From 9491b62c55694e13a4e0182ed94496b9a8dc0b86 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jonas=20N=C3=B8rregaard=20Cordsen?= Date: Thu, 6 Feb 2025 13:30:46 +0100 Subject: [PATCH 1/3] Updating exemption for securityContacts to reflect the expected, as of both MCSB and what the policy deploys --- .../Deploy-ASC-SecurityContacts.json | 23 +++++++++---------- 1 file changed, 11 insertions(+), 12 deletions(-) diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts.json index 0b86bfaa49..d94a0676c3 100644 --- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts.json +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts.json @@ -29,10 +29,7 @@ "effect": { "type": "String", "defaultValue": "DeployIfNotExists", - "allowedValues": [ - "DeployIfNotExists", - "Disabled" - ], + "allowedValues": ["DeployIfNotExists", "Disabled"], "metadata": { "displayName": "Effect", "description": "Enable or disable the execution of the policy" @@ -41,11 +38,7 @@ "minimalSeverity": { "type": "String", "defaultValue": "High", - "allowedValues": [ - "High", - "Medium", - "Low" - ], + "allowedValues": ["High", "Medium", "Low"], "metadata": { "displayName": "Minimal severity", "description": "Defines the minimal alert severity which will be sent as email notifications" @@ -83,6 +76,14 @@ { "field": "Microsoft.Security/securityContacts/notificationsSources[*].Alert.minimalSeverity", "contains": "[[parameters('minimalSeverity')]" + }, + { + "equals": "On", + "field": "Microsoft.Security/securityContacts/notificationsByRole.state" + }, + { + "contains": "Owner", + "field": "Microsoft.Security/securityContacts/notificationsByRole.roles[*]" } ] }, @@ -126,9 +127,7 @@ "isEnabled": true, "notificationsByRole": { "state": "On", - "roles": [ - "Owner" - ] + "roles": ["Owner"] }, "notificationsSources": [ { From b44fee8efb770f04020725984372bee8630fe28d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jonas=20N=C3=B8rregaard=20Cordsen?= Date: Fri, 7 Feb 2025 12:03:35 +0100 Subject: [PATCH 2/3] format: improve JSON formatting in Deploy-ASC-SecurityContacts policy definition --- .../Deploy-ASC-SecurityContacts.json | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts.json index d94a0676c3..9529f9f868 100644 --- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts.json +++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts.json @@ -29,7 +29,10 @@ "effect": { "type": "String", "defaultValue": "DeployIfNotExists", - "allowedValues": ["DeployIfNotExists", "Disabled"], + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], "metadata": { "displayName": "Effect", "description": "Enable or disable the execution of the policy" @@ -38,7 +41,11 @@ "minimalSeverity": { "type": "String", "defaultValue": "High", - "allowedValues": ["High", "Medium", "Low"], + "allowedValues": [ + "High", + "Medium", + "Low" + ], "metadata": { "displayName": "Minimal severity", "description": "Defines the minimal alert severity which will be sent as email notifications" @@ -127,7 +134,9 @@ "isEnabled": true, "notificationsByRole": { "state": "On", - "roles": ["Owner"] + "roles": [ + "Owner" + ] }, "notificationsSources": [ { @@ -146,4 +155,4 @@ } } } -} +} \ No newline at end of file From d05187afa280c48adac6b294a9ff0c108e47b814 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jonas=20N=C3=B8rregaard=20Cordsen?= Date: Fri, 28 Feb 2025 08:16:17 +0100 Subject: [PATCH 3/3] Building new policies.json as per the changes made in policyDefinition --- .../policyDefinitions/policies.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/policies.json b/eslzArm/managementGroupTemplates/policyDefinitions/policies.json index f501fa2b50..4693a10ef6 100644 --- a/eslzArm/managementGroupTemplates/policyDefinitions/policies.json +++ b/eslzArm/managementGroupTemplates/policyDefinitions/policies.