,56 @@ +{ + "name": "pol-restrict-cog-model-formats", + "properties": { + "displayName": "Cognitive Services accounts should only allow permitted model formats", + "description": "This policy ensures that Cognitive Services accounts only allow model formats that are explicitly permitted.", + "metadata": { + "category": "Cognitive Services", + "version": "1.0.0", + "preview": false, + "deprecated": false + }, + "mode": "All", + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "listOfAllowedFormats": { + "type": "Array", + "metadata": { + "description": "The list of Open AI model formats that are allowed.", + "displayName": "Allowed model formats" + }, + "defaultValue": [] + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.CognitiveServices/accounts/deployments" + }, + { + "not": { + "field": "Microsoft.CognitiveServices/accounts/deployments/model.format", + "in": "[parameters('listOfAllowedFormats')]" + } + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} diff --git a/policyDefinitions/cognitive-service/pol-restrict-cog-model-names.json b/policyDefinitions/cognitive-service/pol-restrict-cog-model-names.json new file mode 100644 index 0000000..b60da85 --- /dev/null +++ b/policyDefinitions/cognitive-service/pol-restrict-cog-model-names.json 
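Review bot: `listOfAllowedFormats` defaults to `[]` while `effect` defaults to `Deny`, so an assignment that sets neither parameter denies every `Microsoft.CognitiveServices/accounts/deployments` resource; if that fail-closed default is intended, the definition's description should state it, e.g. `"description": "Only model formats listed in listOfAllowedFormats may be deployed. With the default empty list and Deny effect, every deployment is blocked until the list is populated."`. The parameter description says "Open AI model formats", but the rule compares whatever `model.format` carries (the assignments later in this series pass `xAI` as well), so "model formats" is the accurate wording. The policy relies on the alias `Microsoft.CognitiveServices/accounts/deployments/model.format`; a comment in the README noting which API version that alias was verified against would help when the provider schema changes.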
@@ -0,0 +1,66 @@ +{ + "name": "pol-restrict-cog-model-names", + "properties": { + "displayName": "Cognitive Services accounts should only allow permitted model names", + "description": "This policy ensures that Cognitive Services accounts only allow model names that are explicitly permitted.", + "metadata": { + "category": "Cognitive Services", + "version": "1.0.0", + "preview": false, + "deprecated": false + }, + "mode": "All", + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "modelFormat": { + "type": "string", + "metadata": { + "description": "The model format that is allowed.", + "displayName": "the format of the model" + } + }, + "listOfAllowedNames": { + "type": "Array", + "metadata": { + "description": "The list of Open AI model names that are allowed.", + "displayName": "Allowed model names" + } + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.CognitiveServices/accounts/deployments" + }, + { + "field": "Microsoft.CognitiveServices/accounts/deployments/model.format", + "equals": "[parameters('modelFormat')]" + }, + { + "not": { + "field": "Microsoft.CognitiveServices/accounts/deployments/model.name", + "in": "[parameters('listOfAllowedNames')]" + } + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} diff --git a/policyInitiatives/polset-cognitive-service.json b/policyInitiatives/polset-cognitive-service.json index d0a751d..6ace35b 100644 --- a/policyInitiatives/polset-cognitive-service.json +++ b/policyInitiatives/polset-cognitive-service.json 
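Review bot: The rule evaluates only `model.format` and `model.name`, so an allowed name admits every version of that model — `model.version` is not constrained — and that limitation belongs in the description so assignment owners do not assume version pinning. `"type": "string"` on `modelFormat` is the only lower-case parameter type in these definitions (`"String"` everywhere else) and its displayName `"the format of the model"` reads like a placeholder; `"Model format"` matches the sibling parameters. `listOfAllowedNames` has no `defaultValue`, unlike `listOfAllowedFormats` in pol-restrict-cog-model-formats; making it required is defensible, but the two definitions should follow one convention and the description should say which.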
@@ -48,13 +48,97 @@ "Disabled" ], "defaultValue": "Deny" + }, + "COG-004_Effect": { + "type": "String", + "metadata": { + "displayName": "COG-004 Effect: Cognitive Services accounts should use customer owned storage", + "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy." + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "COG-005_Effect": { + "type": "String", + "metadata": { + "displayName": "COG-005 Effect: Cognitive Services Deployments allowed model formats", + "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy." + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "COG-005_allowedFormats": { + "type": "Array", + "defaultValue": [], + "metadata": { + "displayName": "COG-005 Allowed Model Formats", + "description": "List of Model Formats that are allowed to be deployed." + } + }, + "COG-006_Effect": { + "type": "String", + "metadata": { + "displayName": "COG-006 Effect: Cognitive Services Deployments should only use approved Models from OpenAI", + "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy." + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "COG-006_allowedNames": { + "type": "Array", + "defaultValue": [], + "metadata": { + "displayName": "COG-006 Allowed Model Names for OpenAI format", + "description": "List of Model Names that are allowed to be deployed." 
+ } + }, + "COG-007_Effect": { + "type": "String", + "metadata": { + "displayName": "COG-007 Effect: Cognitive Services Deployments should only use approved Models from xAI", + "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy." + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "COG-007_allowedNames": { + "type": "Array", + "defaultValue": [], + "metadata": { + "displayName": "COG-007 Allowed Model Names for xAI format", + "description": "List of Model Names that are allowed to be deployed." + } } }, "policyDefinitionGroups": [ + { + "name": "ISO27001-2013_A.8.2.3", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.8.2.3" + }, { "name": "ISO27001-2013_A.9.2.3", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.9.2.3" }, + { + "name": "ISO27001-2013_A.9.4.1", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.9.4.1" + }, { "name": "ISO27001-2013_A.10.1.1", "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.10.1.1" @@ -64,12 +148,12 @@ "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.13.1.3" }, { - "name": "ISO27001-2013_A.15.1.2", - "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.15.1.2" + "name": "ISO27001-2013_A.12.5.1", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.12.5.1" }, { - "name": "ISO27001-2013_A.18.1.1", - "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.18.1.1" + "name": "ISO27001-2013_A.14.2.4", + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/ISO27001-2013_A.14.2.4" } ], "policyDefinitions": [ 
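Review bot: The descriptions of `COG-004_Effect` through `COG-007_Effect` say `'Disable' turns off the policy` while the allowed value is `Disabled`; the text should read `'Disabled' turns off the policy.` so operators can copy the exact value. The descriptions of `COG-005_allowedFormats`, `COG-006_allowedNames` and `COG-007_allowedNames` should also state that the `[]` default combined with the `Deny` default blocks every deployment until the list is populated, since that is the behaviour the referenced definitions implement. The pre-existing COG-001..003 parameters above this hunk presumably carry the same 'Disable' wording and are worth fixing in the same pass.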
@@ -107,7 +191,8 @@ } }, "groupNames": [ - "ISO27001-2013_A.9.2.3" + "ISO27001-2013_A.9.2.3", + "ISO27001-2013_A.9.4.1" ] }, { @@ -120,7 +205,57 @@ } }, "groupNames": [ - "ISO27001-2013_A.9.2.3" + "ISO27001-2013_A.8.2.3" + ] + }, + { + "policyDefinitionReferenceId": "COG-005", + "policyDefinitionId": "{policyLocationResourceId}/providers/Microsoft.Authorization/policyDefinitions/pol-restrict-cog-model-formats", + "parameters": { + "effect": { + "value": "[parameters('COG-005_Effect')]" + }, + "allowedFormats": { + "value": "[parameters('COG-005_allowedFormats')]" + } + }, + "groupNames": [ + "ISO27001-2013_A.12.5.1", + "ISO27001-2013_A.14.2.4" + ] + }, + { + "policyDefinitionReferenceId": "COG-006", + "policyDefinitionId": "{policyLocationResourceId}/providers/Microsoft.Authorization/policyDefinitions/pol-restrict-cog-model-names", + "parameters": { + "effect": { + "value": "[parameters('COG-006_Effect')]" + }, + "modelFormat": "OpenAI", + "allowedNames": { + "value": "[parameters('COG-006_allowedNames')]" + } + }, + "groupNames": [ + "ISO27001-2013_A.12.5.1", + "ISO27001-2013_A.14.2.4" + ] + }, + { + "policyDefinitionReferenceId": "COG-007", + "policyDefinitionId": "{policyLocationResourceId}/providers/Microsoft.Authorization/policyDefinitions/pol-restrict-cog-model-names", + "parameters": { + "effect": { + "value": "[parameters('COG-007_Effect')]" + }, + "modelFormat": "xAI", + "allowedNames": { + "value": "[parameters('COG-006_allowedNames')]" + } + }, + "groupNames": [ + "ISO27001-2013_A.12.5.1", + "ISO27001-2013_A.14.2.4" ] } ] diff --git a/policyInitiatives/polset-cosmos-db.json b/policyInitiatives/polset-cosmos-db.json index ee382a7..6aa411e 100644 --- a/policyInitiatives/polset-cosmos-db.json +++ b/policyInitiatives/polset-cosmos-db.json 
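Review bot: In the second hunk, COG-007 passes `"value": "[parameters('COG-006_allowedNames')]"` for its `allowedNames`, so xAI deployments are validated against the OpenAI list and the `COG-007_allowedNames` parameter declared earlier in this patch is never used; it should read `"value": "[parameters('COG-007_allowedNames')]"`. `"modelFormat": "OpenAI"` and `"modelFormat": "xAI"` are bare strings rather than the `{ "value": ... }` objects used by every other parameter reference in the set, and the names `allowedFormats`/`allowedNames` do not match the `listOfAllowedFormats`/`listOfAllowedNames` parameters declared by the two new definitions. Patches 28 and 29 below correct all three, so this commit is not deployable on its own.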
@@ -156,7 +156,7 @@
 {
 "policyDefinitionReferenceId": "COSMOS-001",
 "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2",
- "definitionVersion": "1.1.*",
+ "definitionVersion": "1.2.*",
 "parameters": {
 "effect": {
 "value": "[parameters('COSMOS-001_Effect')]"
diff --git a/tests/policy-integration-tests/.shared/policy_integration_test_config.jsonc b/tests/policy-integration-tests/.shared/policy_integration_test_config.jsonc
index aff7750..bc9e328 100644
--- a/tests/policy-integration-tests/.shared/policy_integration_test_config.jsonc
+++ b/tests/policy-integration-tests/.shared/policy_integration_test_config.jsonc
@@ -40,7 +40,7 @@
 "privateEndpointAPIVersion": "2025-05-01", //API version for private endpoints
 "vnetFlowLogApiVersion": "2024-07-01", //API version for VNet flow logs
 "appServicesAPIVersion": "2025-03-01", //API version for App Services
- "diagnosticSettingsIdSuffix": "/providers/microsoft.insights/diagnosticSettings/setByPolicyLAW", //suffix for the resource ID of the diagnostic settings created by the policy. This is used for testing of the diagnostic settings DINE policies
+ "diagnosticSettingsIdSuffix": "/providers/microsoft.insights/diagnosticSettings/setByPolicy", //suffix for the resource ID of the diagnostic settings created by the policy. This is used for testing of the diagnostic settings DINE policies
 "privateEndpointPrivateDNSZoneGroupIdSuffix": "/privateDnsZoneGroups/deployedByPolicy", //suffix for the resource ID of the private DNS zone group created by the policy for private endpoints. This is used for testing of the private endpoint DINE policies
 //Subscriptions and details about the each subscription used in the tests. This is needed to provide the necessary information for the tests to create and manage resources in the correct subscriptions and resource groups.
 "subscriptions": { From 36755798b94ae1c4dd1e30f85060f6b70205127d Mon Sep 17 00:00:00 2001 
From: Tao Yang Date: Mon, 11 May 2026 18:09:07 +1000 Subject: [PATCH 27/46] Update Azure Cognitive Services policy assignments: modify effects and add allowed formats and names --- policyAssignments/dev/pa-d-cog-service.json | 28 ++++++++-- policyAssignments/prod/pa-p-cog-service.json | 58 ++++++++++++++++++++ 2 files changed, 81 insertions(+), 5 deletions(-) create mode 100644 policyAssignments/prod/pa-p-cog-service.json diff --git a/policyAssignments/dev/pa-d-cog-service.json b/policyAssignments/dev/pa-d-cog-service.json index d25301d..2349def 100644 --- a/policyAssignments/dev/pa-d-cog-service.json +++ b/policyAssignments/dev/pa-d-cog-service.json @@ -20,16 +20,34 @@ "value": "Deny" }, "COG-004_Effect": { - "value": "Audit" + "value": "Deny" }, "COG-005_Effect": { "value": "Deny" }, - "COG-005_allowedPublishers": { - "value": [] + "COG-005_allowedFormats": { + "value": [ + "xAI", + "OpenAI" + ] + }, + "COG-006_Effect": { + "value": "Deny" + }, + "COG-006_allowedNames": { + "value": [ + "gpt-4.1", + "gpt-5.4", + "gpt-5.3-codex" + ] + }, + "COG-007_Effect": { + "value": "Deny" }, - "COG-005_allowedAssetIds": { - "value": [] + "COG-007_allowedNames": { + "value": [ + "grok-4-20-reasoning" + ] } }, "nonComplianceMessages": [], diff --git a/policyAssignments/prod/pa-p-cog-service.json b/policyAssignments/prod/pa-p-cog-service.json new file mode 100644 index 0000000..1eb2521 --- /dev/null +++ b/policyAssignments/prod/pa-p-cog-service.json 
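Review bot: At this point in the series `COG-007_allowedNames` has no effect: the initiative as of patch 26 (polset-cognitive-service.json) still binds COG-007's `allowedNames` to `parameters('COG-006_allowedNames')`, so xAI deployments in this dev assignment and in the new prod assignment pa-p-cog-service.json are checked against the OpenAI names and `grok-4-20-reasoning` is not admitted until patch 29 repairs the binding. The dev and prod files also carry identical hand-maintained model lists; a sentence in each `description` stating that the two lists are kept in sync, or a single shared source, would limit drift. COG-004 moving from `Audit` to `Deny` on the dev scope is a behaviour change that the subject line only calls "modify effects"; the commit message should name it.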
@@ -0,0 +1,58 @@ +{ + "$schema": "../policyAssignment.schema.json", + "policyAssignment": { + "name": "pa-p-cog-service", + "displayName": "Azure Cognitive Services Policies Prod", + "description": "Policy Assignment for Azure Cognitive Services - Prod", + "metadata": { + "category": "Azure Cognitive Services" + }, + "policyDefinitionId": "{policyLocationResourceId}/providers/Microsoft.Authorization/policySetDefinitions/polset-cognitive-service", + "identity": "None", + "parameters": { + "COG-001_Effect": { + "value": "Deny" + }, + "COG-002_Effect": { + "value": "Deny" + }, + "COG-003_Effect": { + "value": "Deny" + }, + "COG-004_Effect": { + "value": "Deny" + }, + "COG-005_Effect": { + "value": "Deny" + }, + "COG-005_allowedFormats": { + "value": [ + "xAI", + "OpenAI" + ] + }, + "COG-006_Effect": { + "value": "Deny" + }, + "COG-006_allowedNames": { + "value": [ + "gpt-4.1", + "gpt-5.4", + "gpt-5.3-codex" + ] + }, + "COG-007_Effect": { + "value": "Deny" + }, + "COG-007_allowedNames": { + "value": [ + "grok-4-20-reasoning" + ] + } + }, + "nonComplianceMessages": [], + "roleDefinitionIds": [] + }, + "definitionSourceManagementGroupId": "/providers/Microsoft.Management/managementGroups/CONTOSO", + "managementGroupId": "CONTOSO" +} From 078d650f6e038dceb5710fcee290c1dbeceee1b0 Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Mon, 11 May 2026 19:15:40 +1000 Subject: [PATCH 28/46] Update modelFormat structure in policy definitions for Cognitive Services --- policyInitiatives/polset-cognitive-service.json | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/policyInitiatives/polset-cognitive-service.json b/policyInitiatives/polset-cognitive-service.json index 6ace35b..6cd0d80 100644 --- a/policyInitiatives/polset-cognitive-service.json +++ b/policyInitiatives/polset-cognitive-service.json 
@@ -231,7 +231,9 @@
 "effect": {
 "value": "[parameters('COG-006_Effect')]"
 },
- "modelFormat": "OpenAI",
+ "modelFormat": {
+ "value": "OpenAI"
+ },
 "allowedNames": {
 "value": "[parameters('COG-006_allowedNames')]"
 }
@@ -248,7 +250,9 @@
 "effect": {
 "value": "[parameters('COG-007_Effect')]"
 },
- "modelFormat": "xAI",
+ "modelFormat": {
+ "value": "xAI"
+ },
 "allowedNames": {
 "value": "[parameters('COG-006_allowedNames')]"
 } From 9ce287a036bb7d4c38bdbdab71e2ff4e9d61aba9 Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Mon, 11 May 2026 22:13:59 +1000 Subject: [PATCH 29/46] Rename allowedFormats and allowedNames parameters to listOfAllowedFormats and listOfAllowedNames in policy assignments and initiatives for consistency --- policyAssignments/dev/pa-d-cog-service.json | 6 +++--- policyAssignments/prod/pa-p-cog-service.json | 6 +++--- .../polset-cognitive-service.json | 18 +++++++++--------- 3 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/policyAssignments/dev/pa-d-cog-service.json b/policyAssignments/dev/pa-d-cog-service.json
index 2349def..4d00771 100644
--- a/policyAssignments/dev/pa-d-cog-service.json
+++ b/policyAssignments/dev/pa-d-cog-service.json
@@ -25,7 +25,7 @@
 "COG-005_Effect": {
 "value": "Deny"
 },
- "COG-005_allowedFormats": {
+ "COG-005_listOfAllowedFormats": {
 "value": [
 "xAI",
 "OpenAI"
@@ -34,7 +34,7 @@
 "COG-006_Effect": {
 "value": "Deny"
 },
- "COG-006_allowedNames": {
+ "COG-006_listOfAllowedNames": {
 "value": [
 "gpt-4.1",
 "gpt-5.4",
@@ -44,7 +44,7 @@
 "COG-007_Effect": {
 "value": "Deny"
 },
- "COG-007_allowedNames": {
+ "COG-007_listOfAllowedNames": {
 "value": [
 "grok-4-20-reasoning"
 ]
diff --git a/policyAssignments/prod/pa-p-cog-service.json b/policyAssignments/prod/pa-p-cog-service.json
index 1eb2521..976d880 100644
--- a/policyAssignments/prod/pa-p-cog-service.json
+++ b/policyAssignments/prod/pa-p-cog-service.json
@@ -25,7 +25,7 @@ "COG-005_Effect": { "value": "Deny" }, - "COG-005_allowedFormats": { + "COG-005_listOfAllowedFormats": { "value": [ "xAI", "OpenAI" @@ -34,7 +34,7 @@ "COG-006_Effect": { "value": "Deny" }, - "COG-006_allowedNames": { + "COG-006_listOfAllowedNames": { "value": [ "gpt-4.1", "gpt-5.4", @@ -44,7 +44,7 @@ "COG-007_Effect": { "value": "Deny" }, - "COG-007_allowedNames": { + "COG-007_listOfAllowedNames": { "value": [ "grok-4-20-reasoning" ] diff --git a/policyInitiatives/polset-cognitive-service.json b/policyInitiatives/polset-cognitive-service.json index 6cd0d80..45f6164 100644 --- a/policyInitiatives/polset-cognitive-service.json +++ b/policyInitiatives/polset-cognitive-service.json @@ -75,7 +75,7 @@ ], "defaultValue": "Deny" }, - "COG-005_allowedFormats": { + "COG-005_listOfAllowedFormats": { "type": "Array", "defaultValue": [], "metadata": { @@ -96,7 +96,7 @@ ], "defaultValue": "Deny" }, - "COG-006_allowedNames": { + "COG-006_listOfAllowedNames": { "type": "Array", "defaultValue": [], "metadata": { @@ -117,7 +117,7 @@ ], "defaultValue": "Deny" }, - "COG-007_allowedNames": { + "COG-007_listOfAllowedNames": { "type": "Array", "defaultValue": [], "metadata": { @@ -215,8 +215,8 @@ "effect": { "value": "[parameters('COG-005_Effect')]" }, - "allowedFormats": { - "value": "[parameters('COG-005_allowedFormats')]" + "listOfAllowedFormats": { + "value": "[parameters('COG-005_listOfAllowedFormats')]" } }, "groupNames": [ @@ -234,8 +234,8 @@ "modelFormat": { "value": "OpenAI" }, - "allowedNames": { - "value": "[parameters('COG-006_allowedNames')]" + "listOfAllowedNames": { + "value": "[parameters('COG-006_listOfAllowedNames')]" } }, "groupNames": [ @@ -253,8 +253,8 @@ "modelFormat": { "value": "xAI" }, - "allowedNames": { - "value": "[parameters('COG-006_allowedNames')]" + "listOfAllowedNames": { + "value": "[parameters('COG-007_listOfAllowedNames')]" } }, "groupNames": [ From 7b5ab41adb2c295d8151ccbc343da7b2b1a07b1b Mon Sep 17 00:00:00 2001 
From: Tao Yang Date: Tue, 12 May 2026 11:56:47 +1000 Subject: [PATCH 30/46] Add integration tests and configuration for Cognitive Services policies --- .../pol-deploy-diag-cosmosDB.json | 9 ++ .../cognitive-service/README.md | 27 ++++ .../cognitive-service/config.json | 16 ++ .../cognitive-service/main.bad.bicep | 68 +++++++++ .../cognitive-service/main.good.bicep | 83 +++++++++++ .../cognitive-service/main.test.bicep | 139 ++++++++++++++++++ .../cognitive-service/tests.ps1 | 90 ++++++++++++ 7 files changed, 432 insertions(+) create mode 100644 tests/policy-integration-tests/cognitive-service/README.md create mode 100644 tests/policy-integration-tests/cognitive-service/config.json create mode 100644 tests/policy-integration-tests/cognitive-service/main.bad.bicep create mode 100644 tests/policy-integration-tests/cognitive-service/main.good.bicep create mode 100644 tests/policy-integration-tests/cognitive-service/main.test.bicep create mode 100644 tests/policy-integration-tests/cognitive-service/tests.ps1 diff --git a/policyDefinitions/diagnostics-settings/pol-deploy-diag-cosmosDB.json b/policyDefinitions/diagnostics-settings/pol-deploy-diag-cosmosDB.json index e028350..e8fb46b 100644 --- a/policyDefinitions/diagnostics-settings/pol-deploy-diag-cosmosDB.json +++ b/policyDefinitions/diagnostics-settings/pol-deploy-diag-cosmosDB.json @@ -180,6 +180,15 @@ "enabled": false }, "timeGrain": null + }, + { + "category": "SLI", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null } ], "logs": [ diff --git a/tests/policy-integration-tests/cognitive-service/README.md b/tests/policy-integration-tests/cognitive-service/README.md new file mode 100644 index 0000000..afb1628 --- /dev/null +++ b/tests/policy-integration-tests/cognitive-service/README.md 
@@ -0,0 +1,27 @@ +# Policy Integration Test - Policy Integration Test Cases for Cognitive Service + +## Introduction + +This folder contains a sample test case for Cognitive Service related policies. + +The test case is designed to test the following policy assignments: + +| Policy Assignment Name | Policy Assignment Scope | Description | +| :--------------------- | :--------------------- | :---------- | +| `pa-d-cog-service` | `/providers/Microsoft.Management/managementGroups/CONTOSO-DEV` | Policy Assignment for the Azure Cognitive Service initiative | +| `pa-d-pedns` | `/providers/Microsoft.Management/managementGroups/CONTOSO-DEV` | Policy Assignment for Azure Private Endpoint DNS Records Policy Initiative (deploy DNS records for Private Endpoints) | +| `pa-d-diag-settings` | `/providers/Microsoft.Management/managementGroups/CONTOSO-DEV` | Policy Assignment for Azure Diagnostic Settings Policy Initiative (deploy diagnostic settings for all applicable Azure resources) | + +The following policies are in scope for testing: + +| Policy Assignment | Policy Reference ID | Policy Name | Policy Effect | +| :---------------- | :---------------- | :------------ | :------------ | +| `pa-d-cog-service` | `COG-001` | Cognitive Service accounts should have local authentication disabled | Deny | +| `pa-d-cog-service` | `COG-002` | Cognitive Services accounts should restrict public network access | Deny | +| `pa-d-cog-service` | `COG-003` | Cognitive Services accounts should use a managed identity | Deny | +| `pa-d-cog-service` | `COG-004` | Cognitive Services accounts should use customer owned storage | Deny | +| `pa-d-cog-service` | `COG-005` | Cognitive Services Deployments allowed model formats | Deny | +| `pa-d-cog-service` | `COG-006` | Cognitive Services Deployments should only use approved Models from OpenAI | Deny | +| `pa-d-cog-service` | `COG-007` | Cognitive Services Deployments should only use approved Models from xAI | Deny | +| `pa-d-diag-settings` | `DS-013` | 
Configure Diagnostic Setting for Azure Cognitive Services | DeployIfNotExists | +| `pa-d-pedns` | `PEDNS-016` | Private DNS Record for Azure Cognitive Services PE must exist | DeployIfNotExists | diff --git a/tests/policy-integration-tests/cognitive-service/config.json b/tests/policy-integration-tests/cognitive-service/config.json new file mode 100644 index 0000000..e8eefda --- /dev/null +++ b/tests/policy-integration-tests/cognitive-service/config.json @@ -0,0 +1,16 @@ +{ + "policyAssignmentIds": [ + "/providers/Microsoft.Management/managementGroups/CONTOSO-DEV/providers/Microsoft.Authorization/policyAssignments/pa-d-pedns", + "/providers/Microsoft.Management/managementGroups/CONTOSO-DEV/providers/Microsoft.Authorization/policyAssignments/pa-d-cog-service", + "/providers/Microsoft.Management/managementGroups/CONTOSO-DEV/providers/Microsoft.Authorization/policyAssignments/pa-d-diag-settings" + ], + "testName": "CognitiveService", + "cogServiceAssignmentName": "pa-d-cog-service", + "diagSettingsAssignmentName": "pa-d-diag-settings", + "peDNSAssignmentName": "pa-d-pedns", + "testSubscription": "sub-d-lz-corp-01", + "testResourceGroup": "rg-ae-d-policy-test-cog-service-001", + "location": "australiaeast", + "tagsForResourceGroup": false, + "removeTestResourceGroup": true +} diff --git a/tests/policy-integration-tests/cognitive-service/main.bad.bicep b/tests/policy-integration-tests/cognitive-service/main.bad.bicep new file mode 100644 index 0000000..222df7a --- /dev/null +++ b/tests/policy-integration-tests/cognitive-service/main.bad.bicep 
@@ -0,0 +1,68 @@ +metadata itemDisplayName = 'Test Template for xxx' +metadata description = 'This template deploys the testing resource for xxx.' +metadata summary = 'Deploys test xxx resources that should violate some policy assignments.' + +// ============ // +// variables // +// ============ // +// Load the configuration file +var globalConfig = loadJsonContent('../.shared/policy_integration_test_config.jsonc') +var localConfig = loadJsonContent('config.json') + +var location = localConfig.location +var namePrefix = globalConfig.namePrefix + +// define template specific variables +var serviceShort = 'cog3' + +resource cognitiveService 'Microsoft.CognitiveServices/accounts@2026-03-01' = { + name: '${namePrefix}${serviceShort}01' + location: location + kind: 'AIServices' + sku: { + name: 'S0' + } + identity: {} //no identity defined, this should violate the policy COG-003 + properties: { + networkAcls: { + defaultAction: 'Allow' + } + publicNetworkAccess: 'Enabled' //this should violate the policy COG-002 + disableLocalAuth: false //this should violate the policy COG-001 + allowProjectManagement: true + customSubDomainName: '${namePrefix}${serviceShort}01' + userOwnedStorage: [] //no user owned storage defined, this should violate the policy COG-004 + } +} + +resource gpt51 'Microsoft.CognitiveServices/accounts/deployments@2026-03-01' = { + name: 'gpt51' + parent: cognitiveService + properties: { + model: { + name: 'gpt-5.1' //this should violate the policy COG-006 since gpt-5.1 is not in the allowed list of models defined in the policy + format: 'OpenAI' + } + } +} + +resource grok4 'Microsoft.CognitiveServices/accounts/deployments@2026-03-01' = { + name: 'grok4' + parent: cognitiveService + properties: { + model: { + name: 'grok-4' //this should violate the policy COG-007 since grok-4 is not in the allowed list of models defined in the policy + format: 'xAI' + } + } +} +resource deepseekr1 'Microsoft.CognitiveServices/accounts/deployments@2026-03-01' = { + 
name: 'deepseekr1' + parent: cognitiveService + properties: { + model: { + name: 'DeepSeek-R1' + format: 'DeepSeek' //this should violate the policy COG-005 since DeepSeek is not in the allowed list of formats defined in the policy + } + } +} diff --git a/tests/policy-integration-tests/cognitive-service/main.good.bicep b/tests/policy-integration-tests/cognitive-service/main.good.bicep new file mode 100644 index 0000000..1f6adcb --- /dev/null +++ b/tests/policy-integration-tests/cognitive-service/main.good.bicep 
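Review bot: The first three `metadata` lines still carry the `xxx` placeholders (`metadata itemDisplayName = 'Test Template for xxx'`); `'Test Template for Cognitive Services'` with a matching description and summary should replace them before this is merged. Because COG-001, COG-002 and COG-003 are assigned with `Deny`, the account resource itself is presumably rejected at deployment time and the three child deployments (gpt51, grok4, deepseekr1) are never submitted, so the COG-005/COG-006/COG-007 violations the comments describe may never surface from this template unless tests.ps1 (not in this hunk) deploys the deployments against a compliant account — worth confirming against the test script and noting in the README. `identity: {}` is an empty object rather than an explicit `type: 'None'`; if the intent is "no identity", the explicit form states the negative case and avoids depending on how the provider treats an empty identity block.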
@@ -0,0 +1,83 @@ +metadata itemDisplayName = 'Test Template for xxxx' +metadata description = 'This template deploys the testing resource for xxxx.' +metadata summary = 'Deploys test xxxx resources that should comply with all policy assignments.' + +// ============ // +// variables // +// ============ // +// Load the configuration file +var globalConfig = loadJsonContent('../.shared/policy_integration_test_config.jsonc') +var localConfig = loadJsonContent('config.json') + +var location = localConfig.location +var namePrefix = globalConfig.namePrefix + +// define template specific variables +var serviceShort = 'cog2' + +resource cognitiveService 'Microsoft.CognitiveServices/accounts@2026-03-01' = { + name: '${namePrefix}${serviceShort}01' + location: location + kind: 'AIServices' + sku: { + name: 'S0' + } + identity: { + type: 'SystemAssigned' + } //identity defined, this should comply with the policy COG-003 + properties: { + networkAcls: { + defaultAction: 'Deny' + } + publicNetworkAccess: 'Disabled' //this should comply with the policy COG-002 + disableLocalAuth: true //this should comply with the policy COG-001 + allowProjectManagement: true + customSubDomainName: '${namePrefix}${serviceShort}01' + userOwnedStorage: [ + { + resourceId: storage.id + } + ] //user owned storage defined, this should comply with the policy COG-004 + } +} +resource gpt41 'Microsoft.CognitiveServices/accounts/deployments@2026-03-01' = { + name: 'gpt41' + parent: cognitiveService + properties: { + model: { + name: 'gpt-4.1' + format: 'OpenAI' + } + } +} + +resource grok420reasoning 'Microsoft.CognitiveServices/accounts/deployments@2026-03-01' = { + name: 'grok-4-20-reasoning' + parent: cognitiveService + properties: { + model: { + name: 'grok-4' + format: 'xAI' + } + } +} + +resource storage 'Microsoft.Storage/storageAccounts@2026-04-01' = { + name: 'sa${namePrefix}${serviceShort}' + location: location + sku: { + name: 'Standard_LRS' + } + kind: 'StorageV2' + properties: { + 
networkAcls: { + defaultAction: 'Deny' + } + publicNetworkAccess: 'Disabled' + allowCrossTenantReplication: false + allowedCopyScope: 'AAD' + allowSharedKeyAccess: false + minimumTlsVersion: 'TLS1_2' + supportsHttpsTrafficOnly: true + } +} diff --git a/tests/policy-integration-tests/cognitive-service/main.test.bicep b/tests/policy-integration-tests/cognitive-service/main.test.bicep new file mode 100644 index 0000000..26643d4 --- /dev/null +++ b/tests/policy-integration-tests/cognitive-service/main.test.bicep 
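Review bot: The `grok420reasoning` deployment sets `model.name: 'grok-4'` while the COG-007 allow-lists in pa-d-cog-service.json and pa-p-cog-service.json contain only `grok-4-20-reasoning`; COG-007 compares `model.name`, not the deployment's `name`, so this "good" template would be denied by the policy it is meant to satisfy. Either the model line should be `name: 'grok-4-20-reasoning'` or the assignment lists should include `grok-4`, with a comment here recording which list entry the deployment is exercising, as the other resources in this file already do. The `xxxx` placeholders in the three `metadata` lines should also be replaced.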
@@ -0,0 +1,139 @@ +metadata itemDisplayName = 'Test Template for xxx' +metadata description = 'This template deploys the testing resource for xxx.' +metadata summary = 'Deploys test xxx resources.' + +// ============ // +// variables // +// ============ // +// Load the configuration file +var globalConfig = loadJsonContent('../.shared/policy_integration_test_config.jsonc') +var localConfig = loadJsonContent('config.json') +//Define required variables from the configuration files - change these based on your requirements +var tags = globalConfig.tags +var location = localConfig.location +var namePrefix = globalConfig.namePrefix +var subName = localConfig.testSubscription +var vnetResourceGroup = globalConfig.subscriptions[subName].networkResourceGroup +var vnetName = globalConfig.subscriptions[subName].vNet +var peSubnetName = globalConfig.subscriptions[subName].peSubnet +var resourceSubnetName = globalConfig.subscriptions[subName].resourceSubnet + +var serviceShort = 'cog1' //use this to form the name of the resources deployed by this template. This is helpful to identify the resource in the portal and also useful if you want to have a policy that targets specific resources by name. For example, if you have a policy that audits whether storage accounts have secure transfer enabled, you can set serviceShort to 'st' and then in the policy definition, you can target resources with name starting with 'st' to only audit the storage accounts deployed by this test template. 
+ +// ============ // +// resources // +// ============ // +resource vnet 'Microsoft.Network/virtualNetworks@2025-05-01' existing = { + name: vnetName + scope: az.resourceGroup(vnetResourceGroup) + + resource peSubnet 'subnets' existing = { name: peSubnetName } +} + +resource cognitiveService 'Microsoft.CognitiveServices/accounts@2026-03-01' = { + name: '${namePrefix}${serviceShort}01' + location: location + tags: tags + kind: 'AIServices' + sku: { + name: 'S0' + } + identity: { + type: 'SystemAssigned' + } + properties: { + networkAcls: { + defaultAction: 'Deny' + } + publicNetworkAccess: 'Disabled' + disableLocalAuth: true + allowProjectManagement: true + customSubDomainName: '${namePrefix}${serviceShort}01' + userOwnedStorage: [ + { + resourceId: storage.id + } + ] + } +} + +resource pe 'Microsoft.Network/privateEndpoints@2025-05-01' = { + name: 'pe-${namePrefix}${serviceShort}-cognitive' + location: location + tags: tags + properties: { + subnet: { + id: vnet::peSubnet.id + } + privateLinkServiceConnections: [ + { + name: 'pe-${namePrefix}${serviceShort}-cognitive' + properties: { + privateLinkServiceId: cognitiveService.id + groupIds: [ + 'account' + ] + } + } + ] + } +} + +resource storage 'Microsoft.Storage/storageAccounts@2026-04-01' = { + name: 'sa${namePrefix}${serviceShort}' + location: location + tags: tags + sku: { + name: 'Standard_LRS' + } + kind: 'StorageV2' + properties: { + networkAcls: { + defaultAction: 'Deny' + } + publicNetworkAccess: 'Disabled' + allowCrossTenantReplication: false + allowedCopyScope: 'AAD' + allowSharedKeyAccess: false + minimumTlsVersion: 'TLS1_2' + supportsHttpsTrafficOnly: true + } +} + +resource storagePe 'Microsoft.Network/privateEndpoints@2025-05-01' = { + name: 'pe-sa${namePrefix}${serviceShort}-blob' + location: location + tags: tags + properties: { + subnet: { + id: vnet::peSubnet.id + } + privateLinkServiceConnections: [ + { + name: 'pe-sa${namePrefix}${serviceShort}-blob' + properties: { + privateLinkServiceId: 
storage.id + groupIds: [ + 'blob' + ] + } + } + ] + } +} +resource storageRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = { + name: guid(cognitiveService.id, storage.id, 'Storage Blob Data Contributor') + properties: { + roleDefinitionId: '/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe' //Storage Blob Data Contributor + principalId: cognitiveService.identity.principalId + principalType: 'ServicePrincipal' + } +} +// ============ // +// outputs // +// ============ // +//Specify the outputs that are required for the test +output name string = cognitiveService.name +output resourceId string = cognitiveService.id +output privateEndpointResourceId string = pe.id +output location string = cognitiveService.location diff --git a/tests/policy-integration-tests/cognitive-service/tests.ps1 b/tests/policy-integration-tests/cognitive-service/tests.ps1 new file mode 100644 index 0000000..8d15163 --- /dev/null +++ b/tests/policy-integration-tests/cognitive-service/tests.ps1 
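Review bot: `storageRoleAssignment` declares no `scope`, so the role assignment is created at the deployment's target scope rather than on the storage account, and the Cognitive Services system identity receives Storage Blob Data Contributor over every storage account in that scope; no `targetScope` is declared in this file, so that is the resource group. Pinning it to the account the service actually uses keeps the grant least-privilege: add `scope: storage` alongside `name:` in that resource. The `guid(cognitiveService.id, storage.id, ...)` name already encodes both resource ids and can stay as is.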
@@ -0,0 +1,90 @@ +#region generic sections for all tests +#Requires -Modules Az.Accounts, Az.PolicyInsights, Az.Resources +#Requires -Version 7.0 + +using module AzResourceTest + +$helperFunctionScriptPath = (resolve-path -relativeBasePath $PSScriptRoot -path '../../../scripts/pipelines/helper/helper-functions.ps1').Path + +#load helper +. $helperFunctionScriptPath + +#Run initiate-test script to set environment variables for test configuration and deployment +$globalConfigFilePath = (resolve-path -RelativeBasePath $PSScriptRoot -path '../.shared/policy_integration_test_config.jsonc').Path +$TestDirectory = $PSScriptRoot +Write-Output "Initiating test with global config file: $globalConfigFilePath and test directory: $TestDirectory" +$initiateTestScriptPath = (resolve-path -RelativeBasePath $PSScriptRoot -path '../.shared/initiate-test.ps1').Path +. $initiateTestScriptPath -globalConfigFilePath $globalConfigFilePath -TestDirectory $TestDirectory + +# Refer to the ../../docs/policy-integration-test-get-started.md for details on the expected variables to be set by the initiate-test script and the structure of those variables. +#endregion + +#region defining tests +<# +The following policy definitions are tested:. + - refer to the README.md in this directory for the list of policies being tested in this test suite and the expected compliance status of each policy. 
+#> +$resourceId = $script:bicepDeploymentOutputs.resourceId.value +$diagSettingsPolicyAssignmentId = $script:LocalConfig_policyAssignmentIds | Where-Object { $_ -imatch "$script:LocalConfig_diagSettingsAssignmentName`$" } +$peDNSPolicyAssignmentId = $script:LocalConfig_policyAssignmentIds | Where-Object { $_ -imatch "$script:LocalConfig_peDNSAssignmentName`$" } +$diagnosticSettingsId = "{0}{1}" -f $resourceId, $script:GlobalConfig_diagnosticSettingsIdSuffix +$cogServicePolicyAssignmentId = $script:LocalConfig_policyAssignmentIds | Where-Object { $_ -imatch "$script:LocalConfig_cogServiceAssignmentName`$" } +$privateEndpointResourceId = $script:bicepDeploymentOutputs.privateEndpointResourceId.value +$privateEndpointPrivateDNSZoneGroupId = '{0}{1}' -f $privateEndpointResourceId, $script:GlobalConfig_privateEndpointPrivateDNSZoneGroupIdSuffix +$violatingPolicies = @( + @{ + policyAssignmentId = $cogServicePolicyAssignmentId + policyDefinitionReferenceId = 'COG-001' + } + @{ + policyAssignmentId = $cogServicePolicyAssignmentId + policyDefinitionReferenceId = 'COG-002' + } + @{ + policyAssignmentId = $cogServicePolicyAssignmentId + policyDefinitionReferenceId = 'COG-003' + } + @{ + policyAssignmentId = $cogServicePolicyAssignmentId + policyDefinitionReferenceId = 'COG-004' + } + @{ + policyAssignmentId = $cogServicePolicyAssignmentId + policyDefinitionReferenceId = 'COG-005' + } + @{ + policyAssignmentId = $cogServicePolicyAssignmentId + policyDefinitionReferenceId = 'COG-006' + } + @{ + policyAssignmentId = $cogServicePolicyAssignmentId + policyDefinitionReferenceId = 'COG-007' + } +) +#define tests +$tests = @() + +#DeployIfNotExists Policies +$tests += New-ARTResourceExistenceTestConfig 'DS-013: Deploy Diagnostic Settings for Cognitive Service to Log Analytics workspace.' 
$script:token $diagnosticSettingsId 'exists' $script:GlobalConfig_diagnosticSettingsAPIVersion +$tests += New-ARTPolicyStateTestConfig 'DS-013: Diagnostic Settings Policy Must Be Compliant' $script:token $resourceId $diagSettingsPolicyAssignmentId 'Compliant' 'DS-013' +$tests += New-ARTResourceExistenceTestConfig 'PEDNS-016: Private DNS Record for Azure Cognitive Service PE must exist' $script:token $privateEndpointPrivateDNSZoneGroupId 'exists' $script:GlobalConfig_privateDNSZoneGroupAPIVersion +$tests += New-ARTPolicyStateTestConfig 'PEDNS-016: Private DNS Record Policy Must Be Compliant' $script:token $privateEndpointResourceId $peDNSPolicyAssignmentId 'Compliant' 'PEDNS-016' + +#Deny policies (testing both positive and negative scenarios) +$tests += New-ARTWhatIfDeploymentTestConfig 'Policy abiding deployment should succeed' $script:token $script:whatIfComplyBicepTemplatePath $script:bicepDeploymentResult.bicepDeploymentTarget 'Succeeded' -maxRetry $script:GlobalConfig_whatIfMaxRetry +$tests += New-ARTWhatIfDeploymentTestConfig 'Policy violating deployment should fail' $script:token $script:whatIfViolateBicepTemplatePath $script:bicepDeploymentResult.bicepDeploymentTarget 'Failed' $violatingPolicies -maxRetry $script:GlobalConfig_whatIfMaxRetry +# +#endregion + +#region Invoke tests - do not modify +$params = @{ + tests = $tests + testTitle = $script:testTitle + contextTitle = $script:contextTitle + testSuiteName = $script:testSuiteName + OutputFile = $script:outputFilePath + OutputFormat = $script:GlobalConfig_testOutputFormat +} +Test-ARTResourceConfiguration @params + +#endregion From c4f3b7747045e148967c49b632b2287a789f8ca4 Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Tue, 12 May 2026 12:09:11 +1000 Subject: [PATCH 31/46] Update resource identifiers in Azure Private Endpoint DNS Records policy initiative --- policyInitiatives/polset-pedns.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
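Review bot: The three `Where-Object { $_ -imatch "$script:LocalConfig_...AssignmentName`$" }` filters interpolate the configured assignment names into a regex unescaped, so a name containing a metacharacter such as `.` or `(` matches more loosely than intended and a different assignment id can be selected silently; a filter that matches nothing yields `$null`, which presumably flows into the later `New-ARTPolicyStateTestConfig` calls unnoticed. Escaping the name keeps the anchored suffix match exact, e.g. `$_ -imatch "$([regex]::Escape($script:LocalConfig_cogServiceAssignmentName))`$"`, and a `throw` when any of the three ids resolves to `$null` would surface a config mistake before the tests run rather than as a confusing policy-state result. The block comment's `tested:.` also has a stray period.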
diff --git a/policyInitiatives/polset-pedns.json b/policyInitiatives/polset-pedns.json
index bd8dd1b..ace7d2d 100755
--- a/policyInitiatives/polset-pedns.json
+++ b/policyInitiatives/polset-pedns.json
@@ -617,7 +617,7 @@
 "value": "[parameters('evaluationDelay')]"
 },
 "groupId": {
- "value": "AzureBackup"
+ "value": "account"
 },
 "resourceLocation": {
 "value": "australiaeast"
@@ -626,7 +626,7 @@
 "value": "[concat(array(concat(parameters('privateDnsZoneResourceGroup'), '/providers/Microsoft.Network/privateDnsZones/', 'privatelink.cognitiveservices.azure.com')), array(concat(parameters('privateDnsZoneResourceGroup'), '/providers/Microsoft.Network/privateDnsZones/', 'privatelink.openai.azure.com')), array(concat(parameters('privateDnsZoneResourceGroup'), '/providers/Microsoft.Network/privateDnsZones/', 'privatelink.services.ai.azure.com')))]"
 },
 "privateLinkServiceResourceType": {
- "value": "Microsoft.RecoveryServices/vaults"
+ "value": "Microsoft.CognitiveServices/accounts"
 }
 },
 "groupNames": [
From 6aadf695b048527d581386fa3639d939b79c65f5 Mon Sep 17 00:00:00 2001
From: Tao Yang
Date: Tue, 12 May 2026 12:22:25 +1000
Subject: [PATCH 32/46] Update storage account API version to 2025-08-01 in integration test templates
---
 .../policy-integration-tests/cognitive-service/main.good.bicep | 2 +-
 .../policy-integration-tests/cognitive-service/main.test.bicep | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/policy-integration-tests/cognitive-service/main.good.bicep b/tests/policy-integration-tests/cognitive-service/main.good.bicep
index 1f6adcb..7caddc6 100644
--- a/tests/policy-integration-tests/cognitive-service/main.good.bicep
+++ b/tests/policy-integration-tests/cognitive-service/main.good.bicep
@@ -62,7 +62,7 @@ resource grok420reasoning 'Microsoft.CognitiveServices/accounts/deployments@2026 } } -resource storage 'Microsoft.Storage/storageAccounts@2026-04-01' = { +resource storage 'Microsoft.Storage/storageAccounts@2025-08-01' = { name: 'sa${namePrefix}${serviceShort}' location: location sku: { diff --git a/tests/policy-integration-tests/cognitive-service/main.test.bicep b/tests/policy-integration-tests/cognitive-service/main.test.bicep index 26643d4..c83da0f 100644 --- a/tests/policy-integration-tests/cognitive-service/main.test.bicep +++ b/tests/policy-integration-tests/cognitive-service/main.test.bicep @@ -79,7 +79,7 @@ resource pe 'Microsoft.Network/privateEndpoints@2025-05-01' = { } } -resource storage 'Microsoft.Storage/storageAccounts@2026-04-01' = { +resource storage 'Microsoft.Storage/storageAccounts@2025-08-01' = { name: 'sa${namePrefix}${serviceShort}' location: location tags: tags From 2af5d5d8a1525b32c52a18a1becb74331b4ad7bd Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Tue, 12 May 2026 12:34:19 +1000 Subject: [PATCH 33/46] Remove unused variable resourceSubnetName from cognitive service test template --- tests/policy-integration-tests/cognitive-service/main.test.bicep | 1 - 1 file changed, 1 deletion(-) diff --git a/tests/policy-integration-tests/cognitive-service/main.test.bicep b/tests/policy-integration-tests/cognitive-service/main.test.bicep index c83da0f..7ef9759 100644 --- a/tests/policy-integration-tests/cognitive-service/main.test.bicep +++ b/tests/policy-integration-tests/cognitive-service/main.test.bicep 
@@ -16,7 +16,6 @@ var subName = localConfig.testSubscription var vnetResourceGroup = globalConfig.subscriptions[subName].networkResourceGroup var vnetName = globalConfig.subscriptions[subName].vNet var peSubnetName = globalConfig.subscriptions[subName].peSubnet -var resourceSubnetName = globalConfig.subscriptions[subName].resourceSubnet var serviceShort = 'cog1' //use this to form the name of the resources deployed by this template. This is helpful to identify the resource in the portal and also useful if you want to have a policy that targets specific resources by name. For example, if you have a policy that audits whether storage accounts have secure transfer enabled, you can set serviceShort to 'st' and then in the policy definition, you can target resources with name starting with 'st' to only audit the storage accounts deployed by this test template. From ff400fe37d841e2097abe89bd9070f02d5c068b6 Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Tue, 12 May 2026 14:25:17 +1000 Subject: [PATCH 34/46] Enhance Cosmos DB policy to include capability checks and update policy definition reference --- .../pol-audit-deny-cdb-local-auth.json | 19 +++++++++++++++++-- policyInitiatives/polset-cosmos-db.json | 3 +-- .../cosmos-db/main.bad.bicep | 1 + 3 files changed, 19 insertions(+), 4 deletions(-) diff --git a/policyDefinitions/cosmos-db/pol-audit-deny-cdb-local-auth.json b/policyDefinitions/cosmos-db/pol-audit-deny-cdb-local-auth.json index e1e7ee8..10fbcf5 100644 --- a/policyDefinitions/cosmos-db/pol-audit-deny-cdb-local-auth.json +++ b/policyDefinitions/cosmos-db/pol-audit-deny-cdb-local-auth.json @@ -7,8 +7,7 @@ "category": "Cosmos DB", "version": "1.0.0", "preview": false, - "deprecated": false, - "source_builtIn_name": "5450f5bd-9c72-4390-a9c4-a7aba4edfdd2" + "deprecated": false }, "mode": "Indexed", "parameters": { 
@@ -36,6 +35,22 @@ { "field": "Microsoft.DocumentDB/databaseAccounts/disableLocalAuth", "notEquals": true + }, + { + "anyOf": [ + { + "field": "Microsoft.DocumentDB/databaseAccounts/capabilities[*].name", + "notin": [ + "EnableMongo", + "EnableCassandra", + "EnableGremlin" + ] + }, + { + "field": "Microsoft.DocumentDB/databaseAccounts/capabilities", + "exists": false + } + ] } ] }, diff --git a/policyInitiatives/polset-cosmos-db.json b/policyInitiatives/polset-cosmos-db.json index 6aa411e..45317ba 100644 --- a/policyInitiatives/polset-cosmos-db.json +++ b/policyInitiatives/polset-cosmos-db.json @@ -155,8 +155,7 @@ "policyDefinitions": [ { "policyDefinitionReferenceId": "COSMOS-001", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2", - "definitionVersion": "1.2.*", + "policyDefinitionId": "{policyLocationResourceId}/providers/Microsoft.Authorization/policyDefinitions/pol-audit-deny-cdb-local-auth", "parameters": { "effect": { "value": "[parameters('COSMOS-001_Effect')]" diff --git a/tests/policy-integration-tests/cosmos-db/main.bad.bicep b/tests/policy-integration-tests/cosmos-db/main.bad.bicep index a501b41..8029c22 100644 --- a/tests/policy-integration-tests/cosmos-db/main.bad.bicep +++ b/tests/policy-integration-tests/cosmos-db/main.bad.bicep @@ -31,6 +31,7 @@ resource cosmosDb 'Microsoft.DocumentDB/databaseAccounts@2025-11-01-preview' = { isZoneRedundant: false } ] + capabilities: [] databaseAccountOfferType: 'Standard' disableLocalAuth: false // this should violate the policy COSMOS-001 enableMultipleWriteLocations: false From 29be506958b2577c887d23b8ef222655e81420da Mon Sep 17 00:00:00 2001 
From: Tao Yang Date: Tue, 12 May 2026 14:55:54 +1000 Subject: [PATCH 35/46] Refactor Cognitive Services policy assignments to update allowed model names and enhance test templates --- policyAssignments/dev/pa-d-cog-service.json | 2 +- policyAssignments/prod/pa-p-cog-service.json | 2 +- .../cognitive-service/main.bad.bicep | 16 ++++++++++++---- .../cognitive-service/main.good.bicep | 12 ++++++++++-- 4 files changed, 24 insertions(+), 8 deletions(-) diff --git a/policyAssignments/dev/pa-d-cog-service.json b/policyAssignments/dev/pa-d-cog-service.json index 4d00771..85a9891 100644 --- a/policyAssignments/dev/pa-d-cog-service.json +++ b/policyAssignments/dev/pa-d-cog-service.json @@ -46,7 +46,7 @@ }, "COG-007_listOfAllowedNames": { "value": [ - "grok-4-20-reasoning" + "grok-4" ] } }, diff --git a/policyAssignments/prod/pa-p-cog-service.json b/policyAssignments/prod/pa-p-cog-service.json index 976d880..ea3369d 100644 --- a/policyAssignments/prod/pa-p-cog-service.json +++ b/policyAssignments/prod/pa-p-cog-service.json @@ -46,7 +46,7 @@ }, "COG-007_listOfAllowedNames": { "value": [ - "grok-4-20-reasoning" + "grok-4" ] } }, diff --git a/tests/policy-integration-tests/cognitive-service/main.bad.bicep b/tests/policy-integration-tests/cognitive-service/main.bad.bicep index 222df7a..0a84d40 100644 --- a/tests/policy-integration-tests/cognitive-service/main.bad.bicep +++ b/tests/policy-integration-tests/cognitive-service/main.bad.bicep @@ -22,7 +22,7 @@ resource cognitiveService 'Microsoft.CognitiveServices/accounts@2026-03-01' = { sku: { name: 'S0' } - identity: {} //no identity defined, this should violate the policy COG-003 + //identity: {} //no identity defined, this should violate the policy COG-003 properties: { networkAcls: { defaultAction: 'Allow' 
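Review bot: The replacement line `//identity: {} //no identity defined, this should violate the policy COG-003` in `main.bad.bicep` leaves a commented-out property in the template, which reads as accidental rather than as test intent. Since the explanation is what matters, drop the dead code and keep a comment only, e.g. `// identity intentionally omitted, this should violate the policy COG-003`, placed where the property would go so the marker stays next to the other COG-00x comments.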
@@ -38,6 +38,10 @@ resource cognitiveService 'Microsoft.CognitiveServices/accounts@2026-03-01' = { resource gpt51 'Microsoft.CognitiveServices/accounts/deployments@2026-03-01' = { name: 'gpt51' parent: cognitiveService + sku: { + name: 'GlobalStandard' + capacity: 1 + } properties: { model: { name: 'gpt-5.1' //this should violate the policy COG-006 since gpt-5.1 is not in the allowed list of models defined in the policy @@ -46,12 +50,16 @@ resource gpt51 'Microsoft.CognitiveServices/accounts/deployments@2026-03-01' = { } } -resource grok4 'Microsoft.CognitiveServices/accounts/deployments@2026-03-01' = { - name: 'grok4' +resource grok3 'Microsoft.CognitiveServices/accounts/deployments@2026-03-01' = { + name: 'grok3' parent: cognitiveService + sku: { + name: 'GlobalStandard' + capacity: 1 + } properties: { model: { - name: 'grok-4' //this should violate the policy COG-007 since grok-4 is not in the allowed list of models defined in the policy + name: 'grok-3' //this should violate the policy COG-007 since grok-3 is not in the allowed list of models defined in the policy format: 'xAI' } } diff --git a/tests/policy-integration-tests/cognitive-service/main.good.bicep b/tests/policy-integration-tests/cognitive-service/main.good.bicep index 7caddc6..464c4a2 100644 --- a/tests/policy-integration-tests/cognitive-service/main.good.bicep +++ b/tests/policy-integration-tests/cognitive-service/main.good.bicep @@ -43,6 +43,10 @@ resource cognitiveService 'Microsoft.CognitiveServices/accounts@2026-03-01' = { resource gpt41 'Microsoft.CognitiveServices/accounts/deployments@2026-03-01' = { name: 'gpt41' parent: cognitiveService + sku: { + name: 'GlobalStandard' + capacity: 1 + } properties: { model: { name: 'gpt-4.1' 
@@ -51,9 +55,13 @@ resource gpt41 'Microsoft.CognitiveServices/accounts/deployments@2026-03-01' = { } } -resource grok420reasoning 'Microsoft.CognitiveServices/accounts/deployments@2026-03-01' = { - name: 'grok-4-20-reasoning' +resource grok4 'Microsoft.CognitiveServices/accounts/deployments@2026-03-01' = { + name: 'grok-4' parent: cognitiveService + sku: { + name: 'GlobalStandard' + capacity: 1 + } properties: { model: { name: 'grok-4' From 444b7b825458672a39f54b90334cf3035ddbdd96 Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Tue, 12 May 2026 16:07:52 +1000 Subject: [PATCH 36/46] Refactor policy rule in Cosmos DB audit policy to check for capabilities count instead of existence --- .../cosmos-db/pol-audit-deny-cdb-local-auth.json | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/policyDefinitions/cosmos-db/pol-audit-deny-cdb-local-auth.json b/policyDefinitions/cosmos-db/pol-audit-deny-cdb-local-auth.json index 10fbcf5..e42a184 100644 --- a/policyDefinitions/cosmos-db/pol-audit-deny-cdb-local-auth.json +++ b/policyDefinitions/cosmos-db/pol-audit-deny-cdb-local-auth.json @@ -47,8 +47,10 @@ ] }, { - "field": "Microsoft.DocumentDB/databaseAccounts/capabilities", - "exists": false + "count":{ + "field":"Microsoft.DocumentDB/databaseAccounts/capabilities[*]" + }, + "equals":0 } ] } From e6363768b53d0f9f010bda458bdd3760bea55ad6 Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Tue, 12 May 2026 16:28:42 +1000 Subject: [PATCH 37/46] Add unique suffix to Cognitive Service account names in test templates --- .../cognitive-service/main.bad.bicep | 11 +++++++++-- .../cognitive-service/main.good.bicep | 9 ++++++++- .../cognitive-service/main.test.bicep | 16 +++++++++++----- 3 files changed, 28 insertions(+), 8 deletions(-) diff --git a/tests/policy-integration-tests/cognitive-service/main.bad.bicep b/tests/policy-integration-tests/cognitive-service/main.bad.bicep index 0a84d40..32b9654 100644 
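Review bot: The added `"count":{`, `"field":"Microsoft.DocumentDB/databaseAccounts/capabilities[*]"` and `"equals":0` lines in `pol-audit-deny-cdb-local-auth.json` omit the space after the colon that the rest of the file uses (compare `"field": "Microsoft.DocumentDB/databaseAccounts/disableLocalAuth",` in the earlier hunk of the same file), so the new branch looks as if it came from a different formatter. Run the file through the project's pretty-printer so the lines read `"count": {`, `"field": "Microsoft.DocumentDB/databaseAccounts/capabilities[*]"` and `"equals": 0`.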
--- a/tests/policy-integration-tests/cognitive-service/main.bad.bicep +++ b/tests/policy-integration-tests/cognitive-service/main.bad.bicep @@ -2,6 +2,12 @@ metadata itemDisplayName = 'Test Template for xxx' metadata description = 'This template deploys the testing resource for xxx.' metadata summary = 'Deploys test xxx resources that should violate some policy assignments.' +// ========== // +// Parameters // +// ========== // +@description('Optional. Get current time stamp. This is used to generate unique name for Cognitive Service account. DO NOT provide a value.') +param now string = utcNow() + // ============ // // variables // // ============ // @@ -11,12 +17,13 @@ var localConfig = loadJsonContent('config.json') var location = localConfig.location var namePrefix = globalConfig.namePrefix +var cognitiveServiceAccountNameSuffix = substring((uniqueString(now, location)), 0, 5) // define template specific variables var serviceShort = 'cog3' resource cognitiveService 'Microsoft.CognitiveServices/accounts@2026-03-01' = { - name: '${namePrefix}${serviceShort}01' + name: '${namePrefix}${serviceShort}${cognitiveServiceAccountNameSuffix}01' location: location kind: 'AIServices' sku: { @@ -30,7 +37,7 @@ resource cognitiveService 'Microsoft.CognitiveServices/accounts@2026-03-01' = { publicNetworkAccess: 'Enabled' //this should violate the policy COG-002 disableLocalAuth: false //this should violate the policy COG-001 allowProjectManagement: true - customSubDomainName: '${namePrefix}${serviceShort}01' + customSubDomainName: '${namePrefix}${serviceShort}${cognitiveServiceAccountNameSuffix}01' userOwnedStorage: [] //no user owned storage defined, this should violate the policy COG-004 } } diff --git a/tests/policy-integration-tests/cognitive-service/main.good.bicep b/tests/policy-integration-tests/cognitive-service/main.good.bicep index 464c4a2..6697cd8 100644 --- a/tests/policy-integration-tests/cognitive-service/main.good.bicep 
+++ b/tests/policy-integration-tests/cognitive-service/main.good.bicep @@ -2,6 +2,12 @@ metadata itemDisplayName = 'Test Template for xxxx' metadata description = 'This template deploys the testing resource for xxxx.' metadata summary = 'Deploys test xxxx resources that should comply with all policy assignments.' +// ========== // +// Parameters // +// ========== // +@description('Optional. Get current time stamp. This is used to generate unique name for Cognitive Service account. DO NOT provide a value.') +param now string = utcNow() + // ============ // // variables // // ============ // @@ -11,12 +17,13 @@ var localConfig = loadJsonContent('config.json') var location = localConfig.location var namePrefix = globalConfig.namePrefix +var cognitiveServiceAccountNameSuffix = substring((uniqueString(now, location)), 0, 5) // define template specific variables var serviceShort = 'cog2' resource cognitiveService 'Microsoft.CognitiveServices/accounts@2026-03-01' = { - name: '${namePrefix}${serviceShort}01' + name: '${namePrefix}${serviceShort}${cognitiveServiceAccountNameSuffix}01' location: location kind: 'AIServices' sku: { diff --git a/tests/policy-integration-tests/cognitive-service/main.test.bicep b/tests/policy-integration-tests/cognitive-service/main.test.bicep index 7ef9759..496b053 100644 --- a/tests/policy-integration-tests/cognitive-service/main.test.bicep +++ b/tests/policy-integration-tests/cognitive-service/main.test.bicep @@ -2,6 +2,12 @@ metadata itemDisplayName = 'Test Template for xxx' metadata description = 'This template deploys the testing resource for xxx.' metadata summary = 'Deploys test xxx resources.' +// ========== // +// Parameters // +// ========== // +@description('Optional. Get current time stamp. This is used to generate unique name for Cognitive Service account. DO NOT provide a value.') +param now string = utcNow() + // ============ // // variables // // ============ // 
@@ -16,7 +22,7 @@ var subName = localConfig.testSubscription var vnetResourceGroup = globalConfig.subscriptions[subName].networkResourceGroup var vnetName = globalConfig.subscriptions[subName].vNet var peSubnetName = globalConfig.subscriptions[subName].peSubnet - +var cognitiveServiceAccountNameSuffix = substring((uniqueString(now, location)), 0, 5) var serviceShort = 'cog1' //use this to form the name of the resources deployed by this template. This is helpful to identify the resource in the portal and also useful if you want to have a policy that targets specific resources by name. For example, if you have a policy that audits whether storage accounts have secure transfer enabled, you can set serviceShort to 'st' and then in the policy definition, you can target resources with name starting with 'st' to only audit the storage accounts deployed by this test template. // ============ // @@ -30,7 +36,7 @@ resource vnet 'Microsoft.Network/virtualNetworks@2025-05-01' existing = { } resource cognitiveService 'Microsoft.CognitiveServices/accounts@2026-03-01' = { - name: '${namePrefix}${serviceShort}01' + name: '${namePrefix}${serviceShort}${cognitiveServiceAccountNameSuffix}01' location: location tags: tags kind: 'AIServices' @@ -47,7 +53,7 @@ resource cognitiveService 'Microsoft.CognitiveServices/accounts@2026-03-01' = { publicNetworkAccess: 'Disabled' disableLocalAuth: true allowProjectManagement: true - customSubDomainName: '${namePrefix}${serviceShort}01' + customSubDomainName: '${namePrefix}${serviceShort}${cognitiveServiceAccountNameSuffix}01' userOwnedStorage: [ { resourceId: storage.id @@ -57,7 +63,7 @@ resource cognitiveService 'Microsoft.CognitiveServices/accounts@2026-03-01' = { } resource pe 'Microsoft.Network/privateEndpoints@2025-05-01' = { - name: 'pe-${namePrefix}${serviceShort}-cognitive' + name: 'pe-${namePrefix}${serviceShort}${cognitiveServiceAccountNameSuffix}-cognitive' location: location tags: tags properties: { 
@@ -66,7 +72,7 @@ resource pe 'Microsoft.Network/privateEndpoints@2025-05-01' = { } privateLinkServiceConnections: [ { - name: 'pe-${namePrefix}${serviceShort}-cognitive' + name: 'pe-${namePrefix}${serviceShort}${cognitiveServiceAccountNameSuffix}-cognitive' properties: { privateLinkServiceId: cognitiveService.id groupIds: [ From 612b1ff3351de618808fcf611694029d2987e469 Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Tue, 12 May 2026 18:04:37 +1000 Subject: [PATCH 38/46] Update Cognitive Services and Cosmos DB resource definitions to use latest API versions and remove unnecessary parameters --- .../cognitive-service/main.bad.bicep | 19 ++++++------------- .../cognitive-service/main.good.bicep | 15 ++++----------- .../cosmos-db/main.bad.bicep | 4 ++-- 3 files changed, 12 insertions(+), 26 deletions(-) diff --git a/tests/policy-integration-tests/cognitive-service/main.bad.bicep b/tests/policy-integration-tests/cognitive-service/main.bad.bicep index 32b9654..343e3e9 100644 --- a/tests/policy-integration-tests/cognitive-service/main.bad.bicep +++ b/tests/policy-integration-tests/cognitive-service/main.bad.bicep @@ -2,12 +2,6 @@ metadata itemDisplayName = 'Test Template for xxx' metadata description = 'This template deploys the testing resource for xxx.' metadata summary = 'Deploys test xxx resources that should violate some policy assignments.' -// ========== // -// Parameters // -// ========== // -@description('Optional. Get current time stamp. This is used to generate unique name for Cognitive Service account. DO NOT provide a value.') -param now string = utcNow() - // ============ // // variables // // ============ // 
@@ -17,13 +11,12 @@ var localConfig = loadJsonContent('config.json') var location = localConfig.location var namePrefix = globalConfig.namePrefix -var cognitiveServiceAccountNameSuffix = substring((uniqueString(now, location)), 0, 5) // define template specific variables var serviceShort = 'cog3' -resource cognitiveService 'Microsoft.CognitiveServices/accounts@2026-03-01' = { - name: '${namePrefix}${serviceShort}${cognitiveServiceAccountNameSuffix}01' +resource cognitiveService 'Microsoft.CognitiveServices/accounts@2025-12-01' = { + name: '${namePrefix}${serviceShort}01' location: location kind: 'AIServices' sku: { @@ -37,12 +30,12 @@ resource cognitiveService 'Microsoft.CognitiveServices/accounts@2026-03-01' = { publicNetworkAccess: 'Enabled' //this should violate the policy COG-002 disableLocalAuth: false //this should violate the policy COG-001 allowProjectManagement: true - customSubDomainName: '${namePrefix}${serviceShort}${cognitiveServiceAccountNameSuffix}01' + customSubDomainName: '${namePrefix}${serviceShort}01' userOwnedStorage: [] //no user owned storage defined, this should violate the policy COG-004 } } -resource gpt51 'Microsoft.CognitiveServices/accounts/deployments@2026-03-01' = { +resource gpt51 'Microsoft.CognitiveServices/accounts/deployments@2025-12-01' = { name: 'gpt51' parent: cognitiveService sku: { @@ -57,7 +50,7 @@ resource gpt51 'Microsoft.CognitiveServices/accounts/deployments@2026-03-01' = { } } -resource grok3 'Microsoft.CognitiveServices/accounts/deployments@2026-03-01' = { +resource grok3 'Microsoft.CognitiveServices/accounts/deployments@2025-12-01' = { name: 'grok3' parent: cognitiveService sku: { @@ -71,7 +64,7 @@ resource grok3 'Microsoft.CognitiveServices/accounts/deployments@2026-03-01' = { } } } -resource deepseekr1 'Microsoft.CognitiveServices/accounts/deployments@2026-03-01' = { +resource deepseekr1 'Microsoft.CognitiveServices/accounts/deployments@2025-12-01' = { name: 'deepseekr1' parent: cognitiveService properties: { 
diff --git a/tests/policy-integration-tests/cognitive-service/main.good.bicep b/tests/policy-integration-tests/cognitive-service/main.good.bicep index 6697cd8..58eef87 100644 --- a/tests/policy-integration-tests/cognitive-service/main.good.bicep +++ b/tests/policy-integration-tests/cognitive-service/main.good.bicep @@ -2,12 +2,6 @@ metadata itemDisplayName = 'Test Template for xxxx' metadata description = 'This template deploys the testing resource for xxxx.' metadata summary = 'Deploys test xxxx resources that should comply with all policy assignments.' -// ========== // -// Parameters // -// ========== // -@description('Optional. Get current time stamp. This is used to generate unique name for Cognitive Service account. DO NOT provide a value.') -param now string = utcNow() - // ============ // // variables // // ============ // @@ -17,13 +11,12 @@ var localConfig = loadJsonContent('config.json') var location = localConfig.location var namePrefix = globalConfig.namePrefix -var cognitiveServiceAccountNameSuffix = substring((uniqueString(now, location)), 0, 5) // define template specific variables var serviceShort = 'cog2' -resource cognitiveService 'Microsoft.CognitiveServices/accounts@2026-03-01' = { - name: '${namePrefix}${serviceShort}${cognitiveServiceAccountNameSuffix}01' +resource cognitiveService 'Microsoft.CognitiveServices/accounts@2025-12-01' = { + name: '${namePrefix}${serviceShort}01' location: location kind: 'AIServices' sku: { @@ -47,7 +40,7 @@ resource cognitiveService 'Microsoft.CognitiveServices/accounts@2026-03-01' = { ] //user owned storage defined, this should comply with the policy COG-004 } } -resource gpt41 'Microsoft.CognitiveServices/accounts/deployments@2026-03-01' = { +resource gpt41 'Microsoft.CognitiveServices/accounts/deployments@2025-12-01' = { name: 'gpt41' parent: cognitiveService sku: { 
@@ -62,7 +55,7 @@ resource gpt41 'Microsoft.CognitiveServices/accounts/deployments@2026-03-01' = { } } -resource grok4 'Microsoft.CognitiveServices/accounts/deployments@2026-03-01' = { +resource grok4 'Microsoft.CognitiveServices/accounts/deployments@2025-12-01' = { name: 'grok-4' parent: cognitiveService sku: { diff --git a/tests/policy-integration-tests/cosmos-db/main.bad.bicep b/tests/policy-integration-tests/cosmos-db/main.bad.bicep index 8029c22..a441bee 100644 --- a/tests/policy-integration-tests/cosmos-db/main.bad.bicep +++ b/tests/policy-integration-tests/cosmos-db/main.bad.bicep @@ -14,7 +14,7 @@ var namePrefix = globalConfig.namePrefix // define template specific variables var serviceShort = 'cos3' -resource cosmosDb 'Microsoft.DocumentDB/databaseAccounts@2025-11-01-preview' = { +resource cosmosDb 'Microsoft.DocumentDB/databaseAccounts@2023-03-15' = { kind: 'GlobalDocumentDB' name: '${namePrefix}${serviceShort}01' location: location @@ -31,7 +31,7 @@ resource cosmosDb 'Microsoft.DocumentDB/databaseAccounts@2025-11-01-preview' = { isZoneRedundant: false } ] - capabilities: [] + //capabilities: [] databaseAccountOfferType: 'Standard' disableLocalAuth: false // this should violate the policy COSMOS-001 enableMultipleWriteLocations: false From dee51ef26657c99e6f0918bcbac8e3923de7ba08 Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Wed, 13 May 2026 10:12:03 +1000 Subject: [PATCH 39/46] Update COSMOS-001 Effect to Modify in Cosmos DB policy assignments and initiative --- policyAssignments/dev/pa-d-cosmos.json | 2 +- policyAssignments/prod/pa-p-cosmos.json | 2 +- policyInitiatives/polset-cosmos-db.json | 12 ++++++------ 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/policyAssignments/dev/pa-d-cosmos.json b/policyAssignments/dev/pa-d-cosmos.json index bd13fcb..6875bd2 100644 --- a/policyAssignments/dev/pa-d-cosmos.json +++ b/policyAssignments/dev/pa-d-cosmos.json 
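Review bot: `//capabilities: []` at the end of the `@@ -31,7 +31,7 @@` hunk of cosmos-db/main.bad.bicep is commented-out code rather than a comment; either delete the line or say why the property was dropped, e.g. `// capabilities omitted: <reason>` with the actual reason, which is not visible here. The bad template's API version also moves to `Microsoft.DocumentDB/databaseAccounts@2023-03-15` while main.good.bicep and main.test.bicep (later in this series) stay on `2025-11-01-preview`, so the good and bad fixtures are no longer evaluated under the same resource schema; align the versions unless the older one is needed to reproduce a specific violation. The `cosmosDb` resource block extends outside both hunks.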
@@ -11,7 +11,7 @@
 "identity": "None",
 "parameters": {
 "COSMOS-001_Effect": {
- "value": "Deny"
+ "value": "Modify"
 },
 "COSMOS-002_Effect": {
 "value": "Deny"
diff --git a/policyAssignments/prod/pa-p-cosmos.json b/policyAssignments/prod/pa-p-cosmos.json
index 9b4dccb..f341668 100644
--- a/policyAssignments/prod/pa-p-cosmos.json
+++ b/policyAssignments/prod/pa-p-cosmos.json
@@ -11,7 +11,7 @@
 "identity": "None",
 "parameters": {
 "COSMOS-001_Effect": {
- "value": "Deny"
+ "value": "Modify"
 },
 "COSMOS-002_Effect": {
 "value": "Deny"
diff --git a/policyInitiatives/polset-cosmos-db.json b/policyInitiatives/polset-cosmos-db.json
index 45317ba..7ff0d02 100644
--- a/policyInitiatives/polset-cosmos-db.json
+++ b/policyInitiatives/polset-cosmos-db.json
@@ -13,15 +13,14 @@
 "COSMOS-001_Effect": {
 "type": "String",
 "metadata": {
- "displayName": "COSMOS-001 Effect: Restrict Cosmos DB Local Authentication",
- "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy."
+ "displayName": "COSMOS-001 Effect: Disable Cosmos DB Local Authentication",
+ "description": "Enable or disable the execution of the policy."
 },
 "allowedValues": [
- "Audit",
- "Deny",
+ "Modify",
 "Disabled"
 ],
- "defaultValue": "Deny"
+ "defaultValue": "Modify"
 },
 "COSMOS-002_Effect": {
 "type": "String",
@@ -155,7 +154,8 @@
 "policyDefinitions": [
 {
 "policyDefinitionReferenceId": "COSMOS-001",
- "policyDefinitionId": "{policyLocationResourceId}/providers/Microsoft.Authorization/policyDefinitions/pol-audit-deny-cdb-local-auth",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/dc2d41d1-4ab1-4666-a3e1-3d51c43e0049",
+ "definitionVersion": "1.2.*",
 "parameters": {
 "effect": {
 "value": "[parameters('COSMOS-001_Effect')]"
From b3f42ededf92fdd47e28a9aecd0a8e84761b8c8b Mon Sep 17 00:00:00 2001
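Review bot: `"identity": "None"` is still the context line above `COSMOS-001_Effect` in both assignment hunks while the value becomes `Modify`, and Azure Policy refuses an assignment whose initiative contains a Modify effect unless the assignment carries a managed identity, so the assignments as committed here cannot be deployed; the following commit adds the identity, and the two should be squashed so every step of the series deploys. In the initiative hunk the parameter description collapses to `"Enable or disable the execution of the policy."`, losing the fact that a non-compliant request is now rewritten (local authentication switched off) rather than rejected, which operators should see in the portal — suggest `"'Modify' sets disableLocalAuth to true on create/update and via remediation tasks; 'Disabled' turns off the policy."`, and the same wording gap exists for `COG-001_Effect` in polset-cognitive-service.json later in this series. The custom definition `pol-audit-deny-cdb-local-auth` is no longer referenced by the initiative after this change; confirm whether it should be removed from policyDefinitions or kept as a Deny alternative.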
From: Tao Yang Date: Wed, 13 May 2026 12:27:10 +1000 Subject: [PATCH 40/46] Update identity to SystemAssigned and modify roleDefinitionIds in Cosmos DB policy assignments --- policyAssignments/dev/pa-d-cosmos.json | 6 ++++-- policyAssignments/prod/pa-p-cosmos.json | 6 ++++-- tests/policy-integration-tests/cosmos-db/README.md | 2 +- 3 files changed, 9 insertions(+), 5 deletions(-) diff --git a/policyAssignments/dev/pa-d-cosmos.json b/policyAssignments/dev/pa-d-cosmos.json index 6875bd2..1b3f013 100644 --- a/policyAssignments/dev/pa-d-cosmos.json +++ b/policyAssignments/dev/pa-d-cosmos.json @@ -8,7 +8,7 @@ "category": "Azure Cosmos DB" }, "policyDefinitionId": "{policyLocationResourceId}/providers/Microsoft.Authorization/policySetDefinitions/polset-cosmos-db", - "identity": "None", + "identity": "SystemAssigned", "parameters": { "COSMOS-001_Effect": { "value": "Modify" @@ -42,7 +42,9 @@ } }, "nonComplianceMessages": [], - "roleDefinitionIds": [] + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-4216-938b-f97437e15450" + ] }, "definitionSourceManagementGroupId": "/providers/Microsoft.Management/managementGroups/CONTOSO-DEV", "managementGroupId": "CONTOSO-DEV" diff --git a/policyAssignments/prod/pa-p-cosmos.json b/policyAssignments/prod/pa-p-cosmos.json index f341668..c88b59e 100644 --- a/policyAssignments/prod/pa-p-cosmos.json +++ b/policyAssignments/prod/pa-p-cosmos.json @@ -8,7 +8,7 @@ "category": "Azure Cosmos DB" }, "policyDefinitionId": "{policyLocationResourceId}/providers/Microsoft.Authorization/policySetDefinitions/polset-cosmos-db", - "identity": "None", + "identity": "SystemAssigned", "parameters": { "COSMOS-001_Effect": { "value": "Modify" 
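Review bot: `"identity": "SystemAssigned"` on an assignment also requires a `location` property on the assignment resource, because the identity is created in that region; none of the hunks show one, so confirm the assignment JSON or the deployment script supplies it, otherwise the assignment fails to create. The role added in the `@@ -42,7 +42,9 @@` hunk, `5bd9cd88-fe45-4216-938b-f97437e15450`, looks like DocumentDB Account Contributor, which is what a Modify on `disableLocalAuth` needs and no more, so the grant is as narrow as the built-in definition allows. The same two changes are made to the prod assignment in the last hunk here and the first hunk on the next physical line.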
@@ -42,7 +42,9 @@ } }, "nonComplianceMessages": [], - "roleDefinitionIds": [] + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-4216-938b-f97437e15450" + ] }, "definitionSourceManagementGroupId": "/providers/Microsoft.Management/managementGroups/CONTOSO", "managementGroupId": "CONTOSO" diff --git a/tests/policy-integration-tests/cosmos-db/README.md b/tests/policy-integration-tests/cosmos-db/README.md index 48ab0f9..0de3cfd 100644 --- a/tests/policy-integration-tests/cosmos-db/README.md +++ b/tests/policy-integration-tests/cosmos-db/README.md @@ -17,7 +17,7 @@ The following policies are in scope for testing: | Policy Assignment | Policy Reference ID | Policy Name | Policy Effect | | :---------------- | :---------------- | :------------ | :------------ | -| `pa-d-cosmos` | `COSMOS-001` | Azure Cosmos DB accounts should have local authentication disabled | Deny | +| `pa-d-cosmos` | `COSMOS-001` | Azure Cosmos DB accounts should have local authentication disabled | Modify | | `pa-d-cosmos` | `COSMOS-002` | Azure Cosmos DB accounts should have firewall rules | Deny | | `pa-d-cosmos` | `COSMOS-003` | Azure Cosmos DB should disable public network access | Deny | | `pa-d-cosmos` | `COSMOS-004` | Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest | Audit | From 39f84e50c00f2ca84278a2df6638437b03a3673e Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Wed, 13 May 2026 12:51:34 +1000 Subject: [PATCH 41/46] Update COSMOS-001 Effect to Modify in Cosmos DB policy definitions and tests --- tests/policy-integration-tests/cosmos-db/tests.ps1 | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/tests/policy-integration-tests/cosmos-db/tests.ps1 b/tests/policy-integration-tests/cosmos-db/tests.ps1 index 8b527b0..222ab12 100644 --- a/tests/policy-integration-tests/cosmos-db/tests.ps1 +++ b/tests/policy-integration-tests/cosmos-db/tests.ps1 
@@ -22,7 +22,7 @@ $initiateTestScriptPath = (resolve-path -RelativeBasePath $PSScriptRoot -path '. #region defining tests <# The following policy definitions are tested:. - - COSMOS-001: Azure Cosmos DB accounts should have local authentication disabled (Deny) + - COSMOS-001: Azure Cosmos DB accounts should have local authentication disabled (Modify) - COSMOS-002: Azure Cosmos DB accounts should have firewall rules (Deny) - COSMOS-003: Azure Cosmos DB should disable public network access (Deny) - COSMOS-004: Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest (Audit) @@ -42,10 +42,6 @@ $cosmosPolicyAssignmentId = $script:LocalConfig_policyAssignmentIds | Where-Obje $privateEndpointResourceId = $script:bicepDeploymentOutputs.privateEndpointResourceId.value $privateEndpointPrivateDNSZoneGroupId = '{0}{1}' -f $privateEndpointResourceId, $script:GlobalConfig_privateEndpointPrivateDNSZoneGroupIdSuffix $violatingPolicies = @( - @{ - policyAssignmentId = $cosmosPolicyAssignmentId - policyDefinitionReferenceId = 'COSMOS-001' - } @{ policyAssignmentId = $cosmosPolicyAssignmentId policyDefinitionReferenceId = 'COSMOS-002' @@ -70,7 +66,10 @@ $violatingPolicies = @( #define tests $tests = @() -#region Audit Policies +#Modify / Append Policies +$tests += New-ARTPropertyCountTestConfig 'COSMOS-001: Local authentication should be disabled' $script:token $resourceId 'properties.disableLocalAuth' 'equals' true + +# Audit Policies $tests += New-ARTPolicyStateTestConfig 'COSMOS-004: Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest' $script:token $resourceId $cosmosPolicyAssignmentId 'NonCompliant' 'COSMOS-004' #DeployIfNotExists Policies From 3aeb625a6a742f45f02ca7d6d1adcabd6815e8b5 Mon Sep 17 00:00:00 2001 
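Review bot: The COSMOS-001 test added in the `@@ -70,7 +66,10 @@` hunk passes a bare `true` to `New-ARTPropertyCountTestConfig`; in argument position PowerShell binds that as the string `'true'`, not the boolean `$true`, and a count helper is not the right shape for a boolean property check — a later commit in this series switches to `New-ARTPropertyValueTestConfig ... 'boolean' ... $true`, which belongs in this commit. Independently, a property-value check alone cannot tell whether the Modify effect applied or the fixture simply set the value (main.test.bicep still sets `disableLocalAuth: true` at this point in the series), so keep a compliance-state assertion next to it, e.g. `$tests += New-ARTPolicyStateTestConfig 'COSMOS-001: Policy must be compliant' $script:token $resourceId $cosmosPolicyAssignmentId 'Compliant' 'COSMOS-001'`. The `$violatingPolicies` array and the `$tests` list both continue outside the hunks.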
From: Tao Yang Date: Wed, 13 May 2026 13:36:43 +1000 Subject: [PATCH 42/46] Update identity to SystemAssigned and add roleDefinitionIds in Cognitive Services and Cosmos DB policy assignments; modify policy initiative effects and test templates --- policyAssignments/dev/pa-d-cog-service.json | 6 ++++-- policyAssignments/prod/pa-p-cog-service.json | 6 ++++-- policyInitiatives/polset-cognitive-service.json | 12 ++++++------ .../cognitive-service/main.bad.bicep | 7 +++---- .../cognitive-service/main.good.bicep | 7 +++---- .../cognitive-service/main.test.bicep | 7 +++---- .../cognitive-service/tests.ps1 | 3 +++ .../cosmos-db/main.bad.bicep | 7 +++---- .../cosmos-db/main.good.bicep | 7 +++---- .../cosmos-db/main.test.bicep | 1 - tests/policy-integration-tests/cosmos-db/tests.ps1 | 2 +- 11 files changed, 33 insertions(+), 32 deletions(-) diff --git a/policyAssignments/dev/pa-d-cog-service.json b/policyAssignments/dev/pa-d-cog-service.json index 85a9891..6a7ef7b 100644 --- a/policyAssignments/dev/pa-d-cog-service.json +++ b/policyAssignments/dev/pa-d-cog-service.json @@ -8,7 +8,7 @@ "category": "Azure Cognitive Services" }, "policyDefinitionId": "{policyLocationResourceId}/providers/Microsoft.Authorization/policySetDefinitions/polset-cognitive-service", - "identity": "None", + "identity": "SystemAssigned", "parameters": { "COG-001_Effect": { "value": "Deny" @@ -51,7 +51,9 @@ } }, "nonComplianceMessages": [], - "roleDefinitionIds": [] + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ] }, "definitionSourceManagementGroupId": "/providers/Microsoft.Management/managementGroups/CONTOSO-DEV", "managementGroupId": "CONTOSO-DEV" diff --git a/policyAssignments/prod/pa-p-cog-service.json b/policyAssignments/prod/pa-p-cog-service.json index ea3369d..112d0e7 100644 --- a/policyAssignments/prod/pa-p-cog-service.json +++ b/policyAssignments/prod/pa-p-cog-service.json 
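Review bot: The role added in the `@@ -51,7 +51,9 @@` hunk, `b24988ac-6180-42a0-ab88-20f7382dd24c`, is the built-in Contributor role, granted to the assignment's identity at the CONTOSO-DEV management group; that is far broader than flipping `disableLocalAuth` on Cognitive Services accounts needs. If this is what the built-in definition referenced by COG-001 declares in its `roleDefinitionIds` it is unavoidable, but say so in the assignment's metadata description or the README; otherwise prefer a service-scoped role such as Cognitive Services Contributor. The path is also written `/providers/microsoft.authorization/roleDefinitions/...` here but `/providers/Microsoft.Authorization/roleDefinitions/...` in the Cosmos DB assignments; ARM is case-insensitive, any string comparison in the deployment tooling is not, so use one casing. The prod assignment on the next physical line has the same change.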
@@ -8,7 +8,7 @@ "category": "Azure Cognitive Services" }, "policyDefinitionId": "{policyLocationResourceId}/providers/Microsoft.Authorization/policySetDefinitions/polset-cognitive-service", - "identity": "None", + "identity": "SystemAssigned", "parameters": { "COG-001_Effect": { "value": "Deny" @@ -51,7 +51,9 @@ } }, "nonComplianceMessages": [], - "roleDefinitionIds": [] + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ] }, "definitionSourceManagementGroupId": "/providers/Microsoft.Management/managementGroups/CONTOSO", "managementGroupId": "CONTOSO" diff --git a/policyInitiatives/polset-cognitive-service.json b/policyInitiatives/polset-cognitive-service.json index 45f6164..a4473e2 100644 --- a/policyInitiatives/polset-cognitive-service.json +++ b/policyInitiatives/polset-cognitive-service.json @@ -13,15 +13,14 @@ "COG-001_Effect": { "type": "String", "metadata": { - "displayName": "COG-001 Effect: Restrict Cognitive Service Local Authentication", - "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy." + "displayName": "COG-001 Effect: Configure Cognitive Services accounts to disable local authentication methods", + "description": "Enable or disable the execution of the policy" }, "allowedValues": [ - "Audit", - "Deny", + "Modify", "Disabled" ], - "defaultValue": "Deny" + "defaultValue": "Modify" }, "COG-002_Effect": { "type": "String", @@ -159,7 +158,8 @@ "policyDefinitions": [ { "policyDefinitionReferenceId": "COG-001", - "policyDefinitionId": "{policyLocationResourceId}/providers/Microsoft.Authorization/policyDefinitions/pol-restrict-cog-local-auth", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555", + "definitionVersion": "1.0.*", "parameters": { "effect": { "value": "[parameters('COG-001_Effect')]" 
diff --git a/tests/policy-integration-tests/cognitive-service/main.bad.bicep b/tests/policy-integration-tests/cognitive-service/main.bad.bicep index 343e3e9..6052250 100644 --- a/tests/policy-integration-tests/cognitive-service/main.bad.bicep +++ b/tests/policy-integration-tests/cognitive-service/main.bad.bicep @@ -1,6 +1,6 @@ -metadata itemDisplayName = 'Test Template for xxx' -metadata description = 'This template deploys the testing resource for xxx.' -metadata summary = 'Deploys test xxx resources that should violate some policy assignments.' +metadata itemDisplayName = 'Test Template for Cognitive Services' +metadata description = 'This template deploys the testing resource for Cognitive Services.' +metadata summary = 'Deploys test Cognitive Services resources that should violate some policy assignments.' // ============ // // variables // @@ -28,7 +28,6 @@ resource cognitiveService 'Microsoft.CognitiveServices/accounts@2025-12-01' = { defaultAction: 'Allow' } publicNetworkAccess: 'Enabled' //this should violate the policy COG-002 - disableLocalAuth: false //this should violate the policy COG-001 allowProjectManagement: true customSubDomainName: '${namePrefix}${serviceShort}01' userOwnedStorage: [] //no user owned storage defined, this should violate the policy COG-004 diff --git a/tests/policy-integration-tests/cognitive-service/main.good.bicep b/tests/policy-integration-tests/cognitive-service/main.good.bicep index 58eef87..06eb9bb 100644 --- a/tests/policy-integration-tests/cognitive-service/main.good.bicep +++ b/tests/policy-integration-tests/cognitive-service/main.good.bicep 
@@ -1,6 +1,6 @@ -metadata itemDisplayName = 'Test Template for xxxx' -metadata description = 'This template deploys the testing resource for xxxx.' -metadata summary = 'Deploys test xxxx resources that should comply with all policy assignments.' +metadata itemDisplayName = 'Test Template for Cognitive Services' +metadata description = 'This template deploys the testing resource for Cognitive Services.' +metadata summary = 'Deploys test Cognitive Services resources that should comply with all policy assignments.' // ============ // // variables // @@ -30,7 +30,6 @@ resource cognitiveService 'Microsoft.CognitiveServices/accounts@2025-12-01' = { defaultAction: 'Deny' } publicNetworkAccess: 'Disabled' //this should comply with the policy COG-002 - disableLocalAuth: true //this should comply with the policy COG-001 allowProjectManagement: true customSubDomainName: '${namePrefix}${serviceShort}01' userOwnedStorage: [ diff --git a/tests/policy-integration-tests/cognitive-service/main.test.bicep b/tests/policy-integration-tests/cognitive-service/main.test.bicep index 496b053..2ac469e 100644 --- a/tests/policy-integration-tests/cognitive-service/main.test.bicep +++ b/tests/policy-integration-tests/cognitive-service/main.test.bicep @@ -1,6 +1,6 @@ -metadata itemDisplayName = 'Test Template for xxx' -metadata description = 'This template deploys the testing resource for xxx.' -metadata summary = 'Deploys test xxx resources.' +metadata itemDisplayName = 'Test Template for Cognitive Services' +metadata description = 'This template deploys the testing resource for Cognitive Services.' +metadata summary = 'Deploys test Cognitive Services resources.' // ========== // // Parameters // 
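Review bot: Removing `disableLocalAuth: true //this should comply with the policy COG-001` from main.good.bicep means the "good" template no longer complies with COG-001 on its own; it is compliant only because the Modify effect rewrites the request, so anyone reusing it as a reference, or deploying it where the assignment's effect is Disabled, gets an account with key-based authentication enabled. main.test.bicep is the fixture the assertions run against, so the good template can keep the explicit `disableLocalAuth: true` without weakening the Modify test; the same applies to cosmos-db/main.good.bicep later in this patch. The `cognitiveService` resource block starts before the hunk.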
@@ -51,7 +51,6 @@ resource cognitiveService 'Microsoft.CognitiveServices/accounts@2026-03-01' = { defaultAction: 'Deny' } publicNetworkAccess: 'Disabled' - disableLocalAuth: true allowProjectManagement: true customSubDomainName: '${namePrefix}${serviceShort}${cognitiveServiceAccountNameSuffix}01' userOwnedStorage: [ diff --git a/tests/policy-integration-tests/cognitive-service/tests.ps1 b/tests/policy-integration-tests/cognitive-service/tests.ps1 index 8d15163..e4d3014 100644 --- a/tests/policy-integration-tests/cognitive-service/tests.ps1 +++ b/tests/policy-integration-tests/cognitive-service/tests.ps1 @@ -64,6 +64,9 @@ $violatingPolicies = @( #define tests $tests = @() +#Modify / Append Policies +$tests += New-ARTPropertyValueTestConfig 'COG-001: Local authentication should be disabled' $script:token $resourceId 'boolean' 'properties.disableLocalAuth' 'equals' $true + #DeployIfNotExists Policies $tests += New-ARTResourceExistenceTestConfig 'DS-013: Deploy Diagnostic Settings for Cognitive Service to Log Analytics workspace.' $script:token $diagnosticSettingsId 'exists' $script:GlobalConfig_diagnosticSettingsAPIVersion $tests += New-ARTPolicyStateTestConfig 'DS-013: Diagnostic Settings Policy Must Be Compliant' $script:token $resourceId $diagSettingsPolicyAssignmentId 'Compliant' 'DS-013' diff --git a/tests/policy-integration-tests/cosmos-db/main.bad.bicep b/tests/policy-integration-tests/cosmos-db/main.bad.bicep index a441bee..dad80d9 100644 --- a/tests/policy-integration-tests/cosmos-db/main.bad.bicep +++ b/tests/policy-integration-tests/cosmos-db/main.bad.bicep 
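Review bot: Omitting `disableLocalAuth` from main.test.bicep is what makes the new COG-001 property assertion in tests.ps1 meaningful (only the Modify effect can set the value), but nothing in the template says so, and the next maintainer will read the missing property as an oversight in a security test fixture; add `// disableLocalAuth intentionally omitted: COG-001 (Modify) must set it to true, tests.ps1 asserts that` where the line was removed. The same applies to cosmos-db/main.test.bicep later in this patch. The `cognitiveService` resource in the first hunk begins outside the hunk.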
@@ -1,6 +1,6 @@ -metadata itemDisplayName = 'Test Template for xxx' -metadata description = 'This template deploys the testing resource for xxx.' -metadata summary = 'Deploys test xxx resources that should violate some policy assignments.' +metadata itemDisplayName = 'Test Template for Cosmos DB' +metadata description = 'This template deploys the testing resource for Cosmos DB.' +metadata summary = 'Deploys test Cosmos DB resources that should violate some policy assignments.' // ============ // // variables // @@ -33,7 +33,6 @@ resource cosmosDb 'Microsoft.DocumentDB/databaseAccounts@2023-03-15' = { ] //capabilities: [] databaseAccountOfferType: 'Standard' - disableLocalAuth: false // this should violate the policy COSMOS-001 enableMultipleWriteLocations: false networkAclBypass: 'AzureServices' enablePartitionMerge: false diff --git a/tests/policy-integration-tests/cosmos-db/main.good.bicep b/tests/policy-integration-tests/cosmos-db/main.good.bicep index abf7825..a42688c 100644 --- a/tests/policy-integration-tests/cosmos-db/main.good.bicep +++ b/tests/policy-integration-tests/cosmos-db/main.good.bicep @@ -1,6 +1,6 @@ -metadata itemDisplayName = 'Test Template for xxxx' -metadata description = 'This template deploys the testing resource for xxxx.' -metadata summary = 'Deploys test xxxx resources that should comply with all policy assignments.' +metadata itemDisplayName = 'Test Template for Cosmos DB' +metadata description = 'This template deploys the testing resource for Cosmos DB.' +metadata summary = 'Deploys test Cosmos DB resources that should comply with all policy assignments.' // ============ // // variables // @@ -32,7 +32,6 @@ resource cosmosDb 'Microsoft.DocumentDB/databaseAccounts@2025-11-01-preview' = { } ] databaseAccountOfferType: 'Standard' - disableLocalAuth: true // this should comply with the policy COSMOS-001 enableMultipleWriteLocations: false networkAclBypass: 'AzureServices' enablePartitionMerge: false 
diff --git a/tests/policy-integration-tests/cosmos-db/main.test.bicep b/tests/policy-integration-tests/cosmos-db/main.test.bicep index 8b6e87a..07e9270 100644 --- a/tests/policy-integration-tests/cosmos-db/main.test.bicep +++ b/tests/policy-integration-tests/cosmos-db/main.test.bicep @@ -48,7 +48,6 @@ resource cosmosDb 'Microsoft.DocumentDB/databaseAccounts@2025-11-01-preview' = { } ] databaseAccountOfferType: 'Standard' - disableLocalAuth: true enableMultipleWriteLocations: false networkAclBypass: 'AzureServices' enablePartitionMerge: false diff --git a/tests/policy-integration-tests/cosmos-db/tests.ps1 b/tests/policy-integration-tests/cosmos-db/tests.ps1 index 222ab12..b4c493f 100644 --- a/tests/policy-integration-tests/cosmos-db/tests.ps1 +++ b/tests/policy-integration-tests/cosmos-db/tests.ps1 @@ -67,7 +67,7 @@ $violatingPolicies = @( $tests = @() #Modify / Append Policies -$tests += New-ARTPropertyCountTestConfig 'COSMOS-001: Local authentication should be disabled' $script:token $resourceId 'properties.disableLocalAuth' 'equals' true +$tests += New-ARTPropertyValueTestConfig 'COSMOS-001: Local authentication should be disabled' $script:token $resourceId 'boolean' 'properties.disableLocalAuth' 'equals' $true # Audit Policies $tests += New-ARTPolicyStateTestConfig 'COSMOS-004: Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest' $script:token $resourceId $cosmosPolicyAssignmentId 'NonCompliant' 'COSMOS-004' From 46c0d53e4a33e39f29e415f9fb3dbe7efa7425d5 Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Wed, 13 May 2026 14:04:01 +1000 Subject: [PATCH 43/46] Update COG-001 Effect to Modify in both dev and prod Cognitive Services policy assignments --- policyAssignments/dev/pa-d-cog-service.json | 2 +- policyAssignments/prod/pa-p-cog-service.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/policyAssignments/dev/pa-d-cog-service.json b/policyAssignments/dev/pa-d-cog-service.json index 6a7ef7b..dafba9e 100644 
--- a/policyAssignments/dev/pa-d-cog-service.json
+++ b/policyAssignments/dev/pa-d-cog-service.json
@@ -11,7 +11,7 @@
 "identity": "SystemAssigned",
 "parameters": {
 "COG-001_Effect": {
- "value": "Deny"
+ "value": "Modify"
 },
 "COG-002_Effect": {
 "value": "Deny"
diff --git a/policyAssignments/prod/pa-p-cog-service.json b/policyAssignments/prod/pa-p-cog-service.json
index 112d0e7..524e01b 100644
--- a/policyAssignments/prod/pa-p-cog-service.json
+++ b/policyAssignments/prod/pa-p-cog-service.json
@@ -11,7 +11,7 @@
 "identity": "SystemAssigned",
 "parameters": {
 "COG-001_Effect": {
- "value": "Deny"
+ "value": "Modify"
 },
 "COG-002_Effect": {
 "value": "Deny"
From cd3a3cec80f40423f8717ecd27a0204433ecfa06 Mon Sep 17 00:00:00 2001
From: Tao Yang
Date: Wed, 13 May 2026 16:06:58 +1000
Subject: [PATCH 44/46] Update allowed names and resource references in Cognitive Services policy assignments and tests
---
 policyAssignments/dev/pa-d-cog-service.json | 3 ++-
 policyAssignments/prod/pa-p-cog-service.json | 3 ++-
 .../cognitive-service/main.good.bicep | 6 +++---
 tests/policy-integration-tests/cognitive-service/tests.ps1 | 4 ----
 4 files changed, 7 insertions(+), 9 deletions(-)
diff --git a/policyAssignments/dev/pa-d-cog-service.json b/policyAssignments/dev/pa-d-cog-service.json
index dafba9e..a3cf709 100644
--- a/policyAssignments/dev/pa-d-cog-service.json
+++ b/policyAssignments/dev/pa-d-cog-service.json
@@ -46,7 +46,8 @@
 },
 "COG-007_listOfAllowedNames": {
 "value": [
- "grok-4"
+ "grok-4",
+ "grok-3"
 ]
 }
 },
diff --git a/policyAssignments/prod/pa-p-cog-service.json b/policyAssignments/prod/pa-p-cog-service.json
index 524e01b..7f856de 100644
--- a/policyAssignments/prod/pa-p-cog-service.json
+++ b/policyAssignments/prod/pa-p-cog-service.json
@@ -46,7 +46,8 @@
 },
 "COG-007_listOfAllowedNames": {
 "value": [
- "grok-4"
+ "grok-4",
+ "grok-3"
 ]
 }
 },
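Review bot: Adding `"grok-3"` to `COG-007_listOfAllowedNames` in both `@@ -46,7 +46,8 @@` hunks contradicts the main.bad.bicep fixture, whose grok-3 deployment is annotated as the expected COG-007 violation (visible as context in a later patch), so at this commit the bad template no longer violates COG-007; the next commit swaps the entry again, and the two should be squashed. The allow-list is also maintained by hand in the dev and prod assignments separately, which is exactly where the two will drift; if they are meant to match, generate both from one list or add a pipeline check that compares them. In the earlier `@@ -11,7 +11,7 @@` hunks, `COG-001_Effect` moves to `Modify` one commit after the initiative restricted `allowedValues` to `Modify`/`Disabled`, leaving the previous commit with an assignment value outside the allowed set.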
diff --git a/tests/policy-integration-tests/cognitive-service/main.good.bicep b/tests/policy-integration-tests/cognitive-service/main.good.bicep index 06eb9bb..56de474 100644 --- a/tests/policy-integration-tests/cognitive-service/main.good.bicep +++ b/tests/policy-integration-tests/cognitive-service/main.good.bicep @@ -54,8 +54,8 @@ resource gpt41 'Microsoft.CognitiveServices/accounts/deployments@2025-12-01' = { } } -resource grok4 'Microsoft.CognitiveServices/accounts/deployments@2025-12-01' = { - name: 'grok-4' +resource grok 'Microsoft.CognitiveServices/accounts/deployments@2025-12-01' = { + name: 'grok-3' parent: cognitiveService sku: { name: 'GlobalStandard' @@ -63,7 +63,7 @@ resource grok4 'Microsoft.CognitiveServices/accounts/deployments@2025-12-01' = { } properties: { model: { - name: 'grok-4' + name: 'grok-3' format: 'xAI' } } diff --git a/tests/policy-integration-tests/cognitive-service/tests.ps1 b/tests/policy-integration-tests/cognitive-service/tests.ps1 index e4d3014..38323f7 100644 --- a/tests/policy-integration-tests/cognitive-service/tests.ps1 +++ b/tests/policy-integration-tests/cognitive-service/tests.ps1 @@ -32,10 +32,6 @@ $cogServicePolicyAssignmentId = $script:LocalConfig_policyAssignmentIds | Where- $privateEndpointResourceId = $script:bicepDeploymentOutputs.privateEndpointResourceId.value $privateEndpointPrivateDNSZoneGroupId = '{0}{1}' -f $privateEndpointResourceId, $script:GlobalConfig_privateEndpointPrivateDNSZoneGroupIdSuffix $violatingPolicies = @( - @{ - policyAssignmentId = $cogServicePolicyAssignmentId - policyDefinitionReferenceId = 'COG-001' - } @{ policyAssignmentId = $cogServicePolicyAssignmentId policyDefinitionReferenceId = 'COG-002' From 189799c365cc1e483997a91d860a48c08ecb3071 Mon Sep 17 00:00:00 2001 
From: Tao Yang Date: Wed, 13 May 2026 17:17:19 +1000 Subject: [PATCH 45/46] Update COG-004 Effect to Audit and modify allowed names in Cognitive Services policy assignments and tests --- policyAssignments/dev/pa-d-cog-service.json | 4 +- policyAssignments/prod/pa-p-cog-service.json | 4 +- .../cognitive-service/README.md | 2 +- .../cognitive-service/main.bad.bicep | 2 +- .../cognitive-service/main.good.bicep | 9 +-- .../cognitive-service/main.test.bicep | 56 +------------------ .../cognitive-service/tests.ps1 | 7 +-- 7 files changed, 15 insertions(+), 69 deletions(-) diff --git a/policyAssignments/dev/pa-d-cog-service.json b/policyAssignments/dev/pa-d-cog-service.json index a3cf709..5a44d1a 100644 --- a/policyAssignments/dev/pa-d-cog-service.json +++ b/policyAssignments/dev/pa-d-cog-service.json @@ -20,7 +20,7 @@ "value": "Deny" }, "COG-004_Effect": { - "value": "Deny" + "value": "Audit" }, "COG-005_Effect": { "value": "Deny" @@ -47,7 +47,7 @@ "COG-007_listOfAllowedNames": { "value": [ "grok-4", - "grok-3" + "grok-4-1-fast-reasoning" ] } }, diff --git a/policyAssignments/prod/pa-p-cog-service.json b/policyAssignments/prod/pa-p-cog-service.json index 7f856de..9692e7b 100644 --- a/policyAssignments/prod/pa-p-cog-service.json +++ b/policyAssignments/prod/pa-p-cog-service.json @@ -20,7 +20,7 @@ "value": "Deny" }, "COG-004_Effect": { - "value": "Deny" + "value": "Audit" }, "COG-005_Effect": { "value": "Deny" @@ -47,7 +47,7 @@ "COG-007_listOfAllowedNames": { "value": [ "grok-4", - "grok-3" + "grok-4-1-fast-reasoning" ] } }, diff --git a/tests/policy-integration-tests/cognitive-service/README.md b/tests/policy-integration-tests/cognitive-service/README.md index afb1628..ffc98f0 100644 --- a/tests/policy-integration-tests/cognitive-service/README.md +++ b/tests/policy-integration-tests/cognitive-service/README.md 
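Review bot: `COG-004_Effect` is relaxed from `Deny` to `Audit` in both the dev and prod hunks, in the same commit that removes the customer-owned storage account and its private endpoint from the test fixture, which reads as a relaxation driven by test convenience rather than by risk; the commit message gives no reason. If the intent is only a simpler fixture, keep prod on `Deny`, or record why customer-owned storage is no longer mandatory (the cognitive-service README row for COG-004 on the next line is the natural place), because an Audit effect lets accounts backed by Microsoft-managed storage be created and merely reports them afterwards.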
@@ -19,7 +19,7 @@ The following policies are in scope for testing: | `pa-d-cog-service` | `COG-001` | Cognitive Service accounts should have local authentication disabled | Deny | | `pa-d-cog-service` | `COG-002` | Cognitive Services accounts should restrict public network access | Deny | | `pa-d-cog-service` | `COG-003` | Cognitive Services accounts should use a managed identity | Deny | -| `pa-d-cog-service` | `COG-004` | Cognitive Services accounts should use customer owned storage | Deny | +| `pa-d-cog-service` | `COG-004` | Cognitive Services accounts should use customer owned storage | Audit | | `pa-d-cog-service` | `COG-005` | Cognitive Services Deployments allowed model formats | Deny | | `pa-d-cog-service` | `COG-006` | Cognitive Services Deployments should only use approved Models from OpenAI | Deny | | `pa-d-cog-service` | `COG-007` | Cognitive Services Deployments should only use approved Models from xAI | Deny | diff --git a/tests/policy-integration-tests/cognitive-service/main.bad.bicep b/tests/policy-integration-tests/cognitive-service/main.bad.bicep index 6052250..2681d5f 100644 --- a/tests/policy-integration-tests/cognitive-service/main.bad.bicep +++ b/tests/policy-integration-tests/cognitive-service/main.bad.bicep @@ -30,7 +30,6 @@ resource cognitiveService 'Microsoft.CognitiveServices/accounts@2025-12-01' = { publicNetworkAccess: 'Enabled' //this should violate the policy COG-002 allowProjectManagement: true customSubDomainName: '${namePrefix}${serviceShort}01' - userOwnedStorage: [] //no user owned storage defined, this should violate the policy COG-004 } } @@ -60,6 +59,7 @@ resource grok3 'Microsoft.CognitiveServices/accounts/deployments@2025-12-01' = { model: { name: 'grok-3' //this should violate the policy COG-007 since grok-3 is not in the allowed list of models defined in the policy format: 'xAI' + version: '1' } } } 
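Review bot: Deleting `userOwnedStorage: [] //no user owned storage defined, this should violate the policy COG-004` takes the only mention of COG-004 out of main.bad.bicep, so the fixture no longer records that this account is expected to be NonCompliant for it; mirror what main.test.bicep does in the next patch hunk and leave a plain comment, `// userOwnedStorage intentionally omitted: expected to be reported NonCompliant by audit policy COG-004`. The `cognitiveService` and `grok3` resource blocks both extend outside their hunks.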
diff --git a/tests/policy-integration-tests/cognitive-service/main.good.bicep b/tests/policy-integration-tests/cognitive-service/main.good.bicep index 56de474..d01db86 100644 --- a/tests/policy-integration-tests/cognitive-service/main.good.bicep +++ b/tests/policy-integration-tests/cognitive-service/main.good.bicep @@ -44,7 +44,7 @@ resource gpt41 'Microsoft.CognitiveServices/accounts/deployments@2025-12-01' = { parent: cognitiveService sku: { name: 'GlobalStandard' - capacity: 1 + capacity: 150 } properties: { model: { @@ -55,16 +55,17 @@ resource gpt41 'Microsoft.CognitiveServices/accounts/deployments@2025-12-01' = { } resource grok 'Microsoft.CognitiveServices/accounts/deployments@2025-12-01' = { - name: 'grok-3' + name: 'grok-4-1-fast-reasoning' parent: cognitiveService sku: { name: 'GlobalStandard' - capacity: 1 + capacity: 4 } properties: { model: { - name: 'grok-3' + name: 'grok-4-1-fast-reasoning' format: 'xAI' + version: '1' } } } diff --git a/tests/policy-integration-tests/cognitive-service/main.test.bicep b/tests/policy-integration-tests/cognitive-service/main.test.bicep index 2ac469e..3bb0306 100644 --- a/tests/policy-integration-tests/cognitive-service/main.test.bicep +++ b/tests/policy-integration-tests/cognitive-service/main.test.bicep @@ -53,11 +53,7 @@ resource cognitiveService 'Microsoft.CognitiveServices/accounts@2026-03-01' = { publicNetworkAccess: 'Disabled' allowProjectManagement: true customSubDomainName: '${namePrefix}${serviceShort}${cognitiveServiceAccountNameSuffix}01' - userOwnedStorage: [ - { - resourceId: storage.id - } - ] + //userOwnedStorage: [] //This should violate the audit policy COG-004 since no user owned storage defined } } 
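Review bot: `//userOwnedStorage: [] //This should violate the audit policy COG-004 since no user owned storage defined` in the main.test.bicep hunk is commented-out code carrying the explanation; keep only the explanation so a reader does not assume the property was switched off temporarily, e.g. `// userOwnedStorage intentionally omitted so COG-004 (Audit) reports this account as NonCompliant`. In main.good.bicep `capacity: 1` becomes `capacity: 150` for gpt41 and `4` for the xAI deployment; if I read the GlobalStandard SKU correctly that value is a throughput quota, and 150 is a lot for a policy test fixture, so confirm it is the minimum the model accepts rather than a copied default. The `storage`, `storagePe` and `storageRoleAssignment` resources that backed the removed property are deleted in the hunk on the next physical line.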
@@ -83,56 +79,6 @@ resource pe 'Microsoft.Network/privateEndpoints@2025-05-01' = { } } -resource storage 'Microsoft.Storage/storageAccounts@2025-08-01' = { - name: 'sa${namePrefix}${serviceShort}' - location: location - tags: tags - sku: { - name: 'Standard_LRS' - } - kind: 'StorageV2' - properties: { - networkAcls: { - defaultAction: 'Deny' - } - publicNetworkAccess: 'Disabled' - allowCrossTenantReplication: false - allowedCopyScope: 'AAD' - allowSharedKeyAccess: false - minimumTlsVersion: 'TLS1_2' - supportsHttpsTrafficOnly: true - } -} - -resource storagePe 'Microsoft.Network/privateEndpoints@2025-05-01' = { - name: 'pe-sa${namePrefix}${serviceShort}-blob' - location: location - tags: tags - properties: { - subnet: { - id: vnet::peSubnet.id - } - privateLinkServiceConnections: [ - { - name: 'pe-sa${namePrefix}${serviceShort}-blob' - properties: { - privateLinkServiceId: storage.id - groupIds: [ - 'blob' - ] - } - } - ] - } -} -resource storageRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = { - name: guid(cognitiveService.id, storage.id, 'Storage Blob Data Contributor') - properties: { - roleDefinitionId: '/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe' //Storage Blob Data Contributor - principalId: cognitiveService.identity.principalId - principalType: 'ServicePrincipal' - } -} // ============ // // outputs // // ============ // diff --git a/tests/policy-integration-tests/cognitive-service/tests.ps1 b/tests/policy-integration-tests/cognitive-service/tests.ps1 index 38323f7..3c98634 100644 --- a/tests/policy-integration-tests/cognitive-service/tests.ps1 +++ b/tests/policy-integration-tests/cognitive-service/tests.ps1 
@@ -40,10 +40,6 @@ $violatingPolicies = @(
 policyAssignmentId = $cogServicePolicyAssignmentId
 policyDefinitionReferenceId = 'COG-003'
 }
- @{
- policyAssignmentId = $cogServicePolicyAssignmentId
- policyDefinitionReferenceId = 'COG-004'
- }
 @{
 policyAssignmentId = $cogServicePolicyAssignmentId
 policyDefinitionReferenceId = 'COG-005'
@@ -63,6 +59,9 @@ $tests = @()
 #Modify / Append Policies
 $tests += New-ARTPropertyValueTestConfig 'COG-001: Local authentication should be disabled' $script:token $resourceId 'boolean' 'properties.disableLocalAuth' 'equals' $true
+# Audit Policies
+$tests += New-ARTPolicyStateTestConfig 'COG-004: Azure Cognitive Services accounts should use customer-owned storage' $script:token $resourceId $cogServicePolicyAssignmentId 'NonCompliant' 'COG-004'
+
 #DeployIfNotExists Policies
 $tests += New-ARTResourceExistenceTestConfig 'DS-013: Deploy Diagnostic Settings for Cognitive Service to Log Analytics workspace.' $script:token $diagnosticSettingsId 'exists' $script:GlobalConfig_diagnosticSettingsAPIVersion
 $tests += New-ARTPolicyStateTestConfig 'DS-013: Diagnostic Settings Policy Must Be Compliant' $script:token $resourceId $diagSettingsPolicyAssignmentId 'Compliant' 'DS-013'
From cfda2b904f282b217b56bef9d01455a58ce35563 Mon Sep 17 00:00:00 2001
From: Tao Yang
Date: Wed, 13 May 2026 19:20:15 +1000
Subject: [PATCH 46/46] Update workflow triggers and format in policy-initiatives.yml; modify defaultValue in polset-diag-settings.json
---
 .github/workflows/policy-initiatives.yml | 9 +++++----
 .gitignore | 4 +++-
 policyInitiatives/polset-diag-settings.json | 2 +-
 3 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/policy-initiatives.yml b/.github/workflows/policy-initiatives.yml
index c8c8d04..e5aa5a6 100644
--- a/.github/workflows/policy-initiatives.yml
+++ b/.github/workflows/policy-initiatives.yml
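Review bot: Dropping the COG-004 entry from `$violatingPolicies` in the first hunk while the second hunk adds `New-ARTPolicyStateTestConfig 'COG-004: …' … 'NonCompliant' 'COG-004'` reads as contradictory if `$violatingPolicies` is the list of policies this fixture is expected to violate, and nothing visible in the file says what the array is consumed by. If the array instead feeds a blanket compliance check that the dedicated NonCompliant assertion now replaces for COG-004, a one-line comment above it, e.g. `# Expected violations excluded from the generic compliance test; COG-004 has its own NonCompliant assertion below`, would make the move read as deliberate. Both hunks sit inside assignments (`$violatingPolicies = @(` and `$tests = @()`) that begin before the hunk.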
@@ -9,9 +9,9 @@ on:
 type: boolean
 default: false
 workflow_run:
- workflows: [ "policy-definitions" ] # name of the triggering workflow
- types: [ completed ]
- branches: [ main ]
+ workflows: ["policy-definitions"] # name of the triggering workflow
+ types: [completed]
+ branches: [main]
 permissions:
 contents: read
@@ -29,7 +29,8 @@ jobs:
 job_call_initiation:
 name: Initiation
 runs-on: ubuntu-latest
- if: ${{ github.event.workflow_run.conclusion == 'success' || github.event_name
+ if:
+ ${{ github.event.workflow_run.conclusion == 'success' || github.event_name
 == 'workflow_dispatch' }}
 steps:
 - name: "Checkout"
diff --git a/.gitignore b/.gitignore
index e2ffc5d..a909caa 100644
--- a/.gitignore
+++ b/.gitignore
@@ -418,4 +418,6 @@ FodyWeavers.xsd
 *.msp
 #Mac
-.DS_Store
\ No newline at end of file
+.DS_Store
+.github/workflows/package.json
+.github/workflows/package-lock.json
diff --git a/policyInitiatives/polset-diag-settings.json b/policyInitiatives/polset-diag-settings.json
index e7036b7..fa8d69a 100644
--- a/policyInitiatives/polset-diag-settings.json
+++ b/policyInitiatives/polset-diag-settings.json
@@ -16,7 +16,7 @@
 "displayName": "Profile name",
 "description": "The diagnostic settings profile name."
 },
- "defaultValue": "setByPolicyLAW"
+ "defaultValue": "setByPolicy"
 },
 "evaluationDelay": {
 "type": "string",
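Review bot: Adding `.github/workflows/package-lock.json` to .gitignore alongside `package.json` means that if any workflow installs Node tooling from that directory, neither the dependency list nor the resolved versions are tracked, so each run resolves packages anew and a given run cannot be reproduced or audited afterwards. If the two files are only scratch output from running a workflow script locally, a comment such as `# local scratch from running workflow scripts by hand; the workflows do not read these` next to the entries would say so; if the workflows do depend on them, the lock file is the one file that should be committed and installed with `npm ci`.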
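Review bot: Changing the default of the parameter whose displayName is `Profile name` from `setByPolicyLAW` to `setByPolicy` changes the name of the diagnostic-settings resource that, judging by the DS-013 test labels earlier on this page, the initiative's DeployIfNotExists policies create; if their existence condition keys on this name, settings already deployed as `setByPolicyLAW` stop matching and remediation would create a second setting beside the old one rather than update it. Confirming how the existence check is written, and whether existing assignments override this parameter, would settle that. The `description` could also record the change, e.g. `"The diagnostic settings profile name (default renamed from setByPolicyLAW to setByPolicy)."`.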
