diff --git a/policyAssignments/dev/pa-d-cog-service.json b/policyAssignments/dev/pa-d-cog-service.json
index 5a44d1a..8fe53f7 100644
--- a/policyAssignments/dev/pa-d-cog-service.json
+++ b/policyAssignments/dev/pa-d-cog-service.json
@@ -51,7 +51,16 @@
 ]
 }
 },
- "nonComplianceMessages": [],
+ "nonComplianceMessages": [
+ {
+ "policyDefinitionReferenceId": "COG-006",
+ "message": "PolicyID: COG-006 Violation in polset-cognitive-service Initiative - 'Only approved OpenAI models are allowed to be deployed in Cognitive Services'"
+ },
+ {
+ "policyDefinitionReferenceId": "COG-007",
+ "message": "PolicyID: COG-007 Violation in polset-cognitive-service Initiative - 'Only approved xAI models are allowed to be deployed in Cognitive Services'"
+ }
+ ],
 "roleDefinitionIds": [
 "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
 ]
diff --git a/policyAssignments/dev/pa-d-pedns.json b/policyAssignments/dev/pa-d-pedns.json
index bf5cc93..05f0d28 100644
--- a/policyAssignments/dev/pa-d-pedns.json
+++ b/policyAssignments/dev/pa-d-pedns.json
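Review bot: The reference ids added here (`COG-006`, `COG-007`) are only useful if they exactly match the `policyDefinitionReferenceId` values declared in the `polset-cognitive-service` initiative, which Azure Policy validates against the initiative when the assignment is deployed; the initiative definition is not part of this diff, so that should be confirmed, and the same applies to `PEDNS-001`..`PEDNS-017` in the pa-d-pedns, pa-p-cog-service and pa-p-pedns hunks. Policies in the initiative that get no entry fall back to the generic compliance message; if a custom text is wanted for those too, a trailing entry without a `policyDefinitionReferenceId` applies to every remaining policy. The dev and prod files carry byte-identical message lists, so any wording change must be made in both places; generating both assignments from one source, or adding a drift check, would keep the environments consistent.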
@@ -71,7 +71,76 @@
 "roleDefinitionIds": [
 "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
 ],
- "nonComplianceMessages": []
+ "nonComplianceMessages": [
+ {
+ "policyDefinitionReferenceId": "PEDNS-001",
+ "message": "PolicyID: PEDNS-001 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Azure Backup Private Endpoint must be configured'"
+ },
+ {
+ "policyDefinitionReferenceId": "PEDNS-002",
+ "message": "PolicyID: PEDNS-002 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Azure Storage blob Private Endpoint must be configured'"
+ },
+ {
+ "policyDefinitionReferenceId": "PEDNS-003",
+ "message": "PolicyID: PEDNS-003 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Azure Storage file Private Endpoint must be configured'"
+ },
+ {
+ "policyDefinitionReferenceId": "PEDNS-004",
+ "message": "PolicyID: PEDNS-004 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Azure Storage dfs Private Endpoint must be configured'"
+ },
+ {
+ "policyDefinitionReferenceId": "PEDNS-005",
+ "message": "PolicyID: PEDNS-005 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Azure Key Vault Private Endpoint must be configured'"
+ },
+ {
+ "policyDefinitionReferenceId": "PEDNS-006",
+ "message": "PolicyID: PEDNS-006 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Azure App Service Private Endpoint must be configured'"
+ },
+ {
+ "policyDefinitionReferenceId": "PEDNS-007",
+ "message": "PolicyID: PEDNS-007 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Event Hub Namespace Private Endpoint must be configured'"
+ },
+ {
+ "policyDefinitionReferenceId": "PEDNS-008",
+ "message": "PolicyID: PEDNS-008 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Azure Databricks Browser Auth Private Endpoint must be configured'"
+ },
+ {
+ "policyDefinitionReferenceId": "PEDNS-009",
+ "message": "PolicyID: PEDNS-009 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Azure Databricks UI API Private Endpoint must be configured'"
+ },
+ {
+ "policyDefinitionReferenceId": "PEDNS-010",
+ "message": "PolicyID: PEDNS-010 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Azure Data Explorer Private Endpoint must be configured'"
+ },
+ {
+ "policyDefinitionReferenceId": "PEDNS-011",
+ "message": "PolicyID: PEDNS-011 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Azure Monitor Private Link Scope Private Endpoint must be configured'"
+ },
+ {
+ "policyDefinitionReferenceId": "PEDNS-012",
+ "message": "PolicyID: PEDNS-012 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Azure Container Registry Private Endpoint must be configured'"
+ },
+ {
+ "policyDefinitionReferenceId": "PEDNS-013",
+ "message": "PolicyID: PEDNS-013 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Health Data Services Private Endpoint must be configured'"
+ },
+ {
+ "policyDefinitionReferenceId": "PEDNS-014",
+ "message": "PolicyID: PEDNS-014 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Container App Managed Environment Private Endpoint must be configured'"
+ },
+ {
+ "policyDefinitionReferenceId": "PEDNS-015",
+ "message": "PolicyID: PEDNS-015 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for App Services slots Private Endpoint must be configured'"
+ },
+ {
+ "policyDefinitionReferenceId": "PEDNS-016",
+ "message": "PolicyID: PEDNS-016 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Cognitive Service Accounts Private Endpoint must be configured'"
+ },
+ {
+ "policyDefinitionReferenceId": "PEDNS-017",
+ "message": "PolicyID: PEDNS-017 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Cosmos DB SQL Private Endpoint must be configured'"
+ }
+ ]
 },
 "definitionSourceManagementGroupId": "/providers/Microsoft.Management/managementGroups/CONTOSO-DEV",
 "managementGroupId": "CONTOSO-DEV"
diff --git a/policyAssignments/prod/pa-p-cog-service.json b/policyAssignments/prod/pa-p-cog-service.json
index 9692e7b..30967e9 100644
--- a/policyAssignments/prod/pa-p-cog-service.json
+++ b/policyAssignments/prod/pa-p-cog-service.json
@@ -51,7 +51,16 @@
 ]
 }
 },
- "nonComplianceMessages": [],
+ "nonComplianceMessages": [
+ {
+ "policyDefinitionReferenceId": "COG-006",
+ "message": "PolicyID: COG-006 Violation in polset-cognitive-service Initiative - 'Only approved OpenAI models are allowed to be deployed in Cognitive Services'"
+ },
+ {
+ "policyDefinitionReferenceId": "COG-007",
+ "message": "PolicyID: COG-007 Violation in polset-cognitive-service Initiative - 'Only approved xAI models are allowed to be deployed in Cognitive Services'"
+ }
+ ],
 "roleDefinitionIds": [
 "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
 ]
diff --git a/policyAssignments/prod/pa-p-pedns.json b/policyAssignments/prod/pa-p-pedns.json
index 728870a..94ac9bc 100644
--- a/policyAssignments/prod/pa-p-pedns.json
+++ b/policyAssignments/prod/pa-p-pedns.json
@@ -71,7 +71,76 @@
 "roleDefinitionIds": [
 "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
 ],
- "nonComplianceMessages": []
+ "nonComplianceMessages": [
+ {
+ "policyDefinitionReferenceId": "PEDNS-001",
+ "message": "PolicyID: PEDNS-001 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Azure Backup Private Endpoint must be configured'"
+ },
+ {
+ "policyDefinitionReferenceId": "PEDNS-002",
+ "message": "PolicyID: PEDNS-002 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Azure Storage blob Private Endpoint must be configured'"
+ },
+ {
+ "policyDefinitionReferenceId": "PEDNS-003",
+ "message": "PolicyID: PEDNS-003 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Azure Storage file Private Endpoint must be configured'"
+ },
+ {
+ "policyDefinitionReferenceId": "PEDNS-004",
+ "message": "PolicyID: PEDNS-004 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Azure Storage dfs Private Endpoint must be configured'"
+ },
+ {
+ "policyDefinitionReferenceId": "PEDNS-005",
+ "message": "PolicyID: PEDNS-005 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Azure Key Vault Private Endpoint must be configured'"
+ },
+ {
+ "policyDefinitionReferenceId": "PEDNS-006",
+ "message": "PolicyID: PEDNS-006 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Azure App Service Private Endpoint must be configured'"
+ },
+ {
+ "policyDefinitionReferenceId": "PEDNS-007",
+ "message": "PolicyID: PEDNS-007 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Event Hub Namespace Private Endpoint must be configured'"
+ },
+ {
+ "policyDefinitionReferenceId": "PEDNS-008",
+ "message": "PolicyID: PEDNS-008 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Azure Databricks Browser Auth Private Endpoint must be configured'"
+ },
+ {
+ "policyDefinitionReferenceId": "PEDNS-009",
+ "message": "PolicyID: PEDNS-009 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Azure Databricks UI API Private Endpoint must be configured'"
+ },
+ {
+ "policyDefinitionReferenceId": "PEDNS-010",
+ "message": "PolicyID: PEDNS-010 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Azure Data Explorer Private Endpoint must be configured'"
+ },
+ {
+ "policyDefinitionReferenceId": "PEDNS-011",
+ "message": "PolicyID: PEDNS-011 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Azure Monitor Private Link Scope Private Endpoint must be configured'"
+ },
+ {
+ "policyDefinitionReferenceId": "PEDNS-012",
+ "message": "PolicyID: PEDNS-012 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Azure Container Registry Private Endpoint must be configured'"
+ },
+ {
+ "policyDefinitionReferenceId": "PEDNS-013",
+ "message": "PolicyID: PEDNS-013 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Health Data Services Private Endpoint must be configured'"
+ },
+ {
+ "policyDefinitionReferenceId": "PEDNS-014",
+ "message": "PolicyID: PEDNS-014 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Container App Managed Environment Private Endpoint must be configured'"
+ },
+ {
+ "policyDefinitionReferenceId": "PEDNS-015",
+ "message": "PolicyID: PEDNS-015 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for App Services slots Private Endpoint must be configured'"
+ },
+ {
+ "policyDefinitionReferenceId": "PEDNS-016",
+ "message": "PolicyID: PEDNS-016 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Cognitive Service Accounts Private Endpoint must be configured'"
+ },
+ {
+ "policyDefinitionReferenceId": "PEDNS-017",
+ "message": "PolicyID: PEDNS-017 Violation in polset-pedns Initiative - 'The Private Endpoint Private DNS Zone group for Cosmos DB SQL Private Endpoint must be configured'"
+ }
+ ]
 },
 "definitionSourceManagementGroupId": "/providers/Microsoft.Management/managementGroups/CONTOSO",
 "managementGroupId": "CONTOSO"
diff --git a/scripts/pipelines/helper/resource-removal-helper.ps1 b/scripts/pipelines/helper/resource-removal-helper.ps1
index 73b3fbe..ec16732 100644
--- a/scripts/pipelines/helper/resource-removal-helper.ps1
+++ b/scripts/pipelines/helper/resource-removal-helper.ps1
@@ -691,6 +691,58 @@ function invokeResourceRemoval {
 }
 break
 }
+ 'Microsoft.Network/networkSecurityGroups' {
+ $subscriptionId = $ResourceId.Split('/')[2]
+ $networkSecurityGroup = Get-AzResource -ResourceId $ResourceId
+ $networkWatcherName = "NetworkWatcher_$($networkSecurityGroup.Location)"
+ $networkWatcherResourceGroupName = "NetworkWatcherRG"
+ $flowLogName = $networkSecurityGroup.Name + '-flowlog'
+
+ $flowLogResourceId = '/subscriptions/{0}/resourceGroups/{1}/providers/Microsoft.Network/networkWatchers/{2}/flowLogs/{3}' -f `
+ $subscriptionId, `
+ $networkWatcherResourceGroupName, `
+ $networkWatcherName, `
+ $flowLogName
+
+ # Remove Flow Log associated with NSG
+ if ($PSCmdlet.ShouldProcess("Resource with ID [$flowLogResourceId]", 'Remove')) {
+ Write-Verbose ('[-] Removing resource [{0}] of type [Microsoft.Network/networkWatchers/flowLogs]' -f $flowLogName) -Verbose
+ $null = Remove-AzResource -ResourceId $flowLogResourceId -Force -ErrorAction 'Stop'
+ }
+
+ # Actual removal
+ # --------------
+ if ($PSCmdlet.ShouldProcess("Resource with ID [$ResourceId]", 'Remove')) {
+ $null = Remove-AzResource -ResourceId $ResourceId -Force -ErrorAction 'Stop'
+ }
+ break
+ }
+ 'Microsoft.Network/virtualNetworks' {
+ $subscriptionId = $ResourceId.Split('/')[2]
+ $vnet = Get-AzResource -ResourceId $ResourceId
+ $networkWatcherName = "NetworkWatcher_$($vnet.Location)"
+ $networkWatcherResourceGroupName = "NetworkWatcherRG"
+ $flowLogName = $vnet.Name + '-flowlog'
+
+ $flowLogResourceId = '/subscriptions/{0}/resourceGroups/{1}/providers/Microsoft.Network/networkWatchers/{2}/flowLogs/{3}' -f `
+ $subscriptionId, `
+ $networkWatcherResourceGroupName, `
+ $networkWatcherName, `
+ $flowLogName
+
+ # Remove Flow Log associated with VNet
+ if ($PSCmdlet.ShouldProcess("Resource with ID [$flowLogResourceId]", 'Remove')) {
+ Write-Verbose ('[-] Removing resource [{0}] of type [Microsoft.Network/networkWatchers/flowLogs]' -f $flowLogName) -Verbose
+ $null = Remove-AzResource -ResourceId $flowLogResourceId -Force -ErrorAction 'Stop'
+ }
+
+ # Actual removal
+ # --------------
+ if ($PSCmdlet.ShouldProcess("Resource with ID [$ResourceId]", 'Remove')) {
+ $null = Remove-AzResource -ResourceId $ResourceId -Force -ErrorAction 'Stop'
+ }
+ break
+ }
 ### CODE LOCATION: Add custom removal action here
 Default {
 if ($PSCmdlet.ShouldProcess("Resource with ID [$ResourceId]", 'Remove')) {
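Review bot: Both new branches call `Remove-AzResource` with `-ErrorAction 'Stop'` on a flow-log id that is only derived from naming convention (`NetworkWatcherRG`, `NetworkWatcher_<location>`, `<name>-flowlog`), so an NSG or VNet that has no flow log, or whose flow log was named differently, makes the helper throw before the `# Actual removal` step and the resource itself is never deleted. Check for the flow log first and only remove it when it exists, e.g. `$flowLog = Get-AzResource -ResourceId $flowLogResourceId -ErrorAction 'SilentlyContinue'` followed by `if ($null -ne $flowLog -and $PSCmdlet.ShouldProcess("Resource with ID [$flowLogResourceId]", 'Remove')) {`; the same change applies to the `'Microsoft.Network/virtualNetworks'` branch. `Get-AzResource -ResourceId $ResourceId` returning nothing for an already-deleted resource would also leave `$networkSecurityGroup.Location` empty and produce a watcher name of `NetworkWatcher_`, which the existence check would tolerate as well. The two branches are otherwise identical apart from the local variable name, so one case condition (`{ $_ -in 'Microsoft.Network/networkSecurityGroups', 'Microsoft.Network/virtualNetworks' }`) or a small helper would avoid maintaining the lookup logic twice. invokeResourceRemoval starts before this hunk.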