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.33.13.18514", - "templateHash": "43522018112477838" + "version": "0.27.1.19265", + "templateHash": "17310143839798797507" } }, "parameters": { @@ -181,7 +181,7 @@ "$fxv#36": "{\n \"name\": \"Deny-FileServices-InsecureSmbChannel\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"File Services with insecure SMB channel encryption should be denied\",\n \"description\": \"This policy denies the use of insecure channel encryption (AES-128-CCM) when using File Services on a storage account.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"The effect determines what happens when the policy rule is evaluated to match\"\n }\n },\n \"notAllowedChannelEncryption\": {\n \"type\": \"String\",\n \"defaultValue\": \"AES-128-CCM\",\n \"allowedValues\": [\n \"AES-128-CCM\",\n \"AES-128-GCM\",\n \"AES-256-GCM\"\n ],\n \"metadata\": {\n \"displayName\": \"SMB channel encryption supported by server. Valid values are AES-128-CCM, AES-128-GCM, AES-256-GCM.\",\n \"description\": \"The list of channelEncryption not allowed.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts/fileServices\"\n },\n {\n \"field\": \"Microsoft.Storage/storageAccounts/fileServices/protocolSettings.smb.channelEncryption\",\n \"contains\": \"[[parameters('notAllowedChannelEncryption')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n }", "$fxv#37": "{\n \"name\": \"Deny-FileServices-InsecureSmbVersions\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"File Services with insecure SMB versions should be denied\",\n \"description\": \"This policy denies the use of insecure versions of SMB (2.1 & 3.0) when using File Services on a storage account.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"The effect determines what happens when the policy rule is evaluated to match\"\n }\n },\n \"allowedSmbVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"SMB3.1.1\",\n \"allowedValues\": [\n \"SMB2.1\",\n \"SMB3.0\",\n \"SMB3.1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Allowed SMB Version\",\n \"description\": \"The allowed SMB version for maximum security\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts/fileServices\"\n },\n {\n \"not\":\n {\n \"field\": \"Microsoft.Storage/storageAccounts/fileServices/protocolSettings.smb.versions\",\n \"contains\": \"[[parameters('allowedSmbVersion')]\"\n }\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n }", "$fxv#38": "{\n \"name\": \"Deny-FileServices-InsecureAuth\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"File Services with insecure authentication methods should be denied\",\n \"description\": \"This policy denies the use of insecure authentication methods (NTLMv2) when using File Services on a storage account.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"The effect determines what happens when the policy rule is evaluated to match\"\n }\n },\n \"notAllowedAuthMethods\": {\n \"type\": \"String\",\n \"defaultValue\": \"NTLMv2\",\n \"allowedValues\": [\n \"NTLMv2\",\n \"Kerberos\"\n ],\n \"metadata\": {\n \"displayName\": \"Authentication methods supported by server. Valid values are NTLMv2, Kerberos.\",\n \"description\": \"The list of channelEncryption not allowed.\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Storage/storageAccounts/fileServices/protocolSettings.smb.authenticationMethods\",\n \"contains\": \"[[parameters('notAllowedAuthMethods')]\"\n },\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Storage/storageAccounts/fileServices\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\"\n }\n }\n }\n }", - "$fxv#39": "{\n \"name\": \"Deploy-ASC-SecurityContacts\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud Security Contacts\",\n \"description\": \"Deploy Microsoft Defender for Cloud Security Contacts\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email addresses (semi-colon separated) for Defender for Cloud contact details\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"String\",\n \"defaultValue\": \"High\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Resources/subscriptions\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Security/securityContacts\",\n \"deploymentScope\": \"subscription\",\n \"existenceScope\": \"subscription\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd\"\n ],\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Security/securityContacts/email\",\n \"contains\": \"[[parameters('emailSecurityContact')]\"\n },\n {\n \"field\": \"Microsoft.Security/securityContacts/isEnabled\",\n \"equals\": true\n },\n {\n \"field\": \"Microsoft.Security/securityContacts/notificationsSources[*].Alert.minimalSeverity\",\n \"contains\": \"[[parameters('minimalSeverity')]\"\n }\n ]\n },\n \"deployment\": {\n \"location\": \"northeurope\",\n \"properties\": {\n \"mode\": \"incremental\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\": {\n \"value\": \"[[parameters('minimalSeverity')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"description\": \"Security contacts email address\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"metadata\": {\n \"description\": \"Minimal severity level reported\"\n }\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Security/securityContacts\",\n \"name\": \"default\",\n \"apiVersion\": \"2023-12-01-preview\",\n \"properties\": {\n \"emails\": \"[[parameters('emailSecurityContact')]\",\n \"isEnabled\": true,\n \"notificationsByRole\": {\n \"state\": \"On\",\n \"roles\": [\n \"Owner\"\n ]\n },\n \"notificationsSources\": [\n {\n \"sourceType\": \"Alert\",\n \"minimalSeverity\": \"[[parameters('minimalSeverity')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#39": "{\n \"name\": \"Deploy-ASC-SecurityContacts\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud Security Contacts\",\n \"description\": \"Deploy Microsoft Defender for Cloud Security Contacts\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email addresses (semi-colon separated) for Defender for Cloud contact details\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"String\",\n \"defaultValue\": \"High\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Resources/subscriptions\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Security/securityContacts\",\n \"deploymentScope\": \"subscription\",\n \"existenceScope\": \"subscription\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd\"\n ],\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Security/securityContacts/email\",\n \"contains\": \"[[parameters('emailSecurityContact')]\"\n },\n {\n \"field\": \"Microsoft.Security/securityContacts/isEnabled\",\n \"equals\": true\n },\n {\n \"field\": \"Microsoft.Security/securityContacts/notificationsSources[*].Alert.minimalSeverity\",\n \"contains\": \"[[parameters('minimalSeverity')]\"\n },\n {\n \"equals\": \"On\",\n \"field\": \"Microsoft.Security/securityContacts/notificationsByRole.state\"\n },\n {\n \"contains\": \"Owner\",\n \"field\": \"Microsoft.Security/securityContacts/notificationsByRole.roles[*]\"\n }\n ]\n },\n \"deployment\": {\n \"location\": \"northeurope\",\n \"properties\": {\n \"mode\": \"incremental\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\": {\n \"value\": \"[[parameters('minimalSeverity')]\"\n }\n },\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"description\": \"Security contacts email address\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"metadata\": {\n \"description\": \"Minimal severity level reported\"\n }\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Security/securityContacts\",\n \"name\": \"default\",\n \"apiVersion\": \"2023-12-01-preview\",\n \"properties\": {\n \"emails\": \"[[parameters('emailSecurityContact')]\",\n \"isEnabled\": true,\n \"notificationsByRole\": {\n \"state\": \"On\",\n \"roles\": [\n \"Owner\"\n ]\n },\n \"notificationsSources\": [\n {\n \"sourceType\": \"Alert\",\n \"minimalSeverity\": \"[[parameters('minimalSeverity')]\"\n }\n ]\n }\n }\n ],\n \"outputs\": {}\n }\n }\n }\n }\n }\n }\n }\n}", "$fxv#4": "{\n \"name\": \"Append-Redis-sslEnforcement\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Azure Cache for Redis Append a specific min TLS version requirement and enforce TLS.\",\n \"description\": \"Append a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Cache\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect Azure Cache for Redis\",\n \"description\": \"Enable or disable the execution of the policy minimum TLS version Azure Cache for Redis\"\n }\n },\n \"minimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.1\",\n \"1.0\"\n ],\n \"metadata\": {\n \"displayName\": \"Select version for Redis server\",\n \"description\": \"Select version minimum TLS version Azure Cache for Redis to enforce\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Cache/redis\"\n },\n {\n \"anyOf\": [\n {\n \"field\": \"Microsoft.Cache/Redis/minimumTlsVersion\",\n \"less\": \"[[parameters('minimumTlsVersion')]\"\n }\n ]\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": [\n {\n \"field\": \"Microsoft.Cache/Redis/minimumTlsVersion\",\n \"value\": \"[[parameters('minimumTlsVersion')]\"\n }\n ]\n }\n }\n }\n}\n", "$fxv#40": "{\n \"name\": \"Deploy-Custom-Route-Table\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"Indexed\",\n \"displayName\": \"Deploy a route table with specific user defined routes\",\n \"description\": \"Deploys a route table with specific user defined routes when one does not exist. The route table deployed by the policy must be manually associated to subnet(s)\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"requiredRoutes\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"requiredRoutes\",\n \"description\": \"Routes that must exist in compliant route tables deployed by this policy\"\n }\n },\n \"vnetRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"vnetRegion\",\n \"description\": \"Only VNets in this region will be evaluated against this policy\"\n }\n },\n \"routeTableName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"routeTableName\",\n \"description\": \"Name of the route table automatically deployed by this policy\"\n }\n },\n \"disableBgpPropagation\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"DisableBgpPropagation\",\n \"description\": \"Disable BGP Propagation\"\n },\n \"defaultValue\": false\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Network/virtualNetworks\"\n },\n {\n \"field\": \"location\",\n \"equals\": \"[[parameters('vnetRegion')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/routeTables\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"name\",\n \"equals\": \"[[parameters('routeTableName')]\"\n },\n {\n \"count\": {\n \"field\": \"Microsoft.Network/routeTables/routes[*]\",\n \"where\": {\n \"value\": \"[[concat(current('Microsoft.Network/routeTables/routes[*].addressPrefix'), ';', current('Microsoft.Network/routeTables/routes[*].nextHopType'), if(equals(toLower(current('Microsoft.Network/routeTables/routes[*].nextHopType')),'virtualappliance'), concat(';', current('Microsoft.Network/routeTables/routes[*].nextHopIpAddress')), ''))]\",\n \"in\": \"[[parameters('requiredRoutes')]\"\n }\n },\n \"equals\": \"[[length(parameters('requiredRoutes'))]\"\n }\n ]\n },\n \"roleDefinitionIds\": [\n \"/subscriptions/e867a45d-e513-44ac-931e-4741cef80b24/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"deployment\": {\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"routeTableName\": {\n \"type\": \"string\"\n },\n \"vnetRegion\": {\n \"type\": \"string\"\n },\n \"requiredRoutes\": {\n \"type\": \"array\"\n },\n \"disableBgpPropagation\": {\n \"type\": \"bool\"\n }\n },\n \"variables\": {\n \"copyLoop\": [\n {\n \"name\": \"routes\",\n \"count\": \"[[[length(parameters('requiredRoutes'))]\",\n \"input\": {\n \"name\": \"[[[concat('route-',copyIndex('routes'))]\",\n \"properties\": {\n \"addressPrefix\": \"[[[split(parameters('requiredRoutes')[copyIndex('routes')], ';')[0]]\",\n \"nextHopType\": \"[[[split(parameters('requiredRoutes')[copyIndex('routes')], ';')[1]]\",\n \"nextHopIpAddress\": \"[[[if(equals(toLower(split(parameters('requiredRoutes')[copyIndex('routes')], ';')[1]),'virtualappliance'),split(parameters('requiredRoutes')[copyIndex('routes')], ';')[2], null())]\"\n }\n }\n }\n ]\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2021-04-01\",\n \"name\": \"routeTableDepl\",\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"routeTableName\": {\n \"type\": \"string\"\n },\n \"vnetRegion\": {\n \"type\": \"string\"\n },\n \"requiredRoutes\": {\n \"type\": \"array\"\n },\n \"disableBgpPropagation\": {\n \"type\": \"bool\"\n }\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/routeTables\",\n \"apiVersion\": \"2021-02-01\",\n \"name\": \"[[[parameters('routeTableName')]\",\n \"location\": \"[[[parameters('vnetRegion')]\",\n \"properties\": {\n \"disableBgpRoutePropagation\": \"[[[parameters('disableBgpPropagation')]\",\n \"copy\": \"[[variables('copyLoop')]\"\n }\n }\n ]\n },\n \"parameters\": {\n \"routeTableName\": {\n \"value\": \"[[parameters('routeTableName')]\"\n },\n \"vnetRegion\": {\n \"value\": \"[[parameters('vnetRegion')]\"\n },\n \"requiredRoutes\": {\n \"value\": \"[[parameters('requiredRoutes')]\"\n },\n \"disableBgpPropagation\": {\n \"value\": \"[[parameters('disableBgpPropagation')]\"\n }\n }\n }\n }\n ]\n },\n \"parameters\": {\n \"routeTableName\": {\n \"value\": \"[[parameters('routeTableName')]\"\n },\n \"vnetRegion\": {\n \"value\": \"[[parameters('vnetRegion')]\"\n },\n \"requiredRoutes\": {\n \"value\": \"[[parameters('requiredRoutes')]\"\n },\n \"disableBgpPropagation\": {\n \"value\": \"[[parameters('disableBgpPropagation')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", "$fxv#41": "{\n \"name\": \"Deploy-DDoSProtection\",\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy an Azure DDoS Network Protection\",\n \"description\": \"Deploys an Azure DDoS Network Protection\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"ddosName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"ddosName\",\n \"description\": \"DDoSVnet\"\n }\n },\n \"ddosRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"ddosRegion\",\n \"description\": \"DDoSVnet location\",\n \"strongType\": \"location\"\n }\n },\n \"rgName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"rgName\",\n \"description\": \"Provide name for resource group.\"\n }\n },\n \"effect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.Resources/subscriptions\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"type\": \"Microsoft.Network/ddosProtectionPlans\",\n \"deploymentScope\": \"subscription\",\n \"existenceScope\": \"resourceGroup\",\n \"resourceGroupName\": \"[[parameters('rgName')]\",\n \"name\": \"[[parameters('ddosName')]\",\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n ],\n \"deployment\": {\n \"location\": \"northeurope\",\n \"properties\": {\n \"mode\": \"Incremental\",\n \"parameters\": {\n \"rgName\": {\n \"value\": \"[[parameters('rgName')]\"\n },\n \"ddosname\": {\n \"value\": \"[[parameters('ddosname')]\"\n },\n \"ddosregion\": {\n \"value\": \"[[parameters('ddosRegion')]\"\n }\n },\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"rgName\": {\n \"type\": \"String\"\n },\n \"ddosname\": {\n \"type\": \"String\"\n },\n \"ddosRegion\": {\n \"type\": \"String\"\n }\n },\n \"resources\": [\n {\n \"type\": \"Microsoft.Resources/resourceGroups\",\n \"apiVersion\": \"2018-05-01\",\n \"name\": \"[[parameters('rgName')]\",\n \"location\": \"[[deployment().location]\",\n \"properties\": {}\n },\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2018-05-01\",\n \"name\": \"ddosprotection\",\n \"resourceGroup\": \"[[parameters('rgName')]\",\n \"dependsOn\": [\n \"[[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Network/ddosProtectionPlans\",\n \"apiVersion\": \"2019-12-01\",\n \"name\": \"[[parameters('ddosName')]\",\n \"location\": \"[[parameters('ddosRegion')]\",\n \"properties\": {}\n }\n ],\n \"outputs\": {}\n }\n }\n }\n ],\n \"outputs\": {}\n }\n }\n }\n }\n }\n }\n }\n}\n",