From dd486baf564c3972f21ae670fbcc0b5fb23f05f3 Mon Sep 17 00:00:00 2001 
From: Janaki Devi Kantamneni <115656497+jkantamneni@users.noreply.github.com> Date: Thu, 14 Dec 2023 06:36:25 -0600 Subject: [PATCH] Release 1.0.0 (#13) * Release 1.0.0 * Release 1.0.0 * Release 1.0.0 --------- Co-authored-by: Microsoft Open Source --- README.md | 10 +-- .../modules/customRoleDefinitions/README.md | 2 +- .../bicep/modules/hubNetworking/README.md | 25 ++++++ .../generateddocs/hubNetworking.bicep.md | 42 ++++++++- .../modules/hubNetworking/hubNetworking.bicep | 36 +++++++- .../hubNetworking.parameters.all.json | 13 ++- .../hubNetworking.parameters.min.json | 3 + .../mc-hubNetworking.parameters.all.json | 12 ++- .../mc-hubNetworking.parameters.min.json | 3 + .../alzDefaultPolicyAssignments.bicep | 88 +++++++++++++------ .../alzDefaultPolicyAssignments.bicep.md | 20 ++++- .../mc-alzDefaultPolicyAssignments.bicep.md | 4 +- .../mc-alzDefaultPolicyAssignments.bicep | 2 +- ...faultPolicyAssignments.parameters.all.json | 9 ++ ...y_assignment_es_audit_pednszones.tmpl.json | 1 + ...ssignment_es_deny_databricks_sku.tmpl.json | 2 +- ...ment_es_deploy_private_dns_zones.tmpl.json | 3 + .../definitions/customPolicyDefinitions.bicep | 46 +++++++++- ..._definition_es_mc_Deny-Databricks-Sku.json | 4 +- ...finition_es_Audit-PrivateLinkDnsZones.json | 3 +- ...icy_definition_es_Deny-Databricks-Sku.json | 2 +- ...y-MachineLearning-PublicNetworkAccess.json | 3 +- ...ition_es_Deny-MgmtPorts-From-Internet.json | 1 + ...cy_definition_es_Deny-PostgreSql-http.json | 4 +- ...nition_es_Deny-PublicEndpoint-MariaDB.json | 3 +- .../policy_definition_es_Deny-PublicIP.json | 3 +- ..._definition_es_Deny-RDP-From-Internet.json | 3 +- ...definition_es_DenyAction-ActivityLogs.json | 38 ++++++++ ...finition_es_DenyAction-DiagnosticLogs.json | 38 ++++++++ ...nition_es_Deploy-Diagnostics-CosmosDB.json | 6 +- ...nition_es_Deploy-MySQL-sslEnforcement.json | 4 +- ...finition_es_Deploy-Nsg-FlowLogs-to-LA.json | 3 +- ...icy_definition_es_Deploy-Nsg-FlowLogs.json | 3 +- 
...n_es_Deploy-PostgreSQL-sslEnforcement.json | 4 +- ...olicy_definition_es_Deploy-SQL-minTLS.json | 4 +- .../policy_definition_es_Deploy-Sql-Tde.json | 1 + ...icy_definition_es_Deploy-SqlMi-minTLS.json | 5 +- ...tion_es_Deploy-Storage-sslEnforcement.json | 4 +- ...nition_es_DenyAction-DeleteProtection.json | 37 ++++++++ ...enyAction-DeleteProtection.parameters.json | 8 ++ ..._set_definition_es_Deploy-MDFC-Config.json | 6 +- ...tion_es_Deploy-MDFC-Config.parameters.json | 2 +- ...efinition_es_Deploy-Private-DNS-Zones.json | 45 +++++++++- ...s_Deploy-Private-DNS-Zones.parameters.json | 28 +++++- .../generateddocs/privateDnsZones.bicep.md | 13 ++- .../privateDnsZones.parameters.all.json | 4 + .../privateDnsZones.parameters.min.json | 1 + .../privateDnsZones/privateDnsZones.bicep | 18 +++- .../samples/baseline.sample.bicep | 1 + .../bicep/modules/roleAssignments/README.md | 10 +-- .../subscriptionPlacement.bicep | 2 +- .../generateddocs/vwanConnectivity.bicep.md | 38 +++++++- .../mc-vwanConnectivity.parameters.all.json | 6 ++ .../mc-vwanConnectivity.parameters.min.json | 3 + .../vwanConnectivity.parameters.all.json | 10 +++ .../vwanConnectivity.parameters.min.json | 3 + .../samples/baseline.sample.bicep | 22 ++--- .../vwanConnectivity/vwanConnectivity.bicep | 28 ++++++ .../generateddocs/hubPeeredSpoke.bicep.md | 4 +- .../hubPeeredSpoke/hubPeeredSpoke.bicep | 2 +- .../generateddocs/mgDiagSettingsAll.bicep.md | 4 +- .../mgDiagSettingsAll/mgDiagSettingsAll.bicep | 2 +- .../generateddocs/subPlacementAll.bicep.md | 4 +- .../subPlacementAll/subPlacementAll.bicep | 2 +- docs/01-Overview.md | 24 ++--- docs/02-Architecture.md | 12 +-- docs/03-Deployment-Overview.md | 14 +-- docs/04-Repository-Setup.md | 10 +-- docs/05-Permissions-Tooling.md | 26 +++--- docs/06-Upgrade-Existing-SLZ-Preview.md | 30 +++---- docs/07-Deployment-Parameters.md | 26 +++--- ...Deploy-SLZ-Preview.md => 08-Deploy-SLZ.md} | 4 +- docs/09-Customize-Policies.md | 8 +- docs/10-Compliance-Dashboard.md | 16 
++-- docs/11-Conclusion.md | 8 +- docs/12-FAQ.md | 40 ++++----- docs/13-Troubleshooting.md | 34 +++---- docs/NOTICE.md | 3 + docs/PREVIEW.md | 3 - docs/scenarios/Custom-Policies.md | 12 +-- .../Expanding-SLZ-ManagementGroups.md | 10 ++- .../Extending-Compliance-Dashboard.md | 6 +- docs/scenarios/Landing-Zone-Vending.md | 14 +-- docs/scenarios/Piloting-SLZ.md | 14 +-- docs/scenarios/Pipeline-Deployments.md | 19 ++-- docs/scenarios/README.md | 18 ++-- docs/scenarios/Removing-Policy-Assignments.md | 16 ++-- ...overeignty-Baseline-Policy-Initiatives.md} | 10 ++- .../scenarios/Using-Existing-Subscriptions.md | 12 +-- docs/scenarios/Using-Policy-Portfolio.md | 8 +- modules/compliance/defaultCompliance.bicep | 3 + .../slzConfidentialDefaults.json | 3 + .../slzGlobalDefaults.json | 12 +++ orchestration/const/doNotRetryErrorCodes.json | 60 +++++++------ orchestration/dashboard/dashboard.bicep | 2 +- orchestration/scripts/Invoke-Helper.ps1 | 2 +- orchestration/scripts/New-Bootstrap.ps1 | 4 + .../scripts/New-SovereignLandingZone.ps1 | 5 -- .../sovereignLandingZone.parameters.json | 20 ++--- 99 files changed, 927 insertions(+), 341 deletions(-) create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_DenyAction-ActivityLogs.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_DenyAction-DiagnosticLogs.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_DenyAction-DeleteProtection.json create mode 100644 dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_DenyAction-DeleteProtection.parameters.json rename docs/{08-Deploy-SLZ-Preview.md => 08-Deploy-SLZ.md} (91%) create mode 100644 docs/NOTICE.md delete mode 100644 docs/PREVIEW.md rename docs/scenarios/{Sovereignty-Policy-Baseline.md => 
Sovereignty-Baseline-Policy-Initiatives.md} (76%) diff --git a/README.md b/README.md index e23a8ed..a0ff72b 100644 --- a/README.md +++ b/README.md @@ -1,8 +1,8 @@ -# Sovereign Landing Zone Preview +# Sovereign Landing Zone -The Sovereign Landing Zone (SLZ) Preview provides opinionated infrastructure-as-code automation for deploying workloads that help meet certain regulatory compliance requirements for the public sector and government agencies around the world. +The Sovereign Landing Zone (SLZ) is a [Microsoft Cloud for Sovereignty](https://microsoft.com/sovereignty) offering that provides opinionated infrastructure-as-code automation for deploying workloads to help meet regulatory compliance requirements for the public sector and government agencies around the world. -You can begin by navigating to the [Overview](/docs/01-Overview.md) document to begin. The documentation will cover the concepts around SLZ Preview, architecture, and deployment paths. Please reference [FAQ's](/docs/12-FAQ.md) for common questions and [Troubleshooting](/docs/13-Troubleshooting.md) for common issues. +You can begin by navigating to the [Overview](/docs/01-Overview.md) document. The documentation will cover the concepts around SLZ, architecture, and deployment paths. Please reference [FAQ's](/docs/12-FAQ.md) for common questions and [Troubleshooting](/docs/13-Troubleshooting.md) for common issues. ## Contributing 
@@ -35,6 +35,6 @@ trademarks or logos is subject to and must follow Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party's policies. -## Preview Notice +## Microsoft Legal Notice -**Preview Terms**. The Sovereign Landing Zone Preview (the "PREVIEW") is licensed to you as part of your [Azure subscription](https://azure.microsoft.com/en-us/support/legal/) and subject to terms applicable to "Previews" as detailed in the Universal License Terms for Online Services section of the Microsoft Product Terms and the [Microsoft Products and Services Data Protection Addendum ("DPA")](https://www.microsoft.com/licensing/terms/welcome/welcomepage). AS STATED IN THOSE TERMS, PREVIEWS ARE PROVIDED "AS-IS," "WITH ALL FAULTS," AND "AS AVAILABLE," AND ARE EXCLUDED FROM THE SERVICE LEVEL AGREEMENTS AND LIMITED WARRANTY. Previews may employ lesser or different privacy and security measures than those typically present in Azure Services. Unless otherwise noted, you should not use Previews to process Personal Data or other data that is subject to legal or regulatory compliance requirements. The following terms in the [DPA](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA) do not apply to Previews: Processing of Personal Data; GDPR, Data Security, and HIPAA Business Associate. We may change or discontinue Previews at any time without notice. We also may choose not to release a Preview into General Availability. +The **Sovereign Landing Zone** (1) is not designed, intended, or made available as legal services, (2) is not intended to substitute for professional legal counsel or judgment, and (3) should not be used in place of consulting with a qualified professional legal professional for your specific needs. 
Microsoft makes no warranty that the **Sovereign Landing Zone** is accurate, up-to-date, or complete. You are wholly responsible for ensuring your own compliance with all applicable laws and regulations. diff --git a/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/README.md b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/README.md index c288fa9..9340eaf 100644 --- a/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/README.md +++ b/dependencies/infra-as-code/bicep/modules/customRoleDefinitions/README.md @@ -9,7 +9,7 @@ Module supports the following custom roles: - [*ManagementGroupId] Network management (NetOps) - [*ManagementGroupId] Security operations (SecOps) -*The custom role names are prefixed with `[ManagementGroupId]` since custom roles scoped at Management Group level must be unique within the Azure AD tenant. This will alleviate any conflicts if you chose to deploy a [canary environment](https://aka.ms/alz/canary). +*The custom role names are prefixed with `[ManagementGroupId]` since custom roles scoped at Management Group level must be unique within the Microsoft Entra tenant. This will alleviate any conflicts if you chose to deploy a [canary environment](https://aka.ms/alz/canary). For example, if the `ManagementGroupId` = **alz**, then each role will have this prefix **[alz]** like `[alz] Subscription owner`. See the [example output deployment](#example-deployment-output) below. ## Parameters diff --git a/dependencies/infra-as-code/bicep/modules/hubNetworking/README.md b/dependencies/infra-as-code/bicep/modules/hubNetworking/README.md index da89c09..8cbc58f 100644 --- a/dependencies/infra-as-code/bicep/modules/hubNetworking/README.md +++ b/dependencies/infra-as-code/bicep/modules/hubNetworking/README.md 
@@ -35,6 +35,31 @@ Module deploys the following resources: > > See child module, [`privateDnsZones.bicep` docs](https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/modules/privateDnsZones#dns-zones) for more info on how this works +To configure P2S VPN connections edit the vpnClientConfiguration value in the `parVpnGatewayConfig` parameter. + +AAD Authentication Example: + +```bicep +"vpnClientConfiguration": { + "vpnClientAddressPool": { + "addressPrefixes": [ + "172.16.0.0/24" + ] + }, + "vpnClientProtocols": [ + "OpenVPN" + ], + "vpnAuthenticationTypes": [ + "AAD" + ], + "aadTenant": "https://login.microsoftonline.com/{AzureAD TenantID}", + "aadAudience": "41b23e61-6c1e-4545-b367-cd054e0ed4b4", + "aadIssuer": "https://sts.windows.net/{AzureAD TenantID}/" +} +``` + +Replace the values for `aadTenant`, `aadAudience`, and `aadIssuer` as documented [here](https://learn.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-tenant#enable-authentication) + ## Outputs The module will generate the following outputs: diff --git a/dependencies/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking.bicep.md b/dependencies/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking.bicep.md index 738a4cb..bab8c10 100644 --- a/dependencies/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking.bicep.md +++ b/dependencies/infra-as-code/bicep/modules/hubNetworking/generateddocs/hubNetworking.bicep.md 
@@ -26,16 +26,19 @@ parAzFirewallEnabled | No | Switch to enable/disable Azure Firewall deploy parAzFirewallName | No | Azure Firewall Name. parAzFirewallPoliciesName | No | Azure Firewall Policies Name. parAzFirewallTier | No | Azure Firewall Tier associated with the Firewall to deploy. +parAzFirewallIntelMode | No | The Azure Firewall Threat Intelligence Mode. If not set, the default value is Alert. parAzFirewallAvailabilityZones | No | Availability Zones to deploy the Azure Firewall across. Region must support Availability Zones to use. If it does not then leave empty. parAzErGatewayAvailabilityZones | No | Availability Zones to deploy the VPN/ER PIP across. Region must support Availability Zones to use. If it does not then leave empty. Ensure that you select a zonal SKU for the ER/VPN Gateway if using Availability Zones for the PIP. parAzVpnGatewayAvailabilityZones | No | Availability Zones to deploy the VPN/ER PIP across. Region must support Availability Zones to use. If it does not then leave empty. Ensure that you select a zonal SKU for the ER/VPN Gateway if using Availability Zones for the PIP. parAzFirewallDnsProxyEnabled | No | Switch to enable/disable Azure Firewall DNS Proxy. +parAzFirewallDnsServers | No | Array of custom DNS servers used by Azure Firewall parHubRouteTableName | No | Name of Route table to create for the default route of Hub. parDisableBgpRoutePropagation | No | Switch to enable/disable BGP Propagation on route table. parPrivateDnsZonesEnabled | No | Switch to enable/disable Private DNS Zones deployment. parPrivateDnsZonesResourceGroup | No | Resource Group Name for Private DNS Zones. parPrivateDnsZones | No | Array of DNS Zones to provision in Hub Virtual Network. Default: All known Azure Private DNS Zones parPrivateDnsZoneAutoMergeAzureBackupZone | No | Set Parameter to false to skip the addition of a Private DNS Zone for Azure Backup. 
+parVirtualNetworkIdToLinkFailover | No | Resource ID of Failover VNet for Private DNS Zone VNet Failover Links parVpnGatewayConfig | No | Configuration for VPN virtual network gateway to be deployed. If a VPN virtual network gateway is not desired an empty object should be used as the input parameter in the parameter file, i.e. "parVpnGatewayConfig": { "value": {} } parExpressRouteGatewayConfig | No | Configuration for ExpressRoute virtual network gateway to be deployed. If a ExpressRoute virtual network gateway is not desired an empty object should be used as the input parameter in the parameter file, i.e. "parExpressRouteGatewayConfig": { "value": {} } parTags | No | Tags you would like to be applied to all resources in this module. @@ -204,6 +207,16 @@ Azure Firewall Tier associated with the Firewall to deploy. - Allowed values: `Basic`, `Standard`, `Premium` +### parAzFirewallIntelMode + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +The Azure Firewall Threat Intelligence Mode. If not set, the default value is Alert. + +- Default value: `Alert` + +- Allowed values: `Alert`, `Deny`, `Off` + ### parAzFirewallAvailabilityZones ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) @@ -236,6 +249,12 @@ Switch to enable/disable Azure Firewall DNS Proxy. - Default value: `True` +### parAzFirewallDnsServers + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Array of custom DNS servers used by Azure Firewall + ### parHubRouteTableName ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) 
@@ -274,7 +293,7 @@ Resource Group Name for Private DNS Zones. Array of DNS Zones to provision in Hub Virtual Network. Default: All known Azure Private DNS Zones -- Default value: `[format('privatelink.{0}.azmk8s.io', toLower(parameters('parLocation')))] [format('privatelink.{0}.batch.azure.com', toLower(parameters('parLocation')))] [format('privatelink.{0}.kusto.windows.net', toLower(parameters('parLocation')))] privatelink.adf.azure.com privatelink.afs.azure.net privatelink.agentsvc.azure-automation.net privatelink.analysis.windows.net privatelink.api.azureml.ms privatelink.azconfig.io privatelink.azure-api.net privatelink.azure-automation.net privatelink.azurecr.io privatelink.azure-devices.net privatelink.azure-devices-provisioning.net privatelink.azurehdinsight.net privatelink.azurehealthcareapis.com privatelink.azurestaticapps.net privatelink.azuresynapse.net privatelink.azurewebsites.net privatelink.batch.azure.com privatelink.blob.core.windows.net privatelink.cassandra.cosmos.azure.com privatelink.cognitiveservices.azure.com privatelink.database.windows.net privatelink.datafactory.azure.net privatelink.dev.azuresynapse.net privatelink.dfs.core.windows.net privatelink.dicom.azurehealthcareapis.com privatelink.digitaltwins.azure.net privatelink.directline.botframework.com privatelink.documents.azure.com privatelink.eventgrid.azure.net privatelink.file.core.windows.net privatelink.gremlin.cosmos.azure.com privatelink.guestconfiguration.azure.com privatelink.his.arc.azure.com privatelink.kubernetesconfiguration.azure.com privatelink.managedhsm.azure.net privatelink.mariadb.database.azure.com privatelink.media.azure.net privatelink.mongo.cosmos.azure.com privatelink.monitor.azure.com privatelink.mysql.database.azure.com privatelink.notebooks.azure.net privatelink.ods.opinsights.azure.com privatelink.oms.opinsights.azure.com privatelink.pbidedicated.windows.net privatelink.postgres.database.azure.com privatelink.prod.migration.windowsazure.com 
privatelink.purview.azure.com privatelink.purviewstudio.azure.com privatelink.queue.core.windows.net privatelink.redis.cache.windows.net privatelink.redisenterprise.cache.azure.net privatelink.search.windows.net privatelink.service.signalr.net privatelink.servicebus.windows.net privatelink.siterecovery.windowsazure.com privatelink.sql.azuresynapse.net privatelink.table.core.windows.net privatelink.table.cosmos.azure.com privatelink.tip1.powerquery.microsoft.com privatelink.token.botframework.com privatelink.vaultcore.azure.net privatelink.web.core.windows.net privatelink.webpubsub.azure.com` +- Default value: `[format('privatelink.{0}.azmk8s.io', toLower(parameters('parLocation')))] [format('privatelink.{0}.batch.azure.com', toLower(parameters('parLocation')))] [format('privatelink.{0}.kusto.windows.net', toLower(parameters('parLocation')))] privatelink.adf.azure.com privatelink.afs.azure.net privatelink.agentsvc.azure-automation.net privatelink.analysis.windows.net privatelink.api.azureml.ms privatelink.azconfig.io privatelink.azure-api.net privatelink.azure-automation.net privatelink.azurecr.io privatelink.azure-devices.net privatelink.azure-devices-provisioning.net privatelink.azuredatabricks.net privatelink.azurehdinsight.net privatelink.azurehealthcareapis.com privatelink.azurestaticapps.net privatelink.azuresynapse.net privatelink.azurewebsites.net privatelink.batch.azure.com privatelink.blob.core.windows.net privatelink.cassandra.cosmos.azure.com privatelink.cognitiveservices.azure.com privatelink.database.windows.net privatelink.datafactory.azure.net privatelink.dev.azuresynapse.net privatelink.dfs.core.windows.net privatelink.dicom.azurehealthcareapis.com privatelink.digitaltwins.azure.net privatelink.directline.botframework.com privatelink.documents.azure.com privatelink.eventgrid.azure.net privatelink.file.core.windows.net privatelink.gremlin.cosmos.azure.com privatelink.guestconfiguration.azure.com privatelink.his.arc.azure.com 
privatelink.kubernetesconfiguration.azure.com privatelink.managedhsm.azure.net privatelink.mariadb.database.azure.com privatelink.media.azure.net privatelink.mongo.cosmos.azure.com privatelink.monitor.azure.com privatelink.mysql.database.azure.com privatelink.notebooks.azure.net privatelink.ods.opinsights.azure.com privatelink.oms.opinsights.azure.com privatelink.pbidedicated.windows.net privatelink.postgres.database.azure.com privatelink.prod.migration.windowsazure.com privatelink.purview.azure.com privatelink.purviewstudio.azure.com privatelink.queue.core.windows.net privatelink.redis.cache.windows.net privatelink.redisenterprise.cache.azure.net privatelink.search.windows.net privatelink.service.signalr.net privatelink.servicebus.windows.net privatelink.siterecovery.windowsazure.com privatelink.sql.azuresynapse.net privatelink.table.core.windows.net privatelink.table.cosmos.azure.com privatelink.tip1.powerquery.microsoft.com privatelink.token.botframework.com privatelink.vaultcore.azure.net privatelink.web.core.windows.net privatelink.webpubsub.azure.com` ### parPrivateDnsZoneAutoMergeAzureBackupZone @@ -284,6 +303,12 @@ Set Parameter to false to skip the addition of a Private DNS Zone for Azure Back - Default value: `True` +### parVirtualNetworkIdToLinkFailover + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Resource ID of Failover VNet for Private DNS Zone VNet Failover Links + ### parVpnGatewayConfig ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) 
@@ -293,7 +318,7 @@ Configuration for VPN virtual network gateway to be deployed. If a VPN virtual n "value": {} } -- Default value: `@{name=[format('{0}-Vpn-Gateway', parameters('parCompanyPrefix'))]; gatewayType=Vpn; sku=VpnGw1; vpnType=RouteBased; generation=Generation1; enableBgp=False; activeActive=False; enableBgpRouteTranslationForNat=False; enableDnsForwarding=False; bgpPeeringAddress=; bgpsettings=}` +- Default value: `@{name=[format('{0}-Vpn-Gateway', parameters('parCompanyPrefix'))]; gatewayType=Vpn; sku=VpnGw1; vpnType=RouteBased; generation=Generation1; enableBgp=False; activeActive=False; enableBgpRouteTranslationForNat=False; enableDnsForwarding=False; bgpPeeringAddress=; bgpsettings=; vpnClientConfiguration=}` ### parExpressRouteGatewayConfig @@ -437,6 +462,9 @@ outHubVirtualNetworkId | string | "parAzFirewallTier": { "value": "Standard" }, + "parAzFirewallIntelMode": { + "value": "Alert" + }, "parAzFirewallAvailabilityZones": { "value": [] }, @@ -449,6 +477,9 @@ outHubVirtualNetworkId | string | "parAzFirewallDnsProxyEnabled": { "value": true }, + "parAzFirewallDnsServers": { + "value": [] + }, "parHubRouteTableName": { "value": "[format('{0}-hub-routetable', parameters('parCompanyPrefix'))]" }, @@ -477,6 +508,7 @@ outHubVirtualNetworkId | string | "privatelink.azurecr.io", "privatelink.azure-devices.net", "privatelink.azure-devices-provisioning.net", + "privatelink.azuredatabricks.net", "privatelink.azurehdinsight.net", "privatelink.azurehealthcareapis.com", "privatelink.azurestaticapps.net", @@ -534,6 +566,9 @@ outHubVirtualNetworkId | string | "parPrivateDnsZoneAutoMergeAzureBackupZone": { "value": true }, + "parVirtualNetworkIdToLinkFailover": { + "value": "" + }, "parVpnGatewayConfig": { "value": { "name": "[format('{0}-Vpn-Gateway', parameters('parCompanyPrefix'))]", 
@@ -550,7 +585,8 @@ outHubVirtualNetworkId | string |
 "asn": 65515,
 "bgpPeeringAddress": "",
 "peerWeight": 5
- }
+ },
+ "vpnClientConfiguration": {}
 }
 },
 "parExpressRouteGatewayConfig": {
diff --git a/dependencies/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep b/dependencies/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep
index 4a62a4d..e6e10cb 100644
--- a/dependencies/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep
+++ b/dependencies/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep
@@ -99,6 +99,14 @@ param parAzFirewallPoliciesName string = '${parCompanyPrefix}-azfwpolicy-${parLo
 ])
 param parAzFirewallTier string = 'Standard'
+@sys.description('The Azure Firewall Threat Intelligence Mode. If not set, the default value is Alert.')
+@allowed([
+ 'Alert'
+ 'Deny'
+ 'Off'
+])
+param parAzFirewallIntelMode string = 'Alert'
+
 @allowed([
 '1'
 '2'
@@ -126,6 +134,9 @@ param parAzVpnGatewayAvailabilityZones array = []
 @sys.description('Switch to enable/disable Azure Firewall DNS Proxy.')
 param parAzFirewallDnsProxyEnabled bool = true
+@sys.description('Array of custom DNS servers used by Azure Firewall')
+param parAzFirewallDnsServers array = []
+
 @sys.description('Name of Route table to create for the default route of Hub.')
 param parHubRouteTableName string = '${parCompanyPrefix}-hub-routetable'
@@ -154,6 +165,7 @@ param parPrivateDnsZones array = [
 'privatelink.azurecr.io'
 'privatelink.azure-devices.net'
 'privatelink.azure-devices-provisioning.net'
+ 'privatelink.azuredatabricks.net'
 'privatelink.azurehdinsight.net'
 'privatelink.azurehealthcareapis.com'
 'privatelink.azurestaticapps.net'
@@ -211,6 +223,9 @@ param parPrivateDnsZones array = [
 @sys.description('Set Parameter to false to skip the addition of a Private DNS Zone for Azure Backup.')
 param parPrivateDnsZoneAutoMergeAzureBackupZone bool = true
+@sys.description('Resource ID of Failover VNet for Private DNS Zone VNet Failover Links')
+param parVirtualNetworkIdToLinkFailover string = ''
+
 //ASN must be 65515 if deploying VPN & ER for co-existence to work: https://docs.microsoft.com/en-us/azure/expressroute/expressroute-howto-coexist-resource-manager#limits-and-limitations
 @sys.description('''Configuration for VPN virtual network gateway to be deployed. If a VPN virtual network gateway is not desired an empty object should be used as the input parameter in the parameter file, i.e.
 "parVpnGatewayConfig": {
@@ -232,6 +247,7 @@ param parVpnGatewayConfig object = {
 bgpPeeringAddress: ''
 peerWeight: 5
 }
+ vpnClientConfiguration: {}
 }
 @sys.description('''Configuration for ExpressRoute virtual network gateway to be deployed. If a ExpressRoute virtual network gateway is not desired an empty object should be used as the input parameter in the parameter file, i.e.
@@ -555,7 +571,7 @@ module modGatewayPublicIp '../publicIp/publicIp.bicep' = [for (gateway, i) in va
 name: 'deploy-Gateway-Public-IP-${i}'
 params: {
 parLocation: parLocation
- parAvailabilityZones: gateway.gatewayType == 'ExpressRoute' ? parAzErGatewayAvailabilityZones : gateway.gatewayType == 'Vpn' ? parAzVpnGatewayAvailabilityZones : []
+ parAvailabilityZones: toLower(gateway.gatewayType) == 'expressroute' ? parAzErGatewayAvailabilityZones : toLower(gateway.gatewayType) == 'vpn' ? parAzVpnGatewayAvailabilityZones : []
 parPublicIpName: '${parPublicIpPrefix}${gateway.name}${parPublicIpSuffix}'
 parPublicIpProperties: {
 publicIpAddressVersion: 'IPv4'
@@ -581,12 +597,23 @@ resource resGateway 'Microsoft.Network/virtualNetworkGateways@2023-02-01' = [for
 enableDnsForwarding: gateway.enableDnsForwarding
 bgpSettings: (gateway.enableBgp) ? gateway.bgpSettings : null
 gatewayType: gateway.gatewayType
- vpnGatewayGeneration: (gateway.gatewayType == 'VPN') ? gateway.generation : 'None'
+ vpnGatewayGeneration: (toLower(gateway.gatewayType) == 'vpn') ? gateway.generation : 'None'
 vpnType: gateway.vpnType
 sku: {
 name: gateway.sku
 tier: gateway.sku
 }
+ vpnClientConfiguration: (toLower(gateway.gatewayType) == 'vpn') ? {
+ vpnClientAddressPool: contains(gateway.vpnClientConfiguration, 'vpnClientAddressPool') ? gateway.vpnClientConfiguration.vpnClientAddressPool : ''
+ vpnClientProtocols: contains(gateway.vpnClientConfiguration, 'vpnClientProtocols') ? gateway.vpnClientConfiguration.vpnClientProtocols : ''
+ vpnAuthenticationTypes: contains(gateway.vpnClientConfiguration, 'vpnAuthenticationTypes') ? gateway.vpnClientConfiguration.vpnAuthenticationTypes : ''
+ aadTenant: contains(gateway.vpnClientConfiguration, 'aadTenant') ? gateway.vpnClientConfiguration.aadTenant : ''
+ aadAudience: contains(gateway.vpnClientConfiguration, 'aadAudience') ? gateway.vpnClientConfiguration.aadAudience : ''
+ aadIssuer: contains(gateway.vpnClientConfiguration, 'aadIssuer') ? gateway.vpnClientConfiguration.aadIssuer : ''
+ vpnClientRootCertificates: contains(gateway.vpnClientConfiguration, 'vpnClientRootCertificates') ? gateway.vpnClientConfiguration.vpnClientRootCertificates : ''
+ radiusServerAddress: contains(gateway.vpnClientConfiguration, 'radiusServerAddress') ? gateway.vpnClientConfiguration.radiusServerAddress : ''
+ radiusServerSecret: contains(gateway.vpnClientConfiguration, 'radiusServerSecret') ? gateway.vpnClientConfiguration.radiusServerSecret : ''
+ } : null
 ipConfigurations: [
 {
 id: resHubVnet.id
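Review bot: Every `contains(...)` in the new `vpnClientConfiguration` block dereferences `gateway.vpnClientConfiguration` first, so a `parVpnGatewayConfig` object written before this release, with no `vpnClientConfiguration` key at all, now fails at deployment instead of keeping its previous behaviour; guarding the whole block, `vpnClientConfiguration: (toLower(gateway.gatewayType) == 'vpn' && contains(gateway, 'vpnClientConfiguration') && !empty(gateway.vpnClientConfiguration)) ? { … } : null`, also makes the shipped default `{}` produce `null` rather than an object whose every property is `''`. Those `''` fallbacks are the wrong type for `vpnClientAddressPool` (an object) and for `vpnClientProtocols`, `vpnAuthenticationTypes` and `vpnClientRootCertificates` (arrays); leaving absent keys out is safer than sending empty strings. `radiusServerSecret` is passed inside a plain `object` parameter that is not `@secure()`, so its value is presumably retained with the deployment's recorded inputs; a `@secure()` parameter or a Key Vault reference would keep it out of deployment history. The resGateway resource starts and ends outside the hunk.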
@@ -651,7 +678,6 @@ module modAzureFirewallMgmtPublicIp '../publicIp/publicIp.bicep' = if (parAzFire
 }
 resource resFirewallPolicies 'Microsoft.Network/firewallPolicies@2023-02-01' = if (parAzFirewallEnabled) {
- dependsOn:[resHubVnet, modAzureFirewallPublicIp, modAzureFirewallMgmtPublicIp]
 name: parAzFirewallPoliciesName
 location: parLocation
 tags: parTags
@@ -659,13 +685,16 @@ resource resFirewallPolicies 'Microsoft.Network/firewallPolicies@2023-02-01' = i
 sku: {
 tier: parAzFirewallTier
 }
+ threatIntelMode: 'Alert'
 } : {
 dnsSettings: {
 enableProxy: parAzFirewallDnsProxyEnabled
+ servers: parAzFirewallDnsServers
 }
 sku: {
 tier: parAzFirewallTier
 }
+ threatIntelMode: parAzFirewallIntelMode
 }
 }
@@ -762,6 +791,7 @@ module modPrivateDnsZones '../privateDnsZones/privateDnsZones.bicep' = if (parPr
 parLocation: parLocation
 parTags: parTags
 parVirtualNetworkIdToLink: resHubVnet.id
+ parVirtualNetworkIdToLinkFailover: parVirtualNetworkIdToLinkFailover
 parPrivateDnsZones: parPrivateDnsZones
 parPrivateDnsZoneAutoMergeAzureBackupZone: parPrivateDnsZoneAutoMergeAzureBackupZone
 parTelemetryOptOut: parTelemetryOptOut
diff --git a/dependencies/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.all.json b/dependencies/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.all.json
index 686de4b..2bad685 100644
--- a/dependencies/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.all.json
+++ b/dependencies/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.all.json
@@ -63,6 +63,9 @@
 "parAzBastionSku": {
 "value": "Standard"
 },
+ "parAzBastionTunneling": {
+ "value": false
+ },
 "parAzBastionNsgName": {
 "value": "nsg-AzureBastionSubnet"
 },
@@ -84,6 +87,9 @@
 "parAzFirewallTier": {
 "value": "Standard"
 },
+ "parAzFirewallIntelMode": {
+ "value": "Alert"
+ },
 "parAzFirewallAvailabilityZones": {
 "value": []
 },
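Review bot: In the first branch of the `properties` conditional of `resFirewallPolicies` (the one without `dnsSettings`, presumably the Basic tier) `threatIntelMode` is hard-coded to `'Alert'` while the second branch uses `parAzFirewallIntelMode`, so a caller who sets the new parameter to `Deny` or `Off` together with that tier silently gets `Alert`. If this is a deliberate SKU restriction, say so where the parameter is declared, e.g. `@sys.description('The Azure Firewall Threat Intelligence Mode. If not set, the default value is Alert. Ignored for the Basic tier, which always uses Alert.')`; otherwise use `threatIntelMode: parAzFirewallIntelMode` in both branches. The same applies to `servers: parAzFirewallDnsServers`, which is only wired into the second branch. The resource and the condition selecting the branch are outside the hunk.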
@@ -96,6 +102,9 @@
 "parAzFirewallDnsProxyEnabled": {
 "value": true
 },
+ "parAzFirewallDnsServers": {
+ "value": []
+ },
 "parHubRouteTableName": {
 "value": "alz-hub-routetable"
 },
@@ -122,6 +131,7 @@
 "privatelink.azurecr.io",
 "privatelink.azure-devices.net",
 "privatelink.azure-devices-provisioning.net",
+ "privatelink.azuredatabricks.net",
 "privatelink.azurehdinsight.net",
 "privatelink.azurehealthcareapis.com",
 "privatelink.azurestaticapps.net",
@@ -195,7 +205,8 @@
 "asn": "65515",
 "bgpPeeringAddress": "",
 "peerWeight": "5"
- }
+ },
+ "vpnClientConfiguration": {}
 }
 },
 "parExpressRouteGatewayConfig": {
diff --git a/dependencies/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.min.json b/dependencies/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.min.json
index d0ea43f..fcf5450 100644
--- a/dependencies/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.min.json
+++ b/dependencies/infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.min.json
@@ -54,6 +54,9 @@
 "parAzFirewallTier": {
 "value": "Standard"
 },
+ "parAzFirewallIntelMode": {
+ "value": "Alert"
+ },
 "parAzFirewallAvailabilityZones": {
 "value": []
 },
diff --git a/dependencies/infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.all.json b/dependencies/infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.all.json
index dd5b18b..0d0bd59 100644
--- a/dependencies/infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.all.json
+++ b/dependencies/infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.all.json
@@ -63,6 +63,9 @@
 "parAzBastionSku": {
 "value": "Standard"
 },
+ "parAzBastionTunneling": {
+ "value": false
+ },
 "parAzBastionNsgName": {
 "value": "nsg-AzureBastionSubnet"
 },
@@ -84,6 +87,9 @@
 "parAzFirewallTier": {
 "value": "Standard"
 },
+ "parAzFirewallIntelMode": {
+ "value": "Alert"
+ },
 "parAzFirewallAvailabilityZones": {
 "value": []
 },
@@ -96,6 +102,9 @@
 "parAzFirewallDnsProxyEnabled": {
 "value": true
 },
+ "parAzFirewallDnsServers": {
+ "value": []
+ },
 "parHubRouteTableName": {
 "value": "alz-hub-routetable"
 },
@@ -157,7 +166,8 @@
 "asn": "65515",
 "bgpPeeringAddress": "",
 "peerWeight": "5"
- }
+ },
+ "vpnClientConfiguration": {}
 }
 },
 "parExpressRouteGatewayConfig": {
diff --git a/dependencies/infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.min.json b/dependencies/infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.min.json
index c16d37a..fe76ea4 100644
--- a/dependencies/infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.min.json
+++ b/dependencies/infra-as-code/bicep/modules/hubNetworking/parameters/mc-hubNetworking.parameters.min.json
@@ -57,6 +57,9 @@
 "parAzFirewallTier": {
 "value": "Standard"
 },
+ "parAzFirewallIntelMode": {
+ "value": "Alert"
+ },
 "parAzFirewallAvailabilityZones": {
 "value": []
 },
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep b/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep
index 79c1ff9..1e445db 100644
--- a/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep
@@ -1,7 +1,7 @@
 metadata name = 'ALZ Bicep - ALZ Default Policy Assignments'
 metadata description = 'This module will assign the ALZ Default Policy Assignments to the ALZ Management Group hierarchy'
-@sys.description('Prefix for the management group hierarchy.')
+@sys.description('Prefix used for the management group hierarchy.')
 @minLength(2)
 @maxLength(10)
 param parTopLevelManagementGroupPrefix string = 'alz'
@@ -13,9 +13,12 @@ param parTopLevelManagementGroupSuffix string = ''
 @sys.description('Management, Identity and Connectivity Management Groups beneath Platform Management Group have been deployed. If set to false, platform policies are assigned to the Platform Management Group; otherwise policies are assigned to the child management groups.')
 param parPlatformMgAlzDefaultsEnable bool = true
-@sys.description('Corp & Online Management Groups beneath Landing Zones Management Groups have been deployed. If set to false, policies will not try to be assigned to corp or onlone Management Groups.')
+@sys.description('Corp & Online Management Groups beneath Landing Zones Management Groups have been deployed. If set to false, policies will not try to be assigned to corp or online Management Groups.')
 param parLandingZoneChildrenMgAlzDefaultsEnable bool = true
+@sys.description('Confidential Corp & Confidential Online Management Groups beneath Landing Zones Management Group have been deployed. If set to false, policies will not try to be assigned to Confidential Corp & Confidential Online Management Groups')
+param parLandingZoneMgConfidentialEnable bool = false
+
 @sys.description('The region where the Log Analytics Workspace & Automation Account are deployed.')
 param parLogAnalyticsWorkSpaceAndAutomationAccountLocation string = 'eastus'
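Review bot: The new `parLandingZoneMgConfidentialEnable` defaults to `false`, which changes behaviour for existing deployments: before this commit the corp-only assignments iterated over both entries of `varCorpManagementGroupIds` unconditionally, so an environment that already has a confidential-corp management group stops receiving Deny-Public-Endpoints, Deploy-Private-DNS-Zones, Deny-Public-IP-On-NIC, Deny-HybridNetworking and Audit-PeDnsZones there unless it opts in. That deserves a sentence in the description, which should also end with a period like its siblings, e.g. `... will not try to be assigned to Confidential Corp & Confidential Online Management Groups. Defaults to false; set to true to keep assigning the corp guard-rails to the confidential-corp group.` The description also promises Confidential Online handling, but the only consumer visible in this diff filters the corp list; if there is no online equivalent, the text should not claim one.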
@@ -96,6 +99,7 @@ var varModuleDeploymentNames = {
 modPolicyAssignmentIdentDenySubnetWithoutNsg: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denySubnetNoNSG-ident-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentIdentDeployVmBackup: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployVMBackup-ident-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentMgmtDeployLogAnalytics: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployLAW-mgmt-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentMgmtEnforceGrKeyVault: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceGrKeyVault-mgmt-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentLzsDenyIpForwarding: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyIPForward-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentLzsDenyMgmtPortsFromInternet: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyMgmtFromInet-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentLzsDenySubnetWithoutNsg: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denySubnetNoNSG-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
@@ -113,11 +117,16 @@ var varModuleDeploymentNames = {
 modPolicyAssignmentLzsDeploySqlTde: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deploySQLTde-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentLzsEnforceGrKeyVault: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceGrKeyVault-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentLzsAuditAppGwWaf: take('${varDeploymentNameWrappers.basePrefix}-polAssi-auditAppGwWaf-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
- modPolicyAssignmentLzsDenyPublicEndpoints: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPublicEndpoints-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 62)
- modPolicyAssignmentLzsDeployPrivateDnsZones: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployPrivateDNS-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 62)
- modPolicyAssignmentLzsCorpDenyPipOnNic: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPipOnNic-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 62)
- modPolicyAssignmentLzsCorpDenyHybridNet: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyHybridNet-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 62)
- modPolicyAssignmentLzsCorpAuditPeDnsZones: take('${varDeploymentNameWrappers.basePrefix}-polAssi-auditPeDnsZones-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 62)
+ modPolicyAssignmentLzsCorpDenyPublicEndpoints: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPublicEndpoints-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLzsConfidentialCorpDenyPublicEndpoints: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPublicEndpoints-confidential-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLzsCorpDeployPrivateDnsZones: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployPrivateDNS-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLzsConfidentialCorpDeployPrivateDnsZones: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployPrivateDNS-confidential-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLzsCorpDenyPipOnNic: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPipOnNic-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLzsConfidentialCorpDenyPipOnNic: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPipOnNic-confidential-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLzsCorpDenyHybridNet: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyHybridNet-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLzsConfidentialCorpDenyHybridNet: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyHybridNet-confidential-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLzsCorpAuditPeDnsZones: take('${varDeploymentNameWrappers.basePrefix}-polAssi-auditPeDnsZones-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+ modPolicyAssignmentLzsConfidentialCorpAuditPeDnsZones: take('${varDeploymentNameWrappers.basePrefix}-polAssi-auditPeDnsZones-confidential-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentDecommEnforceAlz: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceAlz-decomm-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 modPolicyAssignmentSandboxEnforceAlz: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceAlz-sbox-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
 }
@@ -323,6 +332,10 @@ var varRbacRoleDefinitionIds = {
 logAnalyticsContributor: '92aaf0da-9dab-42b6-94a3-d43ce8d16293'
 sqlSecurityManager: '056cd41c-7e88-42e1-933e-88ba6a50c9c3'
 vmContributor: '9980e02c-c2be-4d73-94e8-173b1dc7cf3c'
+ monitoringContributor: '749f88d5-cbae-40b8-bcfc-e573ddc772fa'
+ aksPolicyAddon: '18ed5180-3e48-46fd-8541-4ea054d57064'
+ sqlDbContributor: '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec'
+ backupContributor: '5e467623-bb1f-42f4-a55d-6e525e11384b'
 }
 // Management Groups Variables - Used For Policy Assignments
@@ -341,12 +354,13 @@ var varManagementGroupIds = {
 sandbox: '${parTopLevelManagementGroupPrefix}-sandbox${parTopLevelManagementGroupSuffix}'
 }
-// Corp Management Groups - Used For Policy Assignments Restricting Public IPs
 var varCorpManagementGroupIds = [
 varManagementGroupIds.landingZonesCorp
 varManagementGroupIds.landingZonesConfidentialCorp
 ]
+var varCorpManagementGroupIdsFiltered = parLandingZoneMgConfidentialEnable ? varCorpManagementGroupIds : filter(varCorpManagementGroupIds, mg => !contains(toLower(mg), 'confidential'))
+
 var varTopLevelManagementGroupResourceId = '/providers/Microsoft.Management/managementGroups/${varManagementGroupIds.intRoot}'
 // Deploy-Private-DNS-Zones Variables
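Review bot: `varCorpManagementGroupIdsFiltered` decides which management group is confidential by substring-matching 'confidential' in the lowercased id, and the `name:` selectors in the `@@ -1133`, `@@ -1149`, `@@ -1326`, `@@ -1342` and `@@ -1358` hunks repeat the test without `toLower`, so the two places can disagree on the same id and both break if `parTopLevelManagementGroupSuffix` (no length limit is visible on it, unlike the prefix's `@maxLength(10)`) contains that word, in which case the ordinary corp group is dropped from the list too and the guard-rail assignments silently go nowhere. The list is built from named members of `varManagementGroupIds`, so compare by identity instead: `filter(varCorpManagementGroupIds, mg => mg != varManagementGroupIds.landingZonesConfidentialCorp)` here and `mgScope == varManagementGroupIds.landingZonesConfidentialCorp ? ... : ...` in the five module names. The removed `// Corp Management Groups ...` comment should also be replaced by one on the new variable, e.g. `// Corp MGs that receive the corp-only guard-rail assignments; the confidential group is dropped unless parLandingZoneMgConfidentialEnable is set`.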
@@ -366,6 +380,7 @@ var varPrivateDnsZonesFinalResourceIds = {
 azureCosmosTablePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.table.cosmos.azure.com'
 azureDataFactoryPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.datafactory.azure.net'
 azureDataFactoryPortalPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.adf.azure.com'
+ azureDatabricksPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azuredatabricks.net'
 azureHDInsightPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.azurehdinsight.net'
 azureMigratePrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.prod.migration.windowsazure.com'
 azureStorageBlobPrivateDnsZoneId: '${varPrivateDnsZonesBaseResourceId}privatelink.blob.core.windows.net'
@@ -492,7 +507,8 @@ module modPolicyAssignmentIntRootDeployAzActivityLog '../../../policy/assignment
 }
 parPolicyAssignmentIdentityType: varPolicyAssignmentDeployAzActivityLog.libDefinition.identity.type
 parPolicyAssignmentIdentityRoleDefinitionIds: [
- varRbacRoleDefinitionIds.owner
+ varRbacRoleDefinitionIds.logAnalyticsContributor
+ varRbacRoleDefinitionIds.monitoringContributor
 ]
 parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployAzActivityLog.libDefinition.properties.enforcementMode
 parTelemetryOptOut: parTelemetryOptOut
@@ -533,7 +549,8 @@ module modPolicyAssignmentIntRootDeployResourceDiag '../../../policy/assignments
 parPolicyAssignmentIdentityType: varPolicyAssignmentDeployResourceDiag.libDefinition.identity.type
 parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployResourceDiag.libDefinition.properties.enforcementMode
 parPolicyAssignmentIdentityRoleDefinitionIds: [
- varRbacRoleDefinitionIds.owner
+ varRbacRoleDefinitionIds.logAnalyticsContributor
+ varRbacRoleDefinitionIds.monitoringContributor
 ]
 parTelemetryOptOut: parTelemetryOptOut
 }
@@ -557,7 +574,7 @@ module modPolicyAssignmentIntRootDeployVmMonitoring '../../../policy/assignments
 parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMMonitoring.libDefinition.identity.type
 parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployVMMonitoring.libDefinition.properties.enforcementMode
 parPolicyAssignmentIdentityRoleDefinitionIds: [
- varRbacRoleDefinitionIds.owner
+ varRbacRoleDefinitionIds.logAnalyticsContributor
 ]
 parTelemetryOptOut: parTelemetryOptOut
 }
@@ -581,7 +598,7 @@ module modPolicyAssignmentIntRootDeployVmssMonitoring '../../../policy/assignmen
 parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMSSMonitoring.libDefinition.identity.type
 parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployVMSSMonitoring.libDefinition.properties.enforcementMode
 parPolicyAssignmentIdentityRoleDefinitionIds: [
- varRbacRoleDefinitionIds.owner
+ varRbacRoleDefinitionIds.logAnalyticsContributor
 ]
 parTelemetryOptOut: parTelemetryOptOut
 }
@@ -788,7 +805,8 @@ module modPolicyAssignmentIdentDeployVmBackup '../../../policy/assignments/polic
 parPolicyAssignmentIdentityType: varPolicyAssignmentDeployVMBackup.libDefinition.identity.type
 parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployVMBackup.libDefinition.properties.enforcementMode
 parPolicyAssignmentIdentityRoleDefinitionIds: [
- varRbacRoleDefinitionIds.owner
+ varRbacRoleDefinitionIds.backupContributor
+ varRbacRoleDefinitionIds.vmContributor
 ]
 parTelemetryOptOut: parTelemetryOptOut
 }
@@ -828,12 +846,28 @@ module modPolicyAssignmentMgmtDeployLogAnalytics '../../../policy/assignments/po
 parPolicyAssignmentIdentityType: varPolicyAssignmentDeployLogAnalytics.libDefinition.identity.type
 parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployLogAnalytics.libDefinition.properties.enforcementMode
 parPolicyAssignmentIdentityRoleDefinitionIds: [
- varRbacRoleDefinitionIds.owner
+ varRbacRoleDefinitionIds.contributor
 ]
 parTelemetryOptOut: parTelemetryOptOut
 }
 }
+// Module - Policy Assignment - Enforce-GR-KeyVault
+module modPolicyAssignmentMgmtEnforceGrKeyVault '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnforceGRKeyVault.libDefinition.name)) {
+ scope: managementGroup(varManagementGroupIds.platformManagement)
+ name: varModuleDeploymentNames.modPolicyAssignmentMgmtEnforceGrKeyVault
+ params: {
+ parPolicyAssignmentDefinitionId: varPolicyAssignmentEnforceGRKeyVault.definitionId
+ parPolicyAssignmentName: varPolicyAssignmentEnforceGRKeyVault.libDefinition.name
+ parPolicyAssignmentDisplayName: varPolicyAssignmentEnforceGRKeyVault.libDefinition.properties.displayName
+ parPolicyAssignmentDescription: varPolicyAssignmentEnforceGRKeyVault.libDefinition.properties.description
+ parPolicyAssignmentParameters: varPolicyAssignmentEnforceGRKeyVault.libDefinition.properties.parameters
+ parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceGRKeyVault.libDefinition.identity.type
+ parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentEnforceGRKeyVault.libDefinition.properties.enforcementMode
+ parTelemetryOptOut: parTelemetryOptOut
+ }
+}
+
 // Modules - Policy Assignments - Landing Zones Management Group
 // Module - Policy Assignment - Deny-IP-Forwarding
 module modPolicyAssignmentLzsDenyIpForwarding '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyIPForwarding.libDefinition.name)) {
@@ -964,6 +998,7 @@ module modPolicyAssignmentLzsDeployAksPolicy '../../../policy/assignments/policy
 parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeployAKSPolicy.libDefinition.properties.enforcementMode
 parPolicyAssignmentIdentityRoleDefinitionIds: [
 varRbacRoleDefinitionIds.aksContributor
+ varRbacRoleDefinitionIds.aksPolicyAddon
 ]
 parTelemetryOptOut: parTelemetryOptOut
 }
@@ -1093,7 +1128,7 @@ module modPolicyAssignmentLzsDeploySqlTde '../../../policy/assignments/policyAss
 parPolicyAssignmentIdentityType: varPolicyAssignmentDeploySQLTDE.libDefinition.identity.type
 parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentDeploySQLTDE.libDefinition.properties.enforcementMode
 parPolicyAssignmentIdentityRoleDefinitionIds: [
- varRbacRoleDefinitionIds.sqlSecurityManager
+ varRbacRoleDefinitionIds.sqlDbContributor
 ]
 parTelemetryOptOut: parTelemetryOptOut
 }
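Review bot: `modPolicyAssignmentMgmtEnforceGrKeyVault` in the `@@ -828,12 +846,28 @@` hunk is scoped to `varManagementGroup·Ids.platformManagement` unconditionally, yet `parPlatformMgAlzDefaultsEnable` (documented in this same commit as "If set to false, platform policies are assigned to the Platform Management Group") does not appear in its condition; if the neighbouring Mgmt assignments honour that flag — their conditions lie outside the hunk, so I cannot confirm it — this one would presumably try to deploy to a child management group that does not exist when the flag is false. The sibling `modPolicyAssignmentMgmtDeployLogAnalytics`, whose closing lines open the hunk, is the pattern to copy, including how it chooses its scope. A short comment above the module saying why Enforce-GR-KeyVault is assigned at the platform-management group in addition to the landing-zones scope (`modPolicyAssignmentLzsEnforceGrKeyVault` already exists in the deployment-name map) would also help the next reader.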
@@ -1133,9 +1168,9 @@ module modPolicyAssignmentLzsAuditAppGwWaf '../../../policy/assignments/policyAs
 // Modules - Policy Assignments - Corp Management Group
 // Module - Policy Assignment - Deny-Public-Endpoints
-module modPolicyAssignmentLzsDenyPublicEndpoints '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = [for (mgScope, index) in varCorpManagementGroupIds: if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyPublicEndpoints.libDefinition.name) && parLandingZoneChildrenMgAlzDefaultsEnable) {
+module modPolicyAssignmentLzsDenyPublicEndpoints '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = [for mgScope in varCorpManagementGroupIdsFiltered: if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyPublicEndpoints.libDefinition.name) && parLandingZoneChildrenMgAlzDefaultsEnable) {
 scope: managementGroup(mgScope)
- name: '${varModuleDeploymentNames.modPolicyAssignmentLzsDenyPublicEndpoints}${index}'
+ name: contains(mgScope, 'confidential') ? varModuleDeploymentNames.modPolicyAssignmentLzsConfidentialCorpDenyPublicEndpoints : varModuleDeploymentNames.modPolicyAssignmentLzsCorpDenyPublicEndpoints
 params: {
 parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyPublicEndpoints.definitionId
 parPolicyAssignmentName: varPolicyAssignmentDenyPublicEndpoints.libDefinition.name
@@ -1149,9 +1184,9 @@ module modPolicyAssignmentLzsDenyPublicEndpoints '../../../policy/assignments/po
 }]
 // Module - Policy Assignment - Deploy-Private-DNS-Zones
-module modPolicyAssignmentConnDeployPrivateDnsZones '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = [for (mgScope, index) in varCorpManagementGroupIds: if ((!empty(varPrivateDnsZonesResourceGroupSubscriptionId)) && (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployPrivateDNSZones.libDefinition.name)) && parLandingZoneChildrenMgAlzDefaultsEnable) {
+module modPolicyAssignmentConnDeployPrivateDnsZones '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = [for mgScope in varCorpManagementGroupIdsFiltered: if ((!empty(varPrivateDnsZonesResourceGroupSubscriptionId)) && (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployPrivateDNSZones.libDefinition.name)) && parLandingZoneChildrenMgAlzDefaultsEnable) {
 scope: managementGroup(mgScope)
- name: '${varModuleDeploymentNames.modPolicyAssignmentLzsDeployPrivateDnsZones}${index}'
+ name: contains(mgScope, 'confidential') ? varModuleDeploymentNames.modPolicyAssignmentLzsConfidentialCorpDeployPrivateDnsZones : varModuleDeploymentNames.modPolicyAssignmentLzsCorpDeployPrivateDnsZones
 params: {
 parPolicyAssignmentDefinitionId: varPolicyAssignmentDeployPrivateDNSZones.definitionId
 parPolicyAssignmentName: varPolicyAssignmentDeployPrivateDNSZones.libDefinition.name
@@ -1189,6 +1224,9 @@ module modPolicyAssignmentConnDeployPrivateDnsZones '../../../policy/assignments
 azureDataFactoryPortalPrivateDnsZoneId: {
 value: varPrivateDnsZonesFinalResourceIds.azureDataFactoryPortalPrivateDnsZoneId
 }
+ azureDatabricksPrivateDnsZoneId: {
+ value: varPrivateDnsZonesFinalResourceIds.azureDatabricksPrivateDnsZoneId
+ }
 azureHDInsightPrivateDnsZoneId: {
 value: varPrivateDnsZonesFinalResourceIds.azureHDInsightPrivateDnsZoneId
 }
@@ -1326,9 +1364,9 @@ module modPolicyAssignmentConnDeployPrivateDnsZones '../../../policy/assignments
 }]
 // Module - Policy Assignment - Deny-Public-IP-On-NIC
-module modPolicyAssignmentLzsCorpDenyPipOnNic '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = [for (mgScope, index) in varCorpManagementGroupIds: if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyPublicIPOnNIC.libDefinition.name) && parLandingZoneChildrenMgAlzDefaultsEnable) {
+module modPolicyAssignmentLzsCorpDenyPipOnNic '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = [for mgScope in varCorpManagementGroupIdsFiltered: if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyPublicIPOnNIC.libDefinition.name) && parLandingZoneChildrenMgAlzDefaultsEnable) {
 scope: managementGroup(mgScope)
- name: '${varModuleDeploymentNames.modPolicyAssignmentLzsCorpDenyPipOnNic}${index}'
+ name: contains(mgScope, 'confidential') ? varModuleDeploymentNames.modPolicyAssignmentLzsConfidentialCorpDenyPipOnNic : varModuleDeploymentNames.modPolicyAssignmentLzsCorpDenyPipOnNic
 params: {
 parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyPublicIPOnNIC.definitionId
 parPolicyAssignmentName: varPolicyAssignmentDenyPublicIPOnNIC.libDefinition.name
@@ -1342,9 +1380,9 @@ module modPolicyAssignmentLzsCorpDenyPipOnNic '../../../policy/assignments/polic
 }]
 // Module - Policy Assignment - Deny-HybridNetworking
-module modPolicyAssignmentLzsCorpDenyHybridNet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = [for (mgScope, index) in varCorpManagementGroupIds: if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyHybridNetworking.libDefinition.name) && parLandingZoneChildrenMgAlzDefaultsEnable) {
+module modPolicyAssignmentLzsCorpDenyHybridNet '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = [for mgScope in varCorpManagementGroupIdsFiltered: if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDenyHybridNetworking.libDefinition.name) && parLandingZoneChildrenMgAlzDefaultsEnable) {
 scope: managementGroup(mgScope)
- name: '${varModuleDeploymentNames.modPolicyAssignmentLzsCorpDenyHybridNet}${index}'
+ name: contains(mgScope, 'confidential') ? varModuleDeploymentNames.modPolicyAssignmentLzsConfidentialCorpDenyHybridNet : varModuleDeploymentNames.modPolicyAssignmentLzsCorpDenyHybridNet
 params: {
 parPolicyAssignmentDefinitionId: varPolicyAssignmentDenyHybridNetworking.definitionId
 parPolicyAssignmentName: varPolicyAssignmentDenyHybridNetworking.libDefinition.name
@@ -1358,9 +1396,9 @@ module modPolicyAssignmentLzsCorpDenyHybridNet '../../../policy/assignments/poli
 }]
 // Module - Policy Assignment - Audit-PeDnsZones
-module modPolicyAssignmentLzsCorpAuditPeDnsZones '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = [for (mgScope, index) in varCorpManagementGroupIds: if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentAuditPeDnsZones.libDefinition.name) && parLandingZoneChildrenMgAlzDefaultsEnable) {
+module modPolicyAssignmentLzsCorpAuditPeDnsZones '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = [for mgScope in varCorpManagementGroupIdsFiltered: if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentAuditPeDnsZones.libDefinition.name) && parLandingZoneChildrenMgAlzDefaultsEnable) {
 scope: managementGroup(mgScope)
- name: '${varModuleDeploymentNames.modPolicyAssignmentLzsCorpAuditPeDnsZones}${index}'
+ name: contains(mgScope, 'confidential') ? varModuleDeploymentNames.modPolicyAssignmentLzsConfidentialCorpAuditPeDnsZones : varModuleDeploymentNames.modPolicyAssignmentLzsCorpAuditPeDnsZones
 params: {
 parPolicyAssignmentDefinitionId: varPolicyAssignmentAuditPeDnsZones.definitionId
 parPolicyAssignmentName: varPolicyAssignmentAuditPeDnsZones.libDefinition.name
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md b/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md
index 5cae91a..81f9c5f 100644
--- a/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md
@@ -6,10 +6,11 @@ This module will assign the ALZ Default Policy Assignments to the ALZ Management
 Parameter name | Required | Description
 -------------- | -------- | -----------
-parTopLevelManagementGroupPrefix | No | Prefix for the management group hierarchy.
+parTopLevelManagementGroupPrefix | No | Prefix used for the management group hierarchy.
 parTopLevelManagementGroupSuffix | No | Optional suffix for the management group hierarchy. This suffix will be appended to management group names/IDs. Include a preceding dash if required. Example: -suffix
 parPlatformMgAlzDefaultsEnable | No | Management, Identity and Connectivity Management Groups beneath Platform Management Group have been deployed. If set to false, platform policies are assigned to the Platform Management Group; otherwise policies are assigned to the child management groups.
-parLandingZoneChildrenMgAlzDefaultsEnable | No | Corp & Online Management Groups beneath Landing Zones Management Groups have been deployed. If set to false, policies will not try to be assigned to corp or onlone Management Groups.
+parLandingZoneChildrenMgAlzDefaultsEnable | No | Corp & Online Management Groups beneath Landing Zones Management Groups have been deployed. If set to false, policies will not try to be assigned to corp or online Management Groups.
+parLandingZoneMgConfidentialEnable | No | Confidential Corp & Confidential Online Management Groups beneath Landing Zones Management Group have been deployed. If set to false, policies will not try to be assigned to Confidential Corp & Confidential Online Management Groups
 parLogAnalyticsWorkSpaceAndAutomationAccountLocation | No | The region where the Log Analytics Workspace & Automation Account are deployed.
 parLogAnalyticsWorkspaceResourceId | No | Log Analytics Workspace Resource ID.
 parLogAnalyticsWorkspaceLogRetentionInDays | No | Number of days of log retention for Log Analytics Workspace.
@@ -28,7 +29,7 @@ parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment t
 ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
-Prefix for the management group hierarchy.
+Prefix used for the management group hierarchy.
 - Default value: `alz`
@@ -50,10 +51,18 @@ Management, Identity and Connectivity Management Groups beneath Platform Managem
 ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
-Corp & Online Management Groups beneath Landing Zones Management Groups have been deployed. If set to false, policies will not try to be assigned to corp or onlone Management Groups.
+Corp & Online Management Groups beneath Landing Zones Management Groups have been deployed. If set to false, policies will not try to be assigned to corp or online Management Groups.
 - Default value: `True`
+### parLandingZoneMgConfidentialEnable
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Confidential Corp & Confidential Online Management Groups beneath Landing Zones Management Group have been deployed. If set to false, policies will not try to be assigned to Confidential Corp & Confidential Online Management Groups
+
+- Default value: `False`
+
 ### parLogAnalyticsWorkSpaceAndAutomationAccountLocation
 ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
@@ -168,6 +177,9 @@ Set Parameter to true to Opt-out of deployment telemetry
 "parLandingZoneChildrenMgAlzDefaultsEnable": {
 "value": true
 },
+ "parLandingZoneMgConfidentialEnable": {
+ "value": false
+ },
 "parLogAnalyticsWorkSpaceAndAutomationAccountLocation": {
 "value": "eastus"
 },
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/mc-alzDefaultPolicyAssignments.bicep.md b/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/mc-alzDefaultPolicyAssignments.bicep.md
index 4787208..5e4d46f 100644
--- a/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/mc-alzDefaultPolicyAssignments.bicep.md
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/mc-alzDefaultPolicyAssignments.bicep.md
@@ -6,7 +6,7 @@ This policy assignment will assign the ALZ Default Policy to management groups
 Parameter name | Required | Description
 -------------- | -------- | -----------
-parTopLevelManagementGroupPrefix | No | Prefix for the management group hierarchy.
+parTopLevelManagementGroupPrefix | No | Prefix used for the management group hierarchy.
 parTopLevelManagementGroupSuffix | No | Optional suffix for the management group hierarchy. This suffix will be appended to management group names/IDs. Include a preceding dash if required. Example: -suffix
 parLogAnalyticsWorkSpaceAndAutomationAccountLocation | No | The region where the Log Analytics Workspace & Automation Account are deployed.
 parLogAnalyticsWorkspaceResourceID | No | Log Analytics Workspace Resource ID.
@@ -21,7 +21,7 @@ parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment t
 ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
-Prefix for the management group hierarchy.
+Prefix used for the management group hierarchy.
 - Default value: `alz`
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/mc-alzDefaultPolicyAssignments.bicep b/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/mc-alzDefaultPolicyAssignments.bicep
index 41404cf..0c75e7a 100644
--- a/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/mc-alzDefaultPolicyAssignments.bicep
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/mc-alzDefaultPolicyAssignments.bicep
@@ -1,7 +1,7 @@
 metadata name = 'ALZ Bicep - ALZ Default Policy Assignments'
 metadata description = 'This policy assignment will assign the ALZ Default Policy to management groups'
-@sys.description('Prefix for the management group hierarchy.')
+@sys.description('Prefix used for the management group hierarchy.')
 @minLength(2)
 @maxLength(10)
 param parTopLevelManagementGroupPrefix string = 'alz'
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json
index d5b4e7e..29a786e 100644
--- a/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json
@@ -8,6 +8,15 @@
 "parTopLevelManagementGroupSuffix": {
 "value": ""
 },
+ "parPlatformMgAlzDefaultsEnable": {
+ "value": true
+ },
+ "parLandingZoneChildrenMgAlzDefaultsEnable": {
+ "value": true
+ },
+ "parLandingZoneMgConfidentialEnable": {
+ "value": false
+ },
 "parLogAnalyticsWorkSpaceAndAutomationAccountLocation": {
 "value": "eastus"
 },
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_audit_pednszones.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_audit_pednszones.tmpl.json
index b7b2c60..cbb6019 100644
--- a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_audit_pednszones.tmpl.json
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_audit_pednszones.tmpl.json
@@ -20,6 +20,7 @@
 "privatelink.azurecr.io",
 "privatelink.azure-devices.net",
 "privatelink.azure-devices-provisioning.net",
+ "privatelink.azuredatabricks.net",
 "privatelink.azurehdinsight.net",
 "privatelink.azurehealthcareapis.com",
 "privatelink.azurestaticapps.net",
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_sku.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_sku.tmpl.json
index 47c94a0..51efaeb 100644
--- a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_sku.tmpl.json
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_sku.tmpl.json
@@ -3,7 +3,7 @@
 "type": "Microsoft.Authorization/policyAssignments",
 "apiVersion": "2019-09-01",
 "properties": {
- "description": "Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for AAD.",
+ "description": "Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for Microsoft Entra ID.",
 "displayName": "Enforces the use of Premium Databricks workspaces",
 "notScopes": [],
 "parameters": {
diff --git a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json
index 930f9b4..63a0cd4 100644
--- a/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json
+++ b/dependencies/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deploy_private_dns_zones.tmpl.json
@@ -43,6 +43,9 @@
 "azureDataFactoryPortalPrivateDnsZoneId": {
 "value": "${varPrivateDnsZonesFinalResourceIds}.azureDataFactoryPortalPrivateDnsZoneId]"
 },
+ "azureDatabricksPrivateDnsZoneId": {
+ "value": "${varPrivateDnsZonesFinalResourceIds}.azureDatabricksPrivateDnsZoneId]"
+ },
 "azureHDInsightPrivateDnsZoneId": {
 "value": "${varPrivateDnsZonesFinalResourceIds}.azureHDInsightPrivateDnsZoneId]"
 },
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep b/dependencies/infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep
index 038513e..27e51d8 100644
--- a/dependencies/infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep
@@ -217,6 +217,14 @@ var varCustomPolicyDefinitionsArray = [
 name: 'Deny-VNet-Peering'
 libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deny-VNet-Peering.json')
 }
+ {
+ name: 'DenyAction-ActivityLogs'
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_DenyAction-ActivityLogs.json')
+ }
+ {
+ name: 'DenyAction-DiagnosticLogs'
+ libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_DenyAction-DiagnosticLogs.json')
+ }
 {
 name: 'Deploy-ASC-SecurityContacts'
 libDefinition: loadJsonContent('lib/policy_definitions/policy_definition_es_Deploy-ASC-SecurityContacts.json')
@@ -669,6 +677,24 @@ var varCustomPolicySetDefinitionsArray = [
 }
 ]
 }
+ {
+ name: 'DenyAction-DeleteProtection'
+ libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_DenyAction-DeleteProtection.json')
+ libSetChildDefinitions: [
+ {
+ definitionReferenceId: 'DenyActionDelete-ActivityLogSettings'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/DenyAction-ActivityLogs'
+ definitionParameters: varPolicySetDefinitionEsDenyActionDeleteProtectionParameters['DenyActionDelete-ActivityLogSettings'].parameters
+ definitionGroups: []
+ }
+ {
+ definitionReferenceId: 'DenyActionDelete-DiagnosticSettings'
+ definitionId: '${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/DenyAction-DiagnosticLogs'
+ definitionParameters: varPolicySetDefinitionEsDenyActionDeleteProtectionParameters['DenyActionDelete-DiagnosticSettings'].parameters
+ definitionGroups: []
+ }
+ ]
+ }
 {
 name: 'Deploy-Diagnostics-LogAnalytics'
 libSetDefinition: loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-Diagnostics-LogAnalytics.json')
@@ -1184,9 +1210,9 @@ var varCustomPolicySetDefinitionsArray = [
 definitionGroups: []
 }
 {
- definitionReferenceId: 'defenderForStorageAccounts'
- definitionId: '/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3'
- definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForStorageAccounts.parameters
+ definitionReferenceId: 'defenderForStorageAccountsV2'
+ definitionId: '/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390'
+ definitionParameters: varPolicySetDefinitionEsDeployMDFCConfigParameters.defenderForStorageAccountsV2.parameters
 definitionGroups: []
 }
 {
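Review bot: Renaming the reference from `defenderForStorageAccounts` to `defenderForStorageAccountsV2` in the `@@ -1184` hunk (and in the set definition and its parameters file further down) changes a `policyDefinitionReferenceId`, which is the key that exemptions, overrides and non-compliance messages attach to; anything keyed on the old id silently stops matching after this release, so it deserves an explicit call-out next to the 5.0.1→6.0.1 bump. As far as I recall, the new built-in `cfdc5972-…` also exposes parameters beyond `effect` (on-upload malware scanning, sensitive-data discovery), and the parameters file only passes `effect`, so those run at the built-in defaults — worth either surfacing them as initiative parameters or documenting that the defaults are intentional. The enclosing `varCustomPolicySetDefinitionsArray` starts and ends outside both hunks.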
@@ -1291,6 +1317,18 @@ var varCustomPolicySetDefinitionsArray = [ definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Cosmos-Table'].parameters definitionGroups: [] } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-Databrics-Browser-AuthN' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Databrics-Browser-AuthN'].parameters + definitionGroups: [] + } + { + definitionReferenceId: 'DINE-Private-DNS-Azure-Databrics-UI-Api' + definitionId: '/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c' + definitionParameters: varPolicySetDefinitionEsDeployPrivateDNSZonesParameters['DINE-Private-DNS-Azure-Databrics-UI-Api'].parameters + definitionGroups: [] + } { definitionReferenceId: 'DINE-Private-DNS-Azure-DataFactory' definitionId: '/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4' @@ -1889,6 +1927,8 @@ var varPolicySetDefinitionEsAuditUnusedResourcesCostOptimizationParameters = loa var varPolicySetDefinitionEsDenyPublicPaaSEndpointsParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deny-PublicPaaSEndpoints.parameters.json') +var varPolicySetDefinitionEsDenyActionDeleteProtectionParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_DenyAction-DeleteProtection.parameters.json') + var varPolicySetDefinitionEsDeployDiagnosticsLogAnalyticsParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-Diagnostics-LogAnalytics.parameters.json') var varPolicySetDefinitionEsDeployMDFCConfigParameters = loadJsonContent('lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config.parameters.json') 
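Review bot: `DINE-Private-DNS-Azure-Databrics-Browser-AuthN` and `DINE-Private-DNS-Azure-Databrics-UI-Api` misspell Databricks, and since a `definitionReferenceId` becomes a stable key (the storage V1→V2 rename elsewhere in this commit shows how disruptive changing one later is) it is worth fixing before 1.0.0 ships: `definitionReferenceId: 'DINE-Private-DNS-Azure-Databricks-Browser-AuthN'` and `definitionReferenceId: 'DINE-Private-DNS-Azure-Databricks-UI-Api'`, with the matching keys renamed in the parameters JSON. Both entries point at the same built-in (`0eddd7f3-…`), so they are presumably distinguished only by a group-id style parameter in the parameters file, which is not in this diff; a one-line comment on the first entry saying so would save the next reader the lookup. The enclosing array starts and ends outside the hunk.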
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Databricks-Sku.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Databricks-Sku.json index 8e404a8..6174112 100644 --- a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Databricks-Sku.json +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Databricks-Sku.json @@ -7,7 +7,7 @@ "policyType": "Custom", "mode": "Indexed", "displayName": "Deny non-premium Databricks sku", - "description": "Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for AAD.", + "description": "Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for Microsoft Entra ID.", "metadata": { "version": "1.0.0", "category": "Databricks", @@ -49,4 +49,4 @@ } } } -} \ No newline at end of file +} diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-PrivateLinkDnsZones.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-PrivateLinkDnsZones.json index 21e247a..b23924b 100644 --- a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-PrivateLinkDnsZones.json +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Audit-PrivateLinkDnsZones.json 
@@ -9,7 +9,7 @@ "displayName": "Audit the creation of Private Link Private DNS Zones", "description": "This policy audits the creation of a Private Link Private DNS Zones in the current scope, used in combination with policies that create centralized private DNS in connectivity subscription", "metadata": { - "version": "1.0.0", + "version": "1.0.1", "category": "Network", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -50,6 +50,7 @@ "privatelink.azurecr.io", "privatelink.azure-devices.net", "privatelink.azure-devices-provisioning.net", + "privatelink.azuredatabricks.net", "privatelink.azurehdinsight.net", "privatelink.azurehealthcareapis.com", "privatelink.azurestaticapps.net", diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Databricks-Sku.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Databricks-Sku.json index 8e404a8..96a39f6 100644 --- a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Databricks-Sku.json +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Databricks-Sku.json @@ -7,7 +7,7 @@ "policyType": "Custom", "mode": "Indexed", "displayName": "Deny non-premium Databricks sku", - "description": "Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for AAD.", + "description": "Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for Microsoft Entra ID.", "metadata": { "version": "1.0.0", "category": "Databricks", 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-PublicNetworkAccess.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-PublicNetworkAccess.json index c31c814..6c99bd6 100644 --- a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-PublicNetworkAccess.json +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MachineLearning-PublicNetworkAccess.json @@ -7,12 +7,13 @@ "policyType": "Custom", "mode": "Indexed", "displayName": "[Deprecated] Azure Machine Learning should have disabled public network access", - "description": "Denies public network access for Azure Machine Learning workspaces.", + "description": "Denies public network access for Azure Machine Learning workspaces. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/438c38d2-3772-465a-a9cc-7a6666a275ce.html", "metadata": { "version": "1.0.0-deprecated", "category": "Machine Learning", "source": "https://github.com/Azure/Enterprise-Scale/", "deprecated": true, + "supersededBy": "438c38d2-3772-465a-a9cc-7a6666a275ce", "alzCloudEnvironments": [ "AzureCloud" ] diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MgmtPorts-From-Internet.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MgmtPorts-From-Internet.json index 86e8a84..731cbbc 100644 --- a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MgmtPorts-From-Internet.json +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-MgmtPorts-From-Internet.json 
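Review bot: The new `"supersededBy"` value is a bare GUID here but a custom definition name (`Deny-MgmtPorts-From-Internet`) in the RDP deprecation further down, and the MariaDB, PublicIP, NSG flow-log and SQL TDE deprecations follow the same mixed pattern; any tooling that resolves this field has to know it holds the policy definition *name* (GUID for built-ins, ALZ name for custom). Either document that convention once where the library metadata fields are described, or use full `/providers/Microsoft.Authorization/policyDefinitions/<name>` resource IDs so the value is unambiguous. The description strings already carry the human-readable azadvertizer link, so the metadata field is the machine-readable half and consistency matters more there.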
@@ -12,6 +12,7 @@ "version": "2.1.0", "category": "Network", "source": "https://github.com/Azure/Enterprise-Scale/", + "replacesPolicy": "Deny-RDP-From-Internet", "alzCloudEnvironments": [ "AzureCloud", "AzureChinaCloud", diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-PostgreSql-http.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-PostgreSql-http.json index fb396d6..5d2bc16 100644 --- a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-PostgreSql-http.json +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-PostgreSql-http.json @@ -42,8 +42,8 @@ "TLSEnforcementDisabled" ], "metadata": { - "displayName": "Select version minimum TLS for MySQL server", - "description": "Select version minimum TLS version Azure Database for MySQL server to enforce" + "displayName": "Select version minimum TLS for PostgreSQL server", + "description": "Select version minimum TLS version Azure Database for PostgreSQL server to enforce" } } }, diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-PublicEndpoint-MariaDB.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-PublicEndpoint-MariaDB.json index eea5b4f..a98c694 100644 --- a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-PublicEndpoint-MariaDB.json +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-PublicEndpoint-MariaDB.json 
@@ -7,12 +7,13 @@ "policyType": "Custom", "mode": "Indexed", "displayName": "[Deprecated] Public network access should be disabled for MariaDB", - "description": "This policy denies the creation of Maria DB accounts with exposed public endpoints", + "description": "This policy denies the creation of Maria DB accounts with exposed public endpoints. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/fdccbe47-f3e3-4213-ad5d-ea459b2fa077.html", "metadata": { "version": "1.0.0-deprecated", "category": "SQL", "source": "https://github.com/Azure/Enterprise-Scale/", "deprecated": true, + "supersededBy": "fdccbe47-f3e3-4213-ad5d-ea459b2fa077", "alzCloudEnvironments": [ "AzureCloud", "AzureChinaCloud", diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-PublicIP.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-PublicIP.json index 7c8acd8..a997d2d 100644 --- a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-PublicIP.json +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-PublicIP.json @@ -7,9 +7,10 @@ "policyType": "Custom", "mode": "Indexed", "displayName": "[Deprecated] Deny the creation of public IP", - "description": "[Deprecated] This policy denies creation of Public IPs under the assigned scope.", + "description": "[Deprecated] This policy denies creation of Public IPs under the assigned scope. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/6c112d4e-5bc7-47ae-a041-ea2d9dccd749.html using appropriate assignment parameters.", "metadata": { "deprecated": true, + "supersededBy": "6c112d4e-5bc7-47ae-a041-ea2d9dccd749", "version": "1.0.0-deprecated", "category": "Network", "source": "https://github.com/Azure/Enterprise-Scale/", 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-RDP-From-Internet.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-RDP-From-Internet.json index a4efda1..1b94399 100644 --- a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-RDP-From-Internet.json +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-RDP-From-Internet.json @@ -7,9 +7,10 @@ "policyType": "Custom", "mode": "All", "displayName": "[Deprecated] RDP access from the Internet should be blocked", - "description": "This policy denies any network security rule that allows RDP access from Internet. This policy is superceded by new custom ALZ policy 'Deny-MgmtPorts-From-Internet'.", + "description": "This policy denies any network security rule that allows RDP access from Internet. This policy is superseded by https://www.azadvertizer.net/azpolicyadvertizer/Deny-MgmtPorts-From-Internet.html", "metadata": { "deprecated": true, + "supersededBy": "Deny-MgmtPorts-From-Internet", "version": "1.0.1-deprecated", "category": "Network", "source": "https://github.com/Azure/Enterprise-Scale/", diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_DenyAction-ActivityLogs.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_DenyAction-ActivityLogs.json new file mode 100644 index 0000000..c097e97 --- /dev/null +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_DenyAction-ActivityLogs.json 
@@ -0,0 +1,38 @@
+{
+ "name": "DenyAction-ActivityLogs",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "DenyAction implementation on Activity Logs",
+ "description": "This is a DenyAction implementation policy on Activity Logs.",
+ "metadata": {
+ "deprecated": false,
+ "version": "1.0.0",
+ "category": "Monitoring",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {},
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.Resources/subscriptions/providers/diagnosticSettings"
+ },
+ "then": {
+ "effect": "denyAction",
+ "details": {
+ "actionNames": [
+ "delete"
+ ]
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_DenyAction-DiagnosticLogs.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_DenyAction-DiagnosticLogs.json
new file mode 100644
index 0000000..a33f10c
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_DenyAction-DiagnosticLogs.json
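Review bot: `"mode": "Indexed"` may prevent this rule from ever evaluating its target, because Indexed mode only covers resource types that support tags and location, and `Microsoft.Resources/subscriptions/providers/diagnosticSettings` is a subscription-level extension resource that, as far as I recall, supports neither; `"mode": "All"` is the safer choice unless this has been verified against a live subscription, and the same question applies to the DiagnosticLogs definition in the next file. Hard-coding `"effect": "denyAction"` with an empty `"parameters"` block also means an assignment cannot be set to Disabled for a scope, which leaves exemptions as the only escape hatch; the `"effect": "[parameters('effect')]"` pattern used by the other definitions in this commit would avoid that. The description is uninformative — something like `"description": "Denies deletion of subscription activity log diagnostic settings (Microsoft.Resources/subscriptions/providers/diagnosticSettings) so that activity log forwarding cannot be removed without an exemption."` states what the rule actually does.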
@@ -0,0 +1,38 @@
+{
+ "name": "DenyAction-DiagnosticLogs",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "DenyAction implementation on Diagnostic Logs.",
+ "description": "DenyAction implementation on Diagnostic Logs.",
+ "metadata": {
+ "deprecated": false,
+ "version": "1.0.0",
+ "category": "Monitoring",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {},
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.Insights/diagnosticSettings"
+ },
+ "then": {
+ "effect": "denyAction",
+ "details": {
+ "actionNames": [
+ "delete"
+ ]
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-CosmosDB.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-CosmosDB.json
index 7979a23..0c5e86c 100644
--- a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-CosmosDB.json
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Diagnostics-CosmosDB.json
@@ -9,7 +9,7 @@
 "displayName": "Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace",
 "description": "Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
 "metadata": {
- "version": "1.1.0",
+ "version": "1.2.0",
 "category": "Monitoring",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
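Review bot: `"details"` carries only `"actionNames"`; if I recall the denyAction schema correctly, `cascadeBehaviors.delete` defaults to `deny`, which means that once this is assigned, deleting a resource group containing any resource with a diagnostic setting would also be refused — an explicit `"cascadeBehaviors": { "delete": "deny" }` (or `"allow"`) would document that intended blast radius rather than leaving it to a default the next reader has to look up. The same Indexed-versus-All mode question raised on the ActivityLogs definition applies here: `Microsoft.Insights/diagnosticSettings` is an extension resource without tags or location. Minor: the displayName `"DenyAction implementation on Diagnostic Logs."` ends with a period while its twin does not, and both strings surface in portal listings.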
@@ -181,6 +181,10 @@
 {
 "category": "GremlinRequests",
 "enabled": "[parameters('logsEnabled')]"
+ },
+ {
+ "category": "TableApiRequests",
+ "enabled": "[parameters('logsEnabled')]"
 }
 ]
 }
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-MySQL-sslEnforcement.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-MySQL-sslEnforcement.json
index 7e7290e..3dca742 100644
--- a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-MySQL-sslEnforcement.json
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-MySQL-sslEnforcement.json
@@ -9,7 +9,7 @@
 "displayName": "Azure Database for MySQL server deploy a specific min TLS version and enforce SSL.",
 "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "SQL",
 "source": "https://github.com/Azure/Enterprise-Scale/",
 "alzCloudEnvironments": [
@@ -84,7 +84,7 @@
 ]
 },
 "roleDefinitionIds": [
- "/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
+ "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
 ],
 "deployment": {
 "properties": {
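Review bot: The `"roleDefinitionIds"` change in the `@@ -84` hunk swaps what appears to be the Owner role (`8e3af657-…`) for Contributor (`b24988ac-…`), a welcome least-privilege reduction, but it only affects new assignments: the managed identity of an existing assignment keeps the role it was granted at assignment time, so consumers must re-create the assignment (and re-run remediation) to benefit, and the same holds for the sibling role changes in the PostgreSQL, SQL, SQL MI and Storage definitions further down. A minor version bump (`"version": "1.1.0"`) does not signal that; a sentence in the release notes or the metadata description would. For MySQL and PostgreSQL the new role is still the broad Contributor, whereas SQL, SQL MI and Storage were given service-specific contributor roles — if no narrower built-in role fits these two resource types, saying so in the module docs would pre-empt the question. The `deployment` block that uses this identity continues outside the hunk.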
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Nsg-FlowLogs-to-LA.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Nsg-FlowLogs-to-LA.json index 055961f..d78dde1 100644 --- a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Nsg-FlowLogs-to-LA.json +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Nsg-FlowLogs-to-LA.json @@ -7,9 +7,10 @@ "policyType": "Custom", "mode": "Indexed", "displayName": "[Deprecated] Deploys NSG flow logs and traffic analytics to Log Analytics", - "description": "[Deprecated] Deprecated by built-in policy. Deploys NSG flow logs and traffic analytics to Log Analytics with a specified retention period.", + "description": "[Deprecated] Deprecated by built-in policy. Deploys NSG flow logs and traffic analytics to Log Analytics with a specified retention period. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/e920df7f-9a64-4066-9b58-52684c02a091.html", "metadata": { "deprecated": true, + "supersededBy": "e920df7f-9a64-4066-9b58-52684c02a091", "version": "1.1.0-deprecated", "category": "Monitoring", "source": "https://github.com/Azure/Enterprise-Scale/", diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Nsg-FlowLogs.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Nsg-FlowLogs.json index 2a504dd..347fd2d 100644 --- a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Nsg-FlowLogs.json +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Nsg-FlowLogs.json 
@@ -7,9 +7,10 @@ "policyType": "Custom", "mode": "Indexed", "displayName": "[Deprecated] Deploys NSG flow logs and traffic analytics", - "description": "[Deprecated] Deprecated by built-in policy. Deploys NSG flow logs and traffic analytics to a storageaccountid with a specified retention period.", + "description": "[Deprecated] Deprecated by built-in policy. Deploys NSG flow logs and traffic analytics to a storageaccountid with a specified retention period. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/e920df7f-9a64-4066-9b58-52684c02a091.html", "metadata": { "deprecated": true, + "supersededBy": "e920df7f-9a64-4066-9b58-52684c02a091", "version": "1.0.0-deprecated", "category": "Monitoring", "source": "https://github.com/Azure/Enterprise-Scale/", diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-PostgreSQL-sslEnforcement.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-PostgreSQL-sslEnforcement.json index d644cc2..3cf45b5 100644 --- a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-PostgreSQL-sslEnforcement.json +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-PostgreSQL-sslEnforcement.json 
@@ -9,7 +9,7 @@ "displayName": "Azure Database for PostgreSQL server deploy a specific min TLS version requirement and enforce SSL ", "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "SQL", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -85,7 +85,7 @@ }, "name": "current", "roleDefinitionIds": [ - "/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635" + "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" ], "deployment": { "properties": { diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-SQL-minTLS.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-SQL-minTLS.json index 07fa3ff..48909e0 100644 --- a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-SQL-minTLS.json +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-SQL-minTLS.json 
@@ -9,7 +9,7 @@ "displayName": "SQL servers deploys a specific min TLS version requirement.", "description": "Deploys a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "SQL", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -72,7 +72,7 @@ }, "name": "current", "roleDefinitionIds": [ - "/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635" + "/providers/microsoft.authorization/roleDefinitions/6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437" ], "deployment": { "properties": { diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Sql-Tde.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Sql-Tde.json index 8415c4f..cf6bcde 100644 --- a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Sql-Tde.json +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Sql-Tde.json @@ -10,6 +10,7 @@ "description": "Deploy the Transparent Data Encryption when it is not enabled in the deployment. Please use this policy instead https://www.azadvertizer.net/azpolicyadvertizer/86a912f6-9a06-4e26-b447-11b16ba8659f.html", "metadata": { "deprecated": true, + "supersededBy": "86a912f6-9a06-4e26-b447-11b16ba8659f", "version": "1.1.1-deprecated", "category": "SQL", "source": "https://github.com/Azure/Enterprise-Scale/", 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-SqlMi-minTLS.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-SqlMi-minTLS.json index 237c536..a2e4c61 100644 --- a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-SqlMi-minTLS.json +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-SqlMi-minTLS.json @@ -9,7 +9,7 @@ "displayName": "SQL managed instances deploy a specific min TLS version requirement.", "description": "Deploy a specific min TLS version requirement and enforce SSL on SQL managed instances. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", "metadata": { - "version": "1.0.0", + "version": "1.2.0", "category": "SQL", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -62,6 +62,7 @@ "effect": "[parameters('effect')]", "details": { "type": "Microsoft.Sql/managedInstances", + "evaluationDelay": "AfterProvisioningSuccess", "existenceCondition": { "allOf": [ { @@ -72,7 +73,7 @@ }, "name": "current", "roleDefinitionIds": [ - "/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635" + "/providers/microsoft.authorization/roleDefinitions/4939a1f6-9ae0-4e48-a1e0-f2cbe897382d" ], "deployment": { "properties": { 
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Storage-sslEnforcement.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Storage-sslEnforcement.json index 8835ff5..6e0531a 100644 --- a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Storage-sslEnforcement.json +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deploy-Storage-sslEnforcement.json @@ -9,7 +9,7 @@ "displayName": "Azure Storage deploy a specific min TLS version requirement and enforce SSL/HTTPS ", "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Storage. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your Azure Storage.", "metadata": { - "version": "1.1.0", + "version": "1.2.0", "category": "Storage", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -84,7 +84,7 @@ }, "name": "current", "roleDefinitionIds": [ - "/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635" + "/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab" ], "deployment": { "properties": { diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_DenyAction-DeleteProtection.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_DenyAction-DeleteProtection.json new file mode 100644 index 0000000..b19006e --- /dev/null 
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_DenyAction-DeleteProtection.json
@@ -0,0 +1,37 @@
+{
+ "name": "DenyAction-DeleteProtection",
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "scope": null,
+ "properties": {
+ "policyType": "Custom",
+ "displayName": "DenyAction Delete - Activity Log Settings and Diagnostic Settings",
+ "description": "Enforces DenyAction - Delete on Activity Log Settings and Diagnostic Settings.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Monitoring",
+ "source": "https://github.com/Azure/Enterprise-Scale/",
+ "alzCloudEnvironments": [
+ "AzureCloud",
+ "AzureChinaCloud",
+ "AzureUSGovernment"
+ ]
+ },
+ "parameters": {},
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "DenyActionDelete-DiagnosticSettings",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/DenyAction-DiagnosticLogs",
+ "parameters": {},
+ "groupNames": []
+ },
+ {
+ "policyDefinitionReferenceId": "DenyActionDelete-ActivityLogSettings",
+ "policyDefinitionId": "${varTargetManagementGroupResourceId}/providers/Microsoft.Authorization/policyDefinitions/DenyAction-ActivityLogs",
+ "parameters": {},
+ "groupNames": []
+ }
+ ],
+ "policyDefinitionGroups": null
+ }
+}
\ No newline at end of file
diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_DenyAction-DeleteProtection.parameters.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_DenyAction-DeleteProtection.parameters.json
new file mode 100644
index 0000000..3c9ca1d
--- /dev/null
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_DenyAction-DeleteProtection.parameters.json
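Review bot: The child order in `"policyDefinitions"` (DiagnosticSettings first, then ActivityLogSettings) is the reverse of the `libSetChildDefinitions` array added to customPolicyDefinitions.bicep in this same commit; functionally harmless, but keeping the two in the same order makes the bicep-versus-JSON drift check a plain diff. The set exposes no parameters, so the only way to relax it at a scope is an exemption — acceptable if intended, but the description should say so, e.g. `"description": "Enforces DenyAction - Delete on Activity Log Settings and Diagnostic Settings. Not parameterised; use a policy exemption where deletion must be permitted."`. The file is also added without a trailing newline while this commit fixes exactly that for the China Databricks definition.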
@@ -0,0 +1,8 @@ +{ + "DenyActionDelete-ActivityLogSettings": { + "parameters": {} + }, + "DenyActionDelete-DiagnosticSettings": { + "parameters": {} + } +} diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config.json index b3c5877..f3c056f 100644 --- a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config.json +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config.json @@ -8,7 +8,7 @@ "displayName": "Deploy Microsoft Defender for Cloud configuration", "description": "Deploy Microsoft Defender for Cloud configuration", "metadata": { - "version": "5.0.1", + "version": "6.0.1", "category": "Security Center", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -294,8 +294,8 @@ "groupNames": [] }, { - "policyDefinitionReferenceId": "defenderForStorageAccounts", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3", + "policyDefinitionReferenceId": "defenderForStorageAccountsV2", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390", "parameters": { "effect": { "value": "[[parameters('enableAscForStorage')]" diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config.parameters.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config.parameters.json index b872085..38f85e2 100644 
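Review bot: Renaming `defenderForStorageAccounts` to `defenderForStorageAccountsV2` changes the policyDefinitionReferenceId inside an already-assigned initiative, and reference ids are what compliance records and remediation tasks are keyed on, so existing remediation tasks for the storage plan will be orphaned and need re-creating after the 6.0.1 roll-out; that is worth a line in the release notes. The new reference cfdc5972-… is forwarded only `effect`; if that built-in exposes further plan settings (on-upload malware scanning, sensitive-data threat detection, a monthly scan cap), they are silently taken at their built-in defaults here with no initiative parameter to override them, so either pass them through as `parameters` of the set or document the defaults that ship. Also confirm the assignment template in this release grants the assignment identity whatever role the V2 definition lists, since a different built-in may declare a different roleDefinitionIds set.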
--- a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config.parameters.json +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-MDFC-Config.parameters.json @@ -106,7 +106,7 @@ } } }, - "defenderForStorageAccounts": { + "defenderForStorageAccountsV2": { "parameters": { "effect": { "value": "[[parameters('enableAscForStorage')]" diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.json index d6cffb1..d633aa9 100644 --- a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.json +++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.json @@ -8,7 +8,7 @@ "displayName": "Configure Azure PaaS services to use private DNS zones", "description": "This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones", "metadata": { - "version": "1.1.0", + "version": "2.1.1", "category": "Network", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -106,6 +106,15 @@ "description": "Private DNS Zone Identifier" } }, + "azureDatabricksPrivateDnsZoneId": { + "type": "string", + "defaultValue": "", + "metadata": { + "displayName": "azureDatabricksPrivateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones", + "description": "Private DNS Zone Identifier" + } + }, "azureHDInsightPrivateDnsZoneId": { "type": "string", "defaultValue": "", 
@@ -506,7 +515,7 @@ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475", "parameters": { "privateDnsZoneId": { - "value": "[[parameters('azureFileprivateDnsZoneId')]" + "value": "[[parameters('azureFilePrivateDnsZoneId')]" }, "effect": { "value": "[[parameters('effect')]" @@ -662,6 +671,38 @@ }, "groupNames": [] }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Databrics-UI-Api", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureDatabricksPrivateDnsZoneId')]" + }, + "groupId": { + "value": "databricks_ui_api" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Databrics-Browser-AuthN", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c", + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureDatabricksPrivateDnsZoneId')]" + }, + "groupId": { + "value": "browser_authentication" + }, + "effect": { + "value": "[[parameters('effect')]" + } + }, + "groupNames": [] + }, { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-HDInsight", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/43d6e3bd-fc6a-4b44-8b4d-2151d8736a11", diff --git a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.parameters.json b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.parameters.json index 4a5f653..ea78797 100644 --- a/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.parameters.json 
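Review bot: The two new reference ids `DINE-Private-DNS-Azure-Databrics-UI-Api` and `DINE-Private-DNS-Azure-Databrics-Browser-AuthN` misspell Databricks, and because policyDefinitionReferenceId is the key that remediation tasks, compliance history and the sibling .parameters.json use, the typo becomes a permanent identifier the moment 2.1.1 is assigned; fix it before release, e.g. `"policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Databricks-UI-Api"` and its Browser-AuthN twin, together with the matching keys in the parameters file. The new `azureDatabricksPrivateDnsZoneId` parameter defaults to `""` like the other zone ids in this set, so both entries only do something useful when the assignment supplies the privatelink.azuredatabricks.net zone id; that assignment parameter file is in the diffstat but not in this hunk, so confirm it carries the new value. Both entries point at the same zone with different groupId values (`databricks_ui_api`, `browser_authentication`), which appears intended for the two Databricks private-link sub-resources — confirm against the provider's documented group ids.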
+++ b/dependencies/infra-as-code/bicep/modules/policy/definitions/lib/policy_set_definitions/policy_set_definition_es_Deploy-Private-DNS-Zones.parameters.json @@ -150,6 +150,32 @@ } } }, + "DINE-Private-DNS-Azure-Databrics-Browser-AuthN": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureDatabricksPrivateDnsZoneId')]" + }, + "groupId": { + "value": "browser_authentication" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, + "DINE-Private-DNS-Azure-Databrics-UI-Api": { + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('azureDatabricksPrivateDnsZoneId')]" + }, + "groupId": { + "value": "databricks_ui_api" + }, + "effect": { + "value": "[[parameters('effect')]" + } + } + }, "DINE-Private-DNS-Azure-DataFactory": { "parameters": { "privateDnsZoneId": { @@ -223,7 +249,7 @@ "DINE-Private-DNS-Azure-File-Sync": { "parameters": { "privateDnsZoneId": { - "value": "[[parameters('azureFileprivateDnsZoneId')]" + "value": "[[parameters('azureFilePrivateDnsZoneId')]" }, "effect": { "value": "[[parameters('effect')]" diff --git a/dependencies/infra-as-code/bicep/modules/privateDnsZones/generateddocs/privateDnsZones.bicep.md b/dependencies/infra-as-code/bicep/modules/privateDnsZones/generateddocs/privateDnsZones.bicep.md index 2eae1b5..19094cf 100644 --- a/dependencies/infra-as-code/bicep/modules/privateDnsZones/generateddocs/privateDnsZones.bicep.md +++ b/dependencies/infra-as-code/bicep/modules/privateDnsZones/generateddocs/privateDnsZones.bicep.md 
@@ -11,6 +11,7 @@ parPrivateDnsZones | No | Array of custom DNS Zones to provision in Hub Vi parPrivateDnsZoneAutoMergeAzureBackupZone | No | Set Parameter to false to skip the addition of a Private DNS Zone for Azure Backup. parTags | No | Tags you would like to be applied to all resources in this module. parVirtualNetworkIdToLink | No | Resource ID of VNet for Private DNS Zone VNet Links. +parVirtualNetworkIdToLinkFailover | No | Resource ID of VNet for Failover Private DNS Zone VNet Links. parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry. ### parLocation 
@@ -27,7 +28,7 @@ The Azure Region to deploy the resources into. Array of custom DNS Zones to provision in Hub Virtual Network. -- Default value: `[format('privatelink.{0}.azmk8s.io', toLower(parameters('parLocation')))] [format('privatelink.{0}.batch.azure.com', toLower(parameters('parLocation')))] [format('privatelink.{0}.kusto.windows.net', toLower(parameters('parLocation')))] privatelink.adf.azure.com privatelink.afs.azure.net privatelink.agentsvc.azure-automation.net privatelink.analysis.windows.net privatelink.api.azureml.ms privatelink.azconfig.io privatelink.azure-api.net privatelink.azure-automation.net privatelink.azurecr.io privatelink.azure-devices.net privatelink.azure-devices-provisioning.net privatelink.azurehdinsight.net privatelink.azurehealthcareapis.com privatelink.azurestaticapps.net privatelink.azuresynapse.net privatelink.azurewebsites.net privatelink.batch.azure.com privatelink.blob.core.windows.net privatelink.cassandra.cosmos.azure.com privatelink.cognitiveservices.azure.com privatelink.database.windows.net privatelink.datafactory.azure.net privatelink.dev.azuresynapse.net privatelink.dfs.core.windows.net privatelink.dicom.azurehealthcareapis.com privatelink.digitaltwins.azure.net privatelink.directline.botframework.com privatelink.documents.azure.com privatelink.eventgrid.azure.net privatelink.file.core.windows.net privatelink.gremlin.cosmos.azure.com privatelink.guestconfiguration.azure.com privatelink.his.arc.azure.com privatelink.kubernetesconfiguration.azure.com privatelink.managedhsm.azure.net privatelink.mariadb.database.azure.com privatelink.media.azure.net privatelink.mongo.cosmos.azure.com privatelink.monitor.azure.com privatelink.mysql.database.azure.com privatelink.notebooks.azure.net privatelink.ods.opinsights.azure.com privatelink.oms.opinsights.azure.com privatelink.pbidedicated.windows.net privatelink.postgres.database.azure.com privatelink.prod.migration.windowsazure.com privatelink.purview.azure.com 
privatelink.purviewstudio.azure.com privatelink.queue.core.windows.net privatelink.redis.cache.windows.net privatelink.redisenterprise.cache.azure.net privatelink.search.windows.net privatelink.service.signalr.net privatelink.servicebus.windows.net privatelink.siterecovery.windowsazure.com privatelink.sql.azuresynapse.net privatelink.table.core.windows.net privatelink.table.cosmos.azure.com privatelink.tip1.powerquery.microsoft.com privatelink.token.botframework.com privatelink.vaultcore.azure.net privatelink.web.core.windows.net privatelink.webpubsub.azure.com` +- Default value: `[format('privatelink.{0}.azmk8s.io', toLower(parameters('parLocation')))] [format('privatelink.{0}.batch.azure.com', toLower(parameters('parLocation')))] [format('privatelink.{0}.kusto.windows.net', toLower(parameters('parLocation')))] privatelink.adf.azure.com privatelink.afs.azure.net privatelink.agentsvc.azure-automation.net privatelink.analysis.windows.net privatelink.api.azureml.ms privatelink.azconfig.io privatelink.azure-api.net privatelink.azure-automation.net privatelink.azurecr.io privatelink.azure-devices.net privatelink.azure-devices-provisioning.net privatelink.azuredatabricks.net privatelink.azurehdinsight.net privatelink.azurehealthcareapis.com privatelink.azurestaticapps.net privatelink.azuresynapse.net privatelink.azurewebsites.net privatelink.batch.azure.com privatelink.blob.core.windows.net privatelink.cassandra.cosmos.azure.com privatelink.cognitiveservices.azure.com privatelink.database.windows.net privatelink.datafactory.azure.net privatelink.dev.azuresynapse.net privatelink.dfs.core.windows.net privatelink.dicom.azurehealthcareapis.com privatelink.digitaltwins.azure.net privatelink.directline.botframework.com privatelink.documents.azure.com privatelink.eventgrid.azure.net privatelink.file.core.windows.net privatelink.gremlin.cosmos.azure.com privatelink.guestconfiguration.azure.com privatelink.his.arc.azure.com privatelink.kubernetesconfiguration.azure.com 
privatelink.managedhsm.azure.net privatelink.mariadb.database.azure.com privatelink.media.azure.net privatelink.mongo.cosmos.azure.com privatelink.monitor.azure.com privatelink.mysql.database.azure.com privatelink.notebooks.azure.net privatelink.ods.opinsights.azure.com privatelink.oms.opinsights.azure.com privatelink.pbidedicated.windows.net privatelink.postgres.database.azure.com privatelink.prod.migration.windowsazure.com privatelink.purview.azure.com privatelink.purviewstudio.azure.com privatelink.queue.core.windows.net privatelink.redis.cache.windows.net privatelink.redisenterprise.cache.azure.net privatelink.search.windows.net privatelink.service.signalr.net privatelink.servicebus.windows.net privatelink.siterecovery.windowsazure.com privatelink.sql.azuresynapse.net privatelink.table.core.windows.net privatelink.table.cosmos.azure.com privatelink.tip1.powerquery.microsoft.com privatelink.token.botframework.com privatelink.vaultcore.azure.net privatelink.web.core.windows.net privatelink.webpubsub.azure.com` ### parPrivateDnsZoneAutoMergeAzureBackupZone @@ -49,6 +50,12 @@ Tags you would like to be applied to all resources in this module. Resource ID of VNet for Private DNS Zone VNet Links. +### parVirtualNetworkIdToLinkFailover + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Resource ID of VNet for Failover Private DNS Zone VNet Links. + ### parTelemetryOptOut ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) @@ -95,6 +102,7 @@ outPrivateDnsZonesNames | array | "privatelink.azurecr.io", "privatelink.azure-devices.net", "privatelink.azure-devices-provisioning.net", + "privatelink.azuredatabricks.net", "privatelink.azurehdinsight.net", "privatelink.azurehealthcareapis.com", "privatelink.azurestaticapps.net", 
@@ -158,6 +166,9 @@ outPrivateDnsZonesNames | array | "parVirtualNetworkIdToLink": { "value": "" }, + "parVirtualNetworkIdToLinkFailover": { + "value": "" + }, "parTelemetryOptOut": { "value": false } diff --git a/dependencies/infra-as-code/bicep/modules/privateDnsZones/parameters/privateDnsZones.parameters.all.json b/dependencies/infra-as-code/bicep/modules/privateDnsZones/parameters/privateDnsZones.parameters.all.json index ac87cc7..6115ea9 100644 --- a/dependencies/infra-as-code/bicep/modules/privateDnsZones/parameters/privateDnsZones.parameters.all.json +++ b/dependencies/infra-as-code/bicep/modules/privateDnsZones/parameters/privateDnsZones.parameters.all.json @@ -22,6 +22,7 @@ "privatelink.azurecr.io", "privatelink.azure-devices.net", "privatelink.azure-devices-provisioning.net", + "privatelink.azuredatabricks.net", "privatelink.azurehdinsight.net", "privatelink.azurehealthcareapis.com", "privatelink.azurestaticapps.net", @@ -87,6 +88,9 @@ "parVirtualNetworkIdToLink": { "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/xxxxxxxxxxx/providers/Microsoft.Network/virtualNetworks/xxxxxxxxxxx" }, + "parVirtualNetworkIdToLinkFailover": { + "value": "" + }, "parTelemetryOptOut": { "value": false } diff --git a/dependencies/infra-as-code/bicep/modules/privateDnsZones/parameters/privateDnsZones.parameters.min.json b/dependencies/infra-as-code/bicep/modules/privateDnsZones/parameters/privateDnsZones.parameters.min.json index 3f3a463..fcad595 100644 --- a/dependencies/infra-as-code/bicep/modules/privateDnsZones/parameters/privateDnsZones.parameters.min.json +++ b/dependencies/infra-as-code/bicep/modules/privateDnsZones/parameters/privateDnsZones.parameters.min.json @@ -19,6 +19,7 @@ "privatelink.azurecr.io", "privatelink.azure-devices.net", "privatelink.azure-devices-provisioning.net", + "privatelink.azuredatabricks.net", "privatelink.azurehdinsight.net", "privatelink.azurehealthcareapis.com", "privatelink.azurestaticapps.net", 
diff --git a/dependencies/infra-as-code/bicep/modules/privateDnsZones/privateDnsZones.bicep b/dependencies/infra-as-code/bicep/modules/privateDnsZones/privateDnsZones.bicep index f5590be..5f4c661 100644 --- a/dependencies/infra-as-code/bicep/modules/privateDnsZones/privateDnsZones.bicep +++ b/dependencies/infra-as-code/bicep/modules/privateDnsZones/privateDnsZones.bicep @@ -20,6 +20,7 @@ param parPrivateDnsZones array = [ 'privatelink.azurecr.io' 'privatelink.azure-devices.net' 'privatelink.azure-devices-provisioning.net' + 'privatelink.azuredatabricks.net' 'privatelink.azurehdinsight.net' 'privatelink.azurehealthcareapis.com' 'privatelink.azurestaticapps.net' @@ -83,6 +84,9 @@ param parTags object = {} @sys.description('Resource ID of VNet for Private DNS Zone VNet Links.') param parVirtualNetworkIdToLink string = '' +@sys.description('Resource ID of VNet for Failover Private DNS Zone VNet Links.') +param parVirtualNetworkIdToLinkFailover string = '' + @sys.description('Set Parameter to true to Opt-out of deployment telemetry.') param parTelemetryOptOut bool = false @@ -180,6 +184,18 @@ resource resVirtualNetworkLink 'Microsoft.Network/privateDnsZones/virtualNetwork dependsOn: resPrivateDnsZones }] +resource resVirtualNetworkLinkFailover 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = [for privateDnsZoneName in varPrivateDnsZonesMerge: if (!empty(parVirtualNetworkIdToLinkFailover)) { + name: '${privateDnsZoneName}/${take('fallbacklink-${uniqueString(parVirtualNetworkIdToLinkFailover)}', 80)}' + location: 'global' + properties: { + registrationEnabled: false + virtualNetwork: { + id: parVirtualNetworkIdToLinkFailover + } + } + dependsOn: resPrivateDnsZones +}] + module modCustomerUsageAttribution '../../CRML/customerUsageAttribution/cuaIdResourceGroup.bicep' = if (!parTelemetryOptOut) { #disable-next-line no-loc-expr-outside-params name: 'pid-${varCuaid}-${uniqueString(resourceGroup().location)}' 
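Review bot: resVirtualNetworkLinkFailover is guarded only by `!empty(parVirtualNetworkIdToLinkFailover)`, so a caller who passes the same VNet id for the primary and failover parameters gets two virtualNetworkLinks to one VNet on every zone, which the service rejects as a conflict and fails the whole deployment. Tighten the condition to `if (!empty(parVirtualNetworkIdToLinkFailover) && toLower(parVirtualNetworkIdToLinkFailover) != toLower(parVirtualNetworkIdToLink))` (resource ids differ in case between callers, so compare case-insensitively). `registrationEnabled: false` is the right setting for privatelink zones and deserves a why-comment so nobody "enables" it later, e.g. `// auto-registration must stay off: records in privatelink zones are written by private-endpoint DNS zone groups, not by VM registration`. The `@sys.description` for the new parameter could also state that it is optional and that the primary link is still created from parVirtualNetworkIdToLink.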
@@ -191,4 +207,4 @@ output outPrivateDnsZones array = [for i in range(0, length(varPrivateDnsZonesMe id: resPrivateDnsZones[i].id }] -output outPrivateDnsZonesNames array = [for i in range(0, length(varPrivateDnsZonesMerge)): resPrivateDnsZones[i].name ] +output outPrivateDnsZonesNames array = [for i in range(0, length(varPrivateDnsZonesMerge)): resPrivateDnsZones[i].name] diff --git a/dependencies/infra-as-code/bicep/modules/privateDnsZones/samples/baseline.sample.bicep b/dependencies/infra-as-code/bicep/modules/privateDnsZones/samples/baseline.sample.bicep index 08e585c..b023f80 100644 --- a/dependencies/infra-as-code/bicep/modules/privateDnsZones/samples/baseline.sample.bicep +++ b/dependencies/infra-as-code/bicep/modules/privateDnsZones/samples/baseline.sample.bicep @@ -35,6 +35,7 @@ module baseline_private_dns '../privateDnsZones.bicep' = { 'privatelink.azurecr.io' 'privatelink.azure-devices.net' 'privatelink.azure-devices-provisioning.net' + 'privatelink.azuredatabricks.net' 'privatelink.azurehdinsight.net' 'privatelink.azurehealthcareapis.com' 'privatelink.azurestaticapps.net' diff --git a/dependencies/infra-as-code/bicep/modules/roleAssignments/README.md b/dependencies/infra-as-code/bicep/modules/roleAssignments/README.md index e2419c3..b110d30 100644 --- a/dependencies/infra-as-code/bicep/modules/roleAssignments/README.md +++ b/dependencies/infra-as-code/bicep/modules/roleAssignments/README.md 
@@ -31,18 +31,18 @@ All templates require an input for `parAssigneeObjectId` and this value is depen az identity show --resource-group --name --query 'principalId' # Identify Object Id for Service Principal (App Registration) -# Require read permission to query Azure Active Directory +# Require read permission to query Microsoft Entra # Example: az ad sp show --id c705dc53-7c95-42bc-b1d5-75e172571370 --query id az ad sp show --id --query id # Identify Object Id for Service Principal (App Registration) -# Require read permission to query Azure Active Directory +# Require read permission to query Microsoft Entra # Beware of duplicates, since app registation names are not unique. # Example: az ad sp list --filter "displayName eq ''" --query '[].{name:appDisplayName, objectId:id}' az ad sp list --filter "displayName eq ''" --query '[].{name:appDisplayName, objectId:id}' # Identify Object Id for Security Group -# Require read permission to query Azure Active Directory +# Require read permission to query Microsoft Entra # Example: az ad group show --group SG_ALZ_SECURITY --query id az ad group show --group --query id ``` @@ -55,12 +55,12 @@ az ad group show --group --query id (Get-AzADServicePrincipal -DisplayName '').Id # Identify Object Id for Service Principal (App Registration) -# Require read permission to query Azure Active Directory +# Require read permission to query Microsoft Entra # Example: (Get-AzADServicePrincipal -DisplayName 'Azure Landing Zone SPN').Id (Get-AzADServicePrincipal -DisplayName '').Id # Identify Object Id for Security Group -# Require read permission to query Azure Active Directory +# Require read permission to query Microsoft Entra # Example: Get-AzureADGroup -SearchString 'SG_ALZ_SECURITY' Connect-AzureAD (Get-AzureADGroup -SearchString '').ObjectId 
diff --git a/dependencies/infra-as-code/bicep/modules/subscriptionPlacement/subscriptionPlacement.bicep b/dependencies/infra-as-code/bicep/modules/subscriptionPlacement/subscriptionPlacement.bicep index 05afee5..d75174d 100644 --- a/dependencies/infra-as-code/bicep/modules/subscriptionPlacement/subscriptionPlacement.bicep +++ b/dependencies/infra-as-code/bicep/modules/subscriptionPlacement/subscriptionPlacement.bicep @@ -15,7 +15,7 @@ param parTelemetryOptOut bool = false // Customer Usage Attribution Id var varCuaid = '3dfa9e81-f0cf-4b25-858e-167937fd380b' -resource resSubscriptionPlacement 'Microsoft.Management/managementGroups/subscriptions@2023-04-01' = [for subscriptionId in parSubscriptionIds: { +resource resSubscriptionPlacement 'Microsoft.Management/managementGroups/subscriptions@2021-04-01' = [for subscriptionId in parSubscriptionIds: { scope: tenant() name: '${parTargetManagementGroupId}/${subscriptionId}' }] diff --git a/dependencies/infra-as-code/bicep/modules/vwanConnectivity/generateddocs/vwanConnectivity.bicep.md b/dependencies/infra-as-code/bicep/modules/vwanConnectivity/generateddocs/vwanConnectivity.bicep.md index 08a1a9e..c86a03b 100644 --- a/dependencies/infra-as-code/bicep/modules/vwanConnectivity/generateddocs/vwanConnectivity.bicep.md +++ b/dependencies/infra-as-code/bicep/modules/vwanConnectivity/generateddocs/vwanConnectivity.bicep.md 
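Review bot: The managementGroups/subscriptions API version is moved back from 2023-04-01 to 2021-04-01 with nothing in the file saying why, so the next linter or dependency-bump pass will push it forward again and silently undo this change. The alzCloudEnvironments lists elsewhere in this release include AzureChinaCloud and AzureUSGovernment, so availability of the newer API version in sovereign clouds is a plausible reason, but that is inferred from the release, not from this hunk. Record the real reason on the resource line, e.g. `// 2021-04-01 is pinned deliberately: newer API versions are not available in every target cloud` (or whatever the actual constraint is), so the pin survives future upgrades.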
@@ -9,8 +9,10 @@ Parameter name | Required | Description parLocation | No | Region in which the resource group was created. parCompanyPrefix | No | Prefix value which will be prepended to all resource names. parAzFirewallTier | No | Azure Firewall Tier associated with the Firewall to deploy. +parAzFirewallIntelMode | No | The Azure Firewall Threat Intelligence Mode. If not set, the default value is Alert. parVirtualHubEnabled | No | Switch to enable/disable Virtual Hub deployment. parAzFirewallDnsProxyEnabled | No | Switch to enable/disable Azure Firewall DNS Proxy. +parAzFirewallDnsServers | No | Array of custom DNS servers used by Azure Firewall parVirtualWanName | No | Prefix Used for Virtual WAN. parVirtualWanHubName | No | Prefix Used for Virtual WAN Hub. parVirtualWanHubs | No | Array Used for multiple Virtual WAN Hubs deployment. Each object in the array represents an individual Virtual WAN Hub configuration. Add/remove additional objects in the array to meet the number of Virtual WAN Hubs required. - `parVpnGatewayEnabled` - Switch to enable/disable VPN Gateway deployment on the respective Virtual WAN Hub. - `parExpressRouteGatewayEnabled` - Switch to enable/disable ExpressRoute Gateway deployment on the respective Virtual WAN Hub. - `parAzFirewallEnabled` - Switch to enable/disable Azure Firewall deployment on the respective Virtual WAN Hub. - `parVirtualHubAddressPrefix` - The IP address range in CIDR notation for the vWAN virtual Hub to use. - `parHubLocation` - The Virtual WAN Hub location. - `parHubRoutingPreference` - The Virtual WAN Hub routing preference. The allowed values are `ASN`, `VpnGateway`, `ExpressRoute`. - `parVirtualRouterAutoScaleConfiguration` - The Virtual WAN Hub capacity. The value should be between 2 to 50. - `parVirtualHubRoutingIntentDestinations` - The Virtual WAN Hub routing intent destinations, leave empty if not wanting to enable routing intent. The allowed values are `Internet`, `PrivateTraffic`. 
@@ -28,6 +30,7 @@ parPrivateDnsZonesResourceGroup | No | Resource Group Name for Private DNS parPrivateDnsZones | No | Array of DNS Zones to provision in Hub Virtual Network. parPrivateDnsZoneAutoMergeAzureBackupZone | No | Set Parameter to false to skip the addition of a Private DNS Zone for Azure Backup. parVirtualNetworkIdToLink | No | Resource ID of VNet for Private DNS Zone VNet Links +parVirtualNetworkIdToLinkFailover | No | Resource ID of Failover VNet for Private DNS Zone VNet Failover Links parTags | No | Tags you would like to be applied to all resources in this module. parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry @@ -57,6 +60,16 @@ Azure Firewall Tier associated with the Firewall to deploy. - Allowed values: `Basic`, `Standard`, `Premium` +### parAzFirewallIntelMode + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +The Azure Firewall Threat Intelligence Mode. If not set, the default value is Alert. + +- Default value: `Alert` + +- Allowed values: `Alert`, `Deny`, `Off` + ### parVirtualHubEnabled ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) @@ -73,6 +86,12 @@ Switch to enable/disable Azure Firewall DNS Proxy. - Default value: `True` +### parAzFirewallDnsServers + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Array of custom DNS servers used by Azure Firewall + ### parVirtualWanName ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) 
@@ -200,7 +219,7 @@ Resource Group Name for Private DNS Zones. Array of DNS Zones to provision in Hub Virtual Network. -- Default value: `[format('privatelink.{0}.azmk8s.io', toLower(parameters('parLocation')))] [format('privatelink.{0}.batch.azure.com', toLower(parameters('parLocation')))] [format('privatelink.{0}.kusto.windows.net', toLower(parameters('parLocation')))] privatelink.adf.azure.com privatelink.afs.azure.net privatelink.agentsvc.azure-automation.net privatelink.analysis.windows.net privatelink.api.azureml.ms privatelink.azconfig.io privatelink.azure-api.net privatelink.azure-automation.net privatelink.azurecr.io privatelink.azure-devices.net privatelink.azure-devices-provisioning.net privatelink.azurehdinsight.net privatelink.azurehealthcareapis.com privatelink.azurestaticapps.net privatelink.azuresynapse.net privatelink.azurewebsites.net privatelink.batch.azure.com privatelink.blob.core.windows.net privatelink.cassandra.cosmos.azure.com privatelink.cognitiveservices.azure.com privatelink.database.windows.net privatelink.datafactory.azure.net privatelink.dev.azuresynapse.net privatelink.dfs.core.windows.net privatelink.dicom.azurehealthcareapis.com privatelink.digitaltwins.azure.net privatelink.directline.botframework.com privatelink.documents.azure.com privatelink.eventgrid.azure.net privatelink.file.core.windows.net privatelink.gremlin.cosmos.azure.com privatelink.guestconfiguration.azure.com privatelink.his.arc.azure.com privatelink.kubernetesconfiguration.azure.com privatelink.managedhsm.azure.net privatelink.mariadb.database.azure.com privatelink.media.azure.net privatelink.mongo.cosmos.azure.com privatelink.monitor.azure.com privatelink.mysql.database.azure.com privatelink.notebooks.azure.net privatelink.ods.opinsights.azure.com privatelink.oms.opinsights.azure.com privatelink.pbidedicated.windows.net privatelink.postgres.database.azure.com privatelink.prod.migration.windowsazure.com privatelink.purview.azure.com 
privatelink.purviewstudio.azure.com privatelink.queue.core.windows.net privatelink.redis.cache.windows.net privatelink.redisenterprise.cache.azure.net privatelink.search.windows.net privatelink.service.signalr.net privatelink.servicebus.windows.net privatelink.siterecovery.windowsazure.com privatelink.sql.azuresynapse.net privatelink.table.core.windows.net privatelink.table.cosmos.azure.com privatelink.tip1.powerquery.microsoft.com privatelink.token.botframework.com privatelink.vaultcore.azure.net privatelink.web.core.windows.net privatelink.webpubsub.azure.com` +- Default value: `[format('privatelink.{0}.azmk8s.io', toLower(parameters('parLocation')))] [format('privatelink.{0}.batch.azure.com', toLower(parameters('parLocation')))] [format('privatelink.{0}.kusto.windows.net', toLower(parameters('parLocation')))] privatelink.adf.azure.com privatelink.afs.azure.net privatelink.agentsvc.azure-automation.net privatelink.analysis.windows.net privatelink.api.azureml.ms privatelink.azconfig.io privatelink.azure-api.net privatelink.azure-automation.net privatelink.azurecr.io privatelink.azure-devices.net privatelink.azure-devices-provisioning.net privatelink.azuredatabricks.net privatelink.azurehdinsight.net privatelink.azurehealthcareapis.com privatelink.azurestaticapps.net privatelink.azuresynapse.net privatelink.azurewebsites.net privatelink.batch.azure.com privatelink.blob.core.windows.net privatelink.cassandra.cosmos.azure.com privatelink.cognitiveservices.azure.com privatelink.database.windows.net privatelink.datafactory.azure.net privatelink.dev.azuresynapse.net privatelink.dfs.core.windows.net privatelink.dicom.azurehealthcareapis.com privatelink.digitaltwins.azure.net privatelink.directline.botframework.com privatelink.documents.azure.com privatelink.eventgrid.azure.net privatelink.file.core.windows.net privatelink.gremlin.cosmos.azure.com privatelink.guestconfiguration.azure.com privatelink.his.arc.azure.com privatelink.kubernetesconfiguration.azure.com 
privatelink.managedhsm.azure.net privatelink.mariadb.database.azure.com privatelink.media.azure.net privatelink.mongo.cosmos.azure.com privatelink.monitor.azure.com privatelink.mysql.database.azure.com privatelink.notebooks.azure.net privatelink.ods.opinsights.azure.com privatelink.oms.opinsights.azure.com privatelink.pbidedicated.windows.net privatelink.postgres.database.azure.com privatelink.prod.migration.windowsazure.com privatelink.purview.azure.com privatelink.purviewstudio.azure.com privatelink.queue.core.windows.net privatelink.redis.cache.windows.net privatelink.redisenterprise.cache.azure.net privatelink.search.windows.net privatelink.service.signalr.net privatelink.servicebus.windows.net privatelink.siterecovery.windowsazure.com privatelink.sql.azuresynapse.net privatelink.table.core.windows.net privatelink.table.cosmos.azure.com privatelink.tip1.powerquery.microsoft.com privatelink.token.botframework.com privatelink.vaultcore.azure.net privatelink.web.core.windows.net privatelink.webpubsub.azure.com` ### parPrivateDnsZoneAutoMergeAzureBackupZone @@ -216,6 +235,12 @@ Set Parameter to false to skip the addition of a Private DNS Zone for Azure Back Resource ID of VNet for Private DNS Zone VNet Links +### parVirtualNetworkIdToLinkFailover + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Resource ID of Failover VNet for Private DNS Zone VNet Failover Links + ### parTags ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) @@ -241,6 +266,7 @@ outVirtualHubId | array | outDdosPlanResourceId | string | outPrivateDnsZones | array | outPrivateDnsZonesNames | array | +outAzFwPrivateIps | array | ## Snippets 
@@ -263,12 +289,18 @@ outPrivateDnsZonesNames | array | "parAzFirewallTier": { "value": "Standard" }, + "parAzFirewallIntelMode": { + "value": "Alert" + }, "parVirtualHubEnabled": { "value": true }, "parAzFirewallDnsProxyEnabled": { "value": true }, + "parAzFirewallDnsServers": { + "value": [] + }, "parVirtualWanName": { "value": "[format('{0}-vwan-{1}', parameters('parCompanyPrefix'), parameters('parLocation'))]" }, @@ -338,6 +370,7 @@ outPrivateDnsZonesNames | array | "privatelink.azurecr.io", "privatelink.azure-devices.net", "privatelink.azure-devices-provisioning.net", + "privatelink.azuredatabricks.net", "privatelink.azurehdinsight.net", "privatelink.azurehealthcareapis.com", "privatelink.azurestaticapps.net", @@ -398,6 +431,9 @@ outPrivateDnsZonesNames | array | "parVirtualNetworkIdToLink": { "value": "" }, + "parVirtualNetworkIdToLinkFailover": { + "value": "" + }, "parTags": { "value": {} }, diff --git a/dependencies/infra-as-code/bicep/modules/vwanConnectivity/parameters/mc-vwanConnectivity.parameters.all.json b/dependencies/infra-as-code/bicep/modules/vwanConnectivity/parameters/mc-vwanConnectivity.parameters.all.json index 72c6d09..d61076f 100644 --- a/dependencies/infra-as-code/bicep/modules/vwanConnectivity/parameters/mc-vwanConnectivity.parameters.all.json +++ b/dependencies/infra-as-code/bicep/modules/vwanConnectivity/parameters/mc-vwanConnectivity.parameters.all.json @@ -11,12 +11,18 @@ "parAzFirewallTier": { "value": "Standard" }, + "parAzFirewallIntelMode": { + "value": "Alert" + }, "parVirtualHubEnabled": { "value": true }, "parAzFirewallDnsProxyEnabled": { "value": true }, + "parAzFirewallDnsServers": { + "value": [] + }, "parVirtualWanName": { "value": "alz-vwan-chinaeast2" }, diff --git a/dependencies/infra-as-code/bicep/modules/vwanConnectivity/parameters/mc-vwanConnectivity.parameters.min.json b/dependencies/infra-as-code/bicep/modules/vwanConnectivity/parameters/mc-vwanConnectivity.parameters.min.json index bfb7101..653ed1b 100644 
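Review bot: The Mooncake mc-vwanConnectivity.parameters.all.json hunk gains `parAzFirewallIntelMode` and `parAzFirewallDnsServers` but not `parVirtualNetworkIdToLinkFailover`, which the public vwanConnectivity.parameters.all.json receives in the same commit. If the "all" files are meant to enumerate every module parameter, the two are now out of step; the bicep default of an empty string means nothing breaks, only the file is incomplete. An explicit `"parVirtualNetworkIdToLinkFailover": { "value": "" },` next to the other new entries would keep the two parameter files parallel.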
--- a/dependencies/infra-as-code/bicep/modules/vwanConnectivity/parameters/mc-vwanConnectivity.parameters.min.json
+++ b/dependencies/infra-as-code/bicep/modules/vwanConnectivity/parameters/mc-vwanConnectivity.parameters.min.json
@@ -11,6 +11,9 @@
     "parAzFirewallTier": {
       "value": "Standard"
     },
+    "parAzFirewallIntelMode": {
+      "value": "Alert"
+    },
     "parVirtualHubEnabled": {
       "value": true
     },
diff --git a/dependencies/infra-as-code/bicep/modules/vwanConnectivity/parameters/vwanConnectivity.parameters.all.json b/dependencies/infra-as-code/bicep/modules/vwanConnectivity/parameters/vwanConnectivity.parameters.all.json
index d776c3a..34c8261 100644
--- a/dependencies/infra-as-code/bicep/modules/vwanConnectivity/parameters/vwanConnectivity.parameters.all.json
+++ b/dependencies/infra-as-code/bicep/modules/vwanConnectivity/parameters/vwanConnectivity.parameters.all.json
@@ -11,12 +11,18 @@
     "parAzFirewallTier": {
       "value": "Standard"
     },
+    "parAzFirewallIntelMode": {
+      "value": "Alert"
+    },
     "parVirtualHubEnabled": {
       "value": true
     },
     "parAzFirewallDnsProxyEnabled": {
       "value": true
     },
+    "parAzFirewallDnsServers": {
+      "value": []
+    },
     "parVirtualWanName": {
       "value": "alz-vwan-eastus"
     },
@@ -84,6 +90,7 @@
         "privatelink.azurecr.io",
         "privatelink.azure-devices.net",
         "privatelink.azure-devices-provisioning.net",
+        "privatelink.azuredatabricks.net",
         "privatelink.azurehdinsight.net",
         "privatelink.azurehealthcareapis.com",
         "privatelink.azurestaticapps.net",
@@ -149,6 +156,9 @@
         "Environment": "Live"
       }
     },
+    "parVirtualNetworkIdToLinkFailover": {
+      "value": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/HUB_Networking_POC/providers/Microsoft.Network/virtualNetworks/alz-hub-eastus-failover"
+    },
     "parTelemetryOptOut": {
       "value": false
     }
diff --git a/dependencies/infra-as-code/bicep/modules/vwanConnectivity/parameters/vwanConnectivity.parameters.min.json b/dependencies/infra-as-code/bicep/modules/vwanConnectivity/parameters/vwanConnectivity.parameters.min.json
index bdfe034..a9ee9ea 100644
--- a/dependencies/infra-as-code/bicep/modules/vwanConnectivity/parameters/vwanConnectivity.parameters.min.json
+++ b/dependencies/infra-as-code/bicep/modules/vwanConnectivity/parameters/vwanConnectivity.parameters.min.json
@@ -8,6 +8,9 @@
     "parAzFirewallTier": {
       "value": "Standard"
     },
+    "parAzFirewallIntelMode": {
+      "value": "Alert"
+    },
     "parVirtualHubEnabled": {
       "value": true
     },
diff --git a/dependencies/infra-as-code/bicep/modules/vwanConnectivity/samples/baseline.sample.bicep b/dependencies/infra-as-code/bicep/modules/vwanConnectivity/samples/baseline.sample.bicep
index ebff7ad..1b7bfb3 100644
--- a/dependencies/infra-as-code/bicep/modules/vwanConnectivity/samples/baseline.sample.bicep
+++ b/dependencies/infra-as-code/bicep/modules/vwanConnectivity/samples/baseline.sample.bicep
@@ -21,17 +21,18 @@ module minimum_vwan_conn '../vwanConnectivity.bicep' = { params: { parLocation: parLocation parAzFirewallTier: 'Standard' + parAzFirewallIntelMode: 'Alert' parVirtualHubEnabled: true - parVirtualWanHubs:[{ - parVpnGatewayEnabled: true - parExpressRouteGatewayEnabled: true - parAzFirewallEnabled: true - parVirtualHubAddressPrefix: '10.100.0.0/23' - parHubLocation: 'centralus' - parhubRoutingPreference: 'ExpressRoute' //allowed values are 'ASN','VpnGateway','ExpressRoute' - parvirtualRouterAutoScaleConfiguration: 2 //minimum capacity should be between 2 to 50 - parVirtualHubRoutingIntentDestinations: [] - }] + parVirtualWanHubs: [ { + parVpnGatewayEnabled: true + parExpressRouteGatewayEnabled: true + parAzFirewallEnabled: true + parVirtualHubAddressPrefix: '10.100.0.0/23' + parHubLocation: 'centralus' + parhubRoutingPreference: 'ExpressRoute' //allowed values are 'ASN','VpnGateway','ExpressRoute' + parvirtualRouterAutoScaleConfiguration: 2 //minimum capacity should be between 2 to 50 + parVirtualHubRoutingIntentDestinations: [] + } ] parAzFirewallDnsProxyEnabled: true parVirtualWanName: '${parCompanyPrefix}-vwan-${parLocation}' parVirtualWanHubName: '${parCompanyPrefix}-vhub' @@ -71,6 +72,7 @@ module minimum_vwan_conn '../vwanConnectivity.bicep' = { 'privatelink.azurecr.io' 'privatelink.azure-devices.net' 'privatelink.azure-devices-provisioning.net' + 'privatelink.azuredatabricks.net' 'privatelink.azurehdinsight.net' 'privatelink.azurehealthcareapis.com' 'privatelink.azurestaticapps.net' diff --git a/dependencies/infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep b/dependencies/infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep index 6ef9360..84e683c 100644 --- a/dependencies/infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep +++ b/dependencies/infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep 
@@ -15,12 +15,23 @@ param parCompanyPrefix string = 'alz'
 ])
 param parAzFirewallTier string = 'Standard'
 
+@sys.description('The Azure Firewall Threat Intelligence Mode. If not set, the default value is Alert.')
+@allowed([
+  'Alert'
+  'Deny'
+  'Off'
+])
+param parAzFirewallIntelMode string = 'Alert'
+
 @sys.description('Switch to enable/disable Virtual Hub deployment.')
 param parVirtualHubEnabled bool = true
 
 @sys.description('Switch to enable/disable Azure Firewall DNS Proxy.')
 param parAzFirewallDnsProxyEnabled bool = true
 
+@sys.description('Array of custom DNS servers used by Azure Firewall')
+param parAzFirewallDnsServers array = []
+
 @sys.description('Prefix Used for Virtual WAN.')
 param parVirtualWanName string = '${parCompanyPrefix}-vwan-${parLocation}'
 
@@ -105,6 +116,7 @@ param parPrivateDnsZones array = [
   'privatelink.azurecr.io'
   'privatelink.azure-devices.net'
   'privatelink.azure-devices-provisioning.net'
+  'privatelink.azuredatabricks.net'
   'privatelink.azurehdinsight.net'
   'privatelink.azurehealthcareapis.com'
   'privatelink.azurestaticapps.net'
@@ -165,6 +177,9 @@ param parPrivateDnsZoneAutoMergeAzureBackupZone bool = true
 @sys.description('Resource ID of VNet for Private DNS Zone VNet Links')
 param parVirtualNetworkIdToLink string = ''
 
+@sys.description('Resource ID of Failover VNet for Private DNS Zone VNet Failover Links')
+param parVirtualNetworkIdToLinkFailover string = ''
+
 @sys.description('Tags you would like to be applied to all resources in this module.')
 param parTags object = {}
 
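Review bot: The `@sys.description` for `parAzFirewallIntelMode` does not tell the caller what the three allowed values mean, and `'Off'` in particular turns threat-intelligence filtering off entirely, which a parameter file author should see spelled out before choosing it. Suggested text: `@sys.description('Azure Firewall Threat Intelligence mode: Alert (log matches only), Deny (log and block), or Off (threat-intelligence filtering disabled). Defaults to Alert.')`. For `parAzFirewallDnsServers`, the description lacks the element type and the trailing period the surrounding descriptions use; `@sys.description('Array of custom DNS server IP addresses used by Azure Firewall. Leave empty to use Azure-provided DNS.')` would match the file's style.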
@@ -178,6 +193,9 @@ var varCuaid = '7f94f23b-7a59-4a5c-9a8d-2a253a566f61'
 var varZtnP1CuaId = '3ab23b1e-c5c5-42d4-b163-1402384ba2db'
 var varZtnP1Trigger = (parDdosEnabled && !(contains(map(parVirtualWanHubs, hub => hub.parAzFirewallEnabled), false)) && (parAzFirewallTier == 'Premium')) ? true : false
 
+// Azure Firewalls in Hubs
+var varAzureFirewallInHubs = filter(parVirtualWanHubs, hub => hub.parAzFirewallEnabled == true)
+
 // Virtual WAN resource
 resource resVwan 'Microsoft.Network/virtualWans@2023-04-01' = {
   name: parVirtualWanName
@@ -286,13 +304,16 @@ resource resFirewallPolicies 'Microsoft.Network/firewallPolicies@2023-02-01' = i
     sku: {
       tier: parAzFirewallTier
     }
+    threatIntelMode: 'Alert'
   } : {
     dnsSettings: {
       enableProxy: parAzFirewallDnsProxyEnabled
+      servers: parAzFirewallDnsServers
     }
     sku: {
       tier: parAzFirewallTier
     }
+    threatIntelMode: parAzFirewallIntelMode
   }
 }
 
@@ -337,6 +358,7 @@ module modPrivateDnsZones '../privateDnsZones/privateDnsZones.bicep' = if (parPr
     parPrivateDnsZones: parPrivateDnsZones
     parPrivateDnsZoneAutoMergeAzureBackupZone: parPrivateDnsZoneAutoMergeAzureBackupZone
     parVirtualNetworkIdToLink: parVirtualNetworkIdToLink
+    parVirtualNetworkIdToLinkFailover: parVirtualNetworkIdToLinkFailover
   }
 }
 
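Review bot: In the resFirewallPolicies hunk the new `parAzFirewallIntelMode` and `parAzFirewallDnsServers` are wired only into the second branch of the conditional `properties` object; the first branch hard-codes `threatIntelMode: 'Alert'` and carries no `servers`, so for whichever condition selects that branch a caller passing `'Deny'` or custom DNS servers gets a silently different policy than the parameter promises. The condition and the resource header are outside the hunk, so I cannot tell from here which tier or switch picks the first branch. Unless that branch deliberately excludes these settings, use `threatIntelMode: parAzFirewallIntelMode` in both places, and if the exclusion is intentional add a comment on the hard-coded line saying why, e.g. `// threatIntelMode fixed to Alert here because <reason>`.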
@@ -364,9 +386,15 @@ output outVirtualHubName array = [for (hub, i) in parVirtualWanHubs: {
 output outVirtualHubId array = [for (hub, i) in parVirtualWanHubs: {
   virtualhubid: resVhub[i].id
 }]
+
 // Output DDoS Plan ID
 output outDdosPlanResourceId string = resDdosProtectionPlan.id
 
 // Output Private DNS Zones
 output outPrivateDnsZones array = (parPrivateDnsZonesEnabled ? modPrivateDnsZones.outputs.outPrivateDnsZones : [])
 output outPrivateDnsZonesNames array = (parPrivateDnsZonesEnabled ? modPrivateDnsZones.outputs.outPrivateDnsZonesNames : [])
+
+// Output Azure Firewall Private IP's
+output outAzFwPrivateIps array = [for (hub, i) in varAzureFirewallInHubs: {
+  '${parVirtualWanHubName}-${hub.parHubLocation}': resAzureFirewall[i].properties.hubIPAddresses.privateIPAddress
+}]
diff --git a/dependencies/infra-as-code/bicep/orchestration/hubPeeredSpoke/generateddocs/hubPeeredSpoke.bicep.md b/dependencies/infra-as-code/bicep/orchestration/hubPeeredSpoke/generateddocs/hubPeeredSpoke.bicep.md
index 4d20b5a..cde35c4 100644
--- a/dependencies/infra-as-code/bicep/orchestration/hubPeeredSpoke/generateddocs/hubPeeredSpoke.bicep.md
+++ b/dependencies/infra-as-code/bicep/orchestration/hubPeeredSpoke/generateddocs/hubPeeredSpoke.bicep.md
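Review bot: `outAzFwPrivateIps` loops over `varAzureFirewallInHubs`, a filtered copy of `parVirtualWanHubs`, but uses that loop's index `i` to read `resAzureFirewall[i]`; if `resAzureFirewall` (declared outside this hunk) is a loop over the unfiltered `parVirtualWanHubs` with a per-hub firewall condition, the indices diverge as soon as a hub without a firewall precedes one with a firewall, and the output either names one hub with another hub's firewall IP or references a resource that was not deployed. Iterating the original array and skipping non-firewall hubs keeps the indices aligned, e.g. `output outAzFwPrivateIps array = filter([for (hub, i) in parVirtualWanHubs: hub.parAzFirewallEnabled ? { '${parVirtualWanHubName}-${hub.parHubLocation}': resAzureFirewall[i].properties.hubIPAddresses.privateIPAddress } : {}], entry => !empty(entry))`. Note also that the key `'${parVirtualWanHubName}-${hub.parHubLocation}'` collides when two hubs share a location; including `i` in the key would make entries unambiguous.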
@@ -7,7 +7,7 @@ Orchestration module used to create and configure a spoke network to deliver the Parameter name | Required | Description -------------- | -------- | ----------- parLocation | No | The region to deploy all resources into. -parTopLevelManagementGroupPrefix | No | Prefix for the management group hierarchy. +parTopLevelManagementGroupPrefix | No | Prefix used for the management group hierarchy. parTopLevelManagementGroupSuffix | No | Optional suffix for the management group hierarchy. This suffix will be appended to management group names/IDs. Include a preceding dash if required. Example: -suffix parPeeredVnetSubscriptionId | No | Subscription Id to the Virtual Network Hub object. Default: Empty String parTags | No | Array of Tags to be applied to all resources in module. Default: Empty Object @@ -41,7 +41,7 @@ The region to deploy all resources into. ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -Prefix for the management group hierarchy. +Prefix used for the management group hierarchy. - Default value: `alz` diff --git a/dependencies/infra-as-code/bicep/orchestration/hubPeeredSpoke/hubPeeredSpoke.bicep b/dependencies/infra-as-code/bicep/orchestration/hubPeeredSpoke/hubPeeredSpoke.bicep index 5b5fbad..e59e337 100644 --- a/dependencies/infra-as-code/bicep/orchestration/hubPeeredSpoke/hubPeeredSpoke.bicep +++ b/dependencies/infra-as-code/bicep/orchestration/hubPeeredSpoke/hubPeeredSpoke.bicep @@ -8,7 +8,7 @@ metadata description = 'Orchestration module used to create and configure a spok @sys.description('The region to deploy all resources into.') param parLocation string = deployment().location -@sys.description('Prefix for the management group hierarchy.') +@sys.description('Prefix used for the management group hierarchy.') @minLength(2) @maxLength(10) param parTopLevelManagementGroupPrefix string = 'alz' 
diff --git a/dependencies/infra-as-code/bicep/orchestration/mgDiagSettingsAll/generateddocs/mgDiagSettingsAll.bicep.md b/dependencies/infra-as-code/bicep/orchestration/mgDiagSettingsAll/generateddocs/mgDiagSettingsAll.bicep.md index a0a5bd9..c079b87 100644 --- a/dependencies/infra-as-code/bicep/orchestration/mgDiagSettingsAll/generateddocs/mgDiagSettingsAll.bicep.md +++ b/dependencies/infra-as-code/bicep/orchestration/mgDiagSettingsAll/generateddocs/mgDiagSettingsAll.bicep.md @@ -6,7 +6,7 @@ Orchestration module that helps enable Diagnostic Settings on the Management Gro Parameter name | Required | Description -------------- | -------- | ----------- -parTopLevelManagementGroupPrefix | No | Prefix used for the management group hierarchy in the managementGroups module. +parTopLevelManagementGroupPrefix | No | Prefix used for the management group hierarchy. parTopLevelManagementGroupSuffix | No | Optional suffix for the management group hierarchy. This suffix will be appended to management group names/IDs. Include a preceding dash if required. Example: -suffix parLandingZoneMgChildren | No | Array of strings to allow additional or different child Management Groups of the Landing Zones Management Group. parPlatformMgChildren | No | Array of strings to allow additional or different child Management Groups of the Platform Management Group. @@ -20,7 +20,7 @@ parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment t ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -Prefix used for the management group hierarchy in the managementGroups module. +Prefix used for the management group hierarchy. - Default value: `alz` diff --git a/dependencies/infra-as-code/bicep/orchestration/mgDiagSettingsAll/mgDiagSettingsAll.bicep b/dependencies/infra-as-code/bicep/orchestration/mgDiagSettingsAll/mgDiagSettingsAll.bicep index 7c8e8e3..efdaecb 100644 
--- a/dependencies/infra-as-code/bicep/orchestration/mgDiagSettingsAll/mgDiagSettingsAll.bicep +++ b/dependencies/infra-as-code/bicep/orchestration/mgDiagSettingsAll/mgDiagSettingsAll.bicep @@ -3,7 +3,7 @@ targetScope = 'managementGroup' metadata name = 'ALZ Bicep orchestration - Management Group Diagnostic Settings - ALL' metadata description = 'Orchestration module that helps enable Diagnostic Settings on the Management Group hierarchy as was defined during the deployment of the Management Group module' -@sys.description('Prefix used for the management group hierarchy in the managementGroups module.') +@sys.description('Prefix used for the management group hierarchy.') @minLength(2) @maxLength(10) param parTopLevelManagementGroupPrefix string = 'alz' diff --git a/dependencies/infra-as-code/bicep/orchestration/subPlacementAll/generateddocs/subPlacementAll.bicep.md b/dependencies/infra-as-code/bicep/orchestration/subPlacementAll/generateddocs/subPlacementAll.bicep.md index 35d2c95..9040b0a 100644 --- a/dependencies/infra-as-code/bicep/orchestration/subPlacementAll/generateddocs/subPlacementAll.bicep.md +++ b/dependencies/infra-as-code/bicep/orchestration/subPlacementAll/generateddocs/subPlacementAll.bicep.md 
@@ -6,7 +6,7 @@ Orchestration module that helps to define where all Subscriptions should be plac Parameter name | Required | Description -------------- | -------- | ----------- -parTopLevelManagementGroupPrefix | No | Prefix for the management group hierarchy. This management group will be created as part of the deployment. +parTopLevelManagementGroupPrefix | No | Prefix used for the management group hierarchy. parTopLevelManagementGroupSuffix | No | Optional suffix for the management group hierarchy. This suffix will be appended to management group names/IDs. Include a preceding dash if required. Example: -suffix parIntRootMgSubs | No | An array of Subscription IDs to place in the Intermediate Root Management Group. Default: Empty Array parPlatformMgSubs | No | An array of Subscription IDs to place in the Platform Management Group. Default: Empty Array @@ -28,7 +28,7 @@ parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment t ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -Prefix for the management group hierarchy. This management group will be created as part of the deployment. +Prefix used for the management group hierarchy. - Default value: `alz` diff --git a/dependencies/infra-as-code/bicep/orchestration/subPlacementAll/subPlacementAll.bicep b/dependencies/infra-as-code/bicep/orchestration/subPlacementAll/subPlacementAll.bicep index 63b755d..3b81830 100644 --- a/dependencies/infra-as-code/bicep/orchestration/subPlacementAll/subPlacementAll.bicep +++ b/dependencies/infra-as-code/bicep/orchestration/subPlacementAll/subPlacementAll.bicep 
@@ -3,7 +3,7 @@ targetScope = 'managementGroup' metadata name = 'ALZ Bicep orchestration - Subscription Placement - ALL' metadata description = 'Orchestration module that helps to define where all Subscriptions should be placed in the ALZ Management Group Hierarchy' -@sys.description('Prefix for the management group hierarchy. This management group will be created as part of the deployment.') +@sys.description('Prefix used for the management group hierarchy.') @minLength(2) @maxLength(10) param parTopLevelManagementGroupPrefix string = 'alz' diff --git a/docs/01-Overview.md b/docs/01-Overview.md index 7f231be..e329fff 100644 --- a/docs/01-Overview.md +++ b/docs/01-Overview.md 
@@ -1,27 +1,27 @@ -# Understanding the Sovereign Landing Zone (SLZ) Preview +# Understanding the Sovereign Landing Zone (SLZ) -## The Sovereign Landing Zone (SLZ) Preview +## The Sovereign Landing Zone (SLZ) -The [Sovereign Landing Zone Preview](https://learn.microsoft.com/industry/sovereignty/slz-overview) is a [Microsoft Cloud for Sovereignty](https://learn.microsoft.com/industry/sovereignty/) offering that is an opinionated variant of the [Azure Landing Zone](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/), which provides an enterprise scale cloud infrastructure designed to help an organization meet their sovereignty requirements such as those related to operational control of data at rest, in transit, and in use. +The [Sovereign Landing Zone](https://learn.microsoft.com/industry/sovereignty/slz-overview) is a [Microsoft Cloud for Sovereignty](https://microsoft.com/sovereignty) offering that is an opinionated variant of the [Azure Landing Zone](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/), which provides an enterprise scale cloud infrastructure designed to help an organization meet their sovereignty requirements such as those related to operational control of data at rest, in transit, and in use. -With the SLZ Preview a customer can create a cloud architecture that provides controls for service location management, [customer managed keys](https://learn.microsoft.com/azure/security/fundamentals/key-management) and [confidential computing](https://learn.microsoft.com/azure/confidential-computing/overview-azure-products) as core components of the architecture. This enterprise scale cloud architecture bundled with policies and compliance reporting enables customers to create a platform for the secure and sovereign deployment of their workloads. 
+With the SLZ a customer can create a cloud architecture that provides controls for service location management, [customer managed keys](https://learn.microsoft.com/azure/security/fundamentals/key-management) and [confidential computing](https://learn.microsoft.com/azure/confidential-computing/overview-azure-products) as core components of the architecture. This enterprise scale cloud architecture bundled with policies and compliance reporting enables customers to create a platform for the secure and sovereign deployment of their workloads. -## Differences between the Sovereign Landing Zone Preview and an Azure Landing Zone +## Differences between the Sovereign Landing Zone and an Azure Landing Zone -The SLZ Preview comes with the [Sovereignty Policy Baseline](scenarios/Sovereignty-Policy-Baseline.md) built-in and enables other policy sets such as the [ALZ Policies](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies) to be deployed within the SLZ Preview and policy sets that support control frameworks such as [NIST 800-171 rev2](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-171-r2) and [Microsoft Cloud Security Benchmark](https://learn.microsoft.com/security/benchmark/azure/overview) to be layered on top of the SLZ Preview. With the Sovereignty Policy Baseline a customer can enforce the use of confidential computing and key management resources for appropriately implemented workloads to be deployed into confidential management groups allowing workload data to be protected at rest, in transit, and while in use thereby supporting an organization in achieving their data sovereignty goals. 
+The SLZ comes with the [Sovereignty Baseline policy initiatives](scenarios/Sovereignty-Baseline-Policy-Initiatives.md) built-in and enables other policy sets such as the [ALZ Policies](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies) to be deployed within the SLZ and policy sets that support control frameworks such as [NIST 800-171 rev2](https://learn.microsoft.com/azure/governance/policy/samples/nist-sp-800-171-r2) and [Microsoft Cloud Security Benchmark](https://learn.microsoft.com/security/benchmark/azure/overview) to be layered on top of the SLZ. With the Sovereignty Baseline policy initiatives a customer can enforce the use of confidential computing and key management resources for appropriately implemented workloads to be deployed into confidential management groups allowing workload data to be protected at rest, in transit, and while in use thereby supporting an organization in achieving their data sovereignty goals. -The SLZ Preview provides this through custom orchestration permitting an entire landing zone to be configured from a singular parameter file and deployed with a single command allowing organizations to quickly test out the SLZ Preview. +The SLZ provides this through custom orchestration permitting an entire landing zone to be configured from a singular parameter file and deployed with a single command allowing organizations to quickly test out the SLZ. -## Benefits of using Sovereign Landing Zone (SLZ) Preview +## Benefits of using Sovereign Landing Zone (SLZ) -Securing government workloads in a public cloud is challenging. The SLZ Preview automates the creation of a cloud environment where security and data sovereignty controls can be enforced by policies. The entire deployment is automated so that it can be integrated into existing pipelines as part of a mature DevSecOps ecosystem. +Securing government workloads in a public cloud is challenging. 
The SLZ automates the creation of a cloud environment where security and data sovereignty controls can be enforced by policies. The entire deployment is automated so that it can be integrated into existing pipelines as part of a mature DevSecOps ecosystem. ## Conclusion -If you need the scale and flexibility of the public cloud combined with the peace of mind of knowing that data is encrypted at rest, in transit, and while in use, then you can benefit from the SLZ Preview. View our [common scenarios](scenarios/README.md) for more details about how to use the SLZ Preview or follow the next steps to get started. +If you need the scale and flexibility of the public cloud combined with the peace of mind of knowing that data is encrypted at rest, in transit, and while in use, then you can benefit from the SLZ. View our [common scenarios](scenarios/README.md) for more details about how to use the SLZ or follow the next steps to get started. ## Next step -[Architecture of the Sovereign Landing Zone Preview.](02-Architecture.md) +[Architecture of the Sovereign Landing Zone.](02-Architecture.md) -### [Preview Notice](./PREVIEW.md) +### [Microsoft Legal Notice](./NOTICE.md) diff --git a/docs/02-Architecture.md b/docs/02-Architecture.md index e4a155e..8a5ca61 100644 --- a/docs/02-Architecture.md +++ b/docs/02-Architecture.md 
@@ -1,10 +1,10 @@ -# Architecture of the Sovereign Landing Zone (SLZ) Preview +# Architecture of the Sovereign Landing Zone (SLZ) ## Overview -The SLZ Preview architecture is derived from the Azure Landing Zone architecture. For detailed information about the Azure Landing Zone please visit [here.](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/) +The SLZ architecture is derived from the Azure Landing Zone architecture. For detailed information about the Azure Landing Zone please visit [here.](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/) -The SLZ Preview is composed of a management group hierarchy along with common platform resources to facilitate networking, logging, and managed service identities. Application workloads can be deployed into a SLZ Preview environment in 1 of the 4 default landing zones: +The SLZ is composed of a management group hierarchy along with common platform resources to facilitate networking, logging, and managed service identities. Application workloads can be deployed into a SLZ environment in 1 of the 4 default landing zones: - **Corp** - Non-internet facing, non-confidential workloads - **Online** - Internet facing, non-confidential workloads 
@@ -13,12 +13,12 @@ The SLZ Preview is composed of a management group hierarchy along with common pl The assigned policies in each of the landing zones are designed to support the behavior and connectivity profiles of the workloads deployed. Organizations can [create new management groups](scenarios/Expanding-SLZ-ManagementGroups.md) and further customize the assigned policies as is necessary. -The SLZ Preview deploys under the [tenant root group](https://learn.microsoft.com/azure/governance/management-groups/overview#root-management-group-for-each-directory) in Azure, so it can support brownfield deployments, greenfield deployments, and multiple SLZ Preview deployments within the same tenant based on customer need. The SLZ Preview can also be deployed to an arbitrary [child management group](scenarios/Piloting-SLZ.md), which is better suited for conducting a proof-of-concept. +The SLZ deploys under the [tenant root group](https://learn.microsoft.com/azure/governance/management-groups/overview#root-management-group-for-each-directory) in Azure, so it can support brownfield deployments, greenfield deployments, and multiple SLZ deployments within the same tenant based on customer need. The SLZ can also be deployed to an arbitrary [child management group](scenarios/Piloting-SLZ.md), which is better suited for conducting a proof-of-concept. ![SLZ Initial Architecture Diagram](images/slz-initial-architecture.png) ## Next Step -[Overview of the Sovereign Landing Zone Preview deployment](03-Deployment-Overview.md) +[Overview of the Sovereign Landing Zone deployment](03-Deployment-Overview.md) -### [Preview Notice](./PREVIEW.md) +### [Legal Notice](./NOTICE.md) diff --git a/docs/03-Deployment-Overview.md b/docs/03-Deployment-Overview.md index 0ccd0b6..b0f77d3 100644 --- a/docs/03-Deployment-Overview.md +++ b/docs/03-Deployment-Overview.md 
@@ -1,21 +1,21 @@ -# Key Components of the Sovereign Landing Zone Preview Deployment +# Key Components of the Sovereign Landing Zone Deployment ## Components -The Sovereign Landing Zone Preview consists of several components that are deployed as part of a full deployment. Each of the components are described below: +The Sovereign Landing Zone consists of several components that are deployed as part of a full deployment. Each of the components are described below: -1. **Bootstrap**: Sets up the management group hierarchy and creates the subscriptions as dictated by the architecture of the SLZ Preview. These are deployed under the tenant root group of the Azure customer tenant by default, although they can also be deployed under any [child management group](scenarios/Piloting-SLZ.md). +1. **Bootstrap**: Sets up the management group hierarchy and creates the subscriptions as dictated by the architecture of the SLZ. These are deployed under the tenant root group of the Azure customer tenant by default, although they can also be deployed under any [child management group](scenarios/Piloting-SLZ.md). -2. **Platform**: Sets up the hub network and logging resources used by the SLZ Preview platform and workloads. +2. **Platform**: Sets up the hub network and logging resources used by the SLZ platform and workloads. -3. **Compliance**: Creates definitions and assigns the [default policy sets](scenarios/Sovereignty-Policy-Baseline.md) and provided custom policies to be enforced in the environment. For information on how to provide custom policies to the SLZ Preview read [here.](09-Customize-Policies.md) +3. **Compliance**: Creates definitions and assigns the [default policy sets](scenarios/Sovereignty-Baseline-Policy-Initiatives.md) and provided custom policies to be enforced in the environment. For information on how to provide custom policies to the SLZ read [here.](09-Customize-Policies.md) 4. 
**Dashboard**: Provides customers with a visual representation of their Azure policy compliance. For additional information about the dashboard please read [here.](10-Compliance-Dashboard.md) -Once the deployment is complete, the customer will have the Sovereign Landing Zone Preview setup for their use, with a base set of policies applied. Customers can then begin to migrate workloads and apply additional policies as necessary. For more information about how these deployment steps can be ran individually or how a deployment can be automated, checkout the [SLZ Preview Pipeline Deployments](scenarios/Pipeline-Deployments.md) doc. +Once the deployment is complete, the customer will have the Sovereign Landing Zone setup for their use, with a base set of policies applied. Customers can then begin to migrate workloads and apply additional policies as necessary. For more information about how these deployment steps can be ran individually or how a deployment can be automated, checkout the [SLZ Pipeline Deployments](scenarios/Pipeline-Deployments.md) doc. ## Next step [Getting started with the GitHub Repository](04-Repository-Setup.md) -### [Preview Notice](./PREVIEW.md) +### [Microsoft Legal Notice](./NOTICE.md) diff --git a/docs/04-Repository-Setup.md b/docs/04-Repository-Setup.md index 560cde1..1fb0905 100644 --- a/docs/04-Repository-Setup.md +++ b/docs/04-Repository-Setup.md @@ -1,6 +1,6 @@ -# Set up the Sovereign Landing Zone Preview Repository +# Set up the Sovereign Landing Zone Repository -Below are some options for setting up the [SLZ Preview GitHub repository](https://github.com/Azure/sovereign-landing-zone) for your use. We recommend that you use the process that is best suited for your organization. +Below are some options for setting up the [SLZ GitHub repository](https://github.com/Azure/sovereign-landing-zone) for your use. We recommend that you use the process that is best suited for your organization. ## Download the GitHub Repository 
@@ -14,7 +14,7 @@ git clone https://github.com/Azure/sovereign-landing-zone #### Fork Repository ![Fork Repository screenshot](images/fork-github-repo.png) -The version of the SLZ Preview being used can be determined from the [git tag](https://git-scm.com/docs/git-tag) or the [release version](https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases) the clone or fork was made from. +The version of the SLZ being used can be determined from the [git tag](https://git-scm.com/docs/git-tag) or the [release version](https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases) the clone or fork was made from. ### Option 2 @@ -22,10 +22,10 @@ If you do not plan on contributing or do not intend to receive updates, you can ![Screenshot of .zip download](images/download-github-repo.png) -The version of the SLZ Preview being used can be determined from the [release version](https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases) the zip file was downloaded from. The version number will be in the file name of the zip file. +The version of the SLZ being used can be determined from the [release version](https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases) the zip file was downloaded from. The version number will be in the file name of the zip file. ## Next step [Confirm your Permissions and necessary tooling](05-Permissions-Tooling.md) -### [Preview Notice](./PREVIEW.md) +### [Microsoft Legal Notice](./NOTICE.md) diff --git a/docs/05-Permissions-Tooling.md b/docs/05-Permissions-Tooling.md index 17c6d86..35b926c 100644 --- a/docs/05-Permissions-Tooling.md +++ b/docs/05-Permissions-Tooling.md 
@@ -1,26 +1,26 @@ # Permissions and Tooling -This article will walk through the required Azure permissions, setting up local tooling, and the validation steps needed for a successful deployment of the Sovereign Landing Zone Preview. +This article will walk through the required Azure permissions, setting up local tooling, and the validation steps needed for a successful deployment of the Sovereign Landing Zone. ## Permissions -The account or service principal used to deploy the SLZ Preview must have both of the following: +The account or service principal used to deploy the SLZ must have both of the following: 1. Ability to create subscriptions programmatically * The [Create Azure subscriptions programmatically](https://learn.microsoft.com/azure/cost-management-billing/manage/programmatically-create-subscription) documentation describes the types of Azure agreements that have REST APIs that will enable automatic subscription creation. * This document also provides links to the permissions required each Azure agreement type. The agreement type can be found in the [Cost Management + Billing](https://learn.microsoft.com/azure/cost-management-billing/manage/view-all-accounts#check-the-type-of-your-account) blade in the portal. - * Other types of Azure agreements will require using your normal subscription creation process that may be manual. More details can be found in our [additional setup steps](scenarios/Using-Existing-Subscriptions.md) doc. + * Bring-Your-Own subscriptions options could be most suitable for other types of Azure agreements or internal processes that necessitate a manual subscription creation process be used. More details can be found in our [additional setup steps](scenarios/Using-Existing-Subscriptions.md) doc. 2. Azure permissions to create management groups, Azure resources, and manage policies. 
* For smaller organizations organizations or ones that are new to Azure, [Global Administrator](https://learn.microsoft.com/azure/active-directory/roles/permissions-reference#global-administrator) permissions with [elevated Azure permissions](https://learn.microsoft.com/azure/role-based-access-control/elevate-access-global-admin) will provide sufficient access. * These may not be reasonable permissions to have within many organizations. * Otherwise, the management group permissions will need to be either [Owner](https://learn.microsoft.com/azure/role-based-access-control/built-in-roles#owner), [Contributor](https://learn.microsoft.com/azure/role-based-access-control/built-in-roles#contributor), or [Management Group Contributor](https://learn.microsoft.com/azure/role-based-access-control/built-in-roles#management-group-contributor) at either the [Tenant Root Group](https://learn.microsoft.com/azure/governance/management-groups/overview#hierarchy-of-management-groups-and-subscriptions) or the child management group being deployed within. - * These broad permissions are necessary to deploy all types of Azure resources that the SLZ Preview will attempt to create. The general owner or contributor roles are recommended over using a set of resource specific owner or contributor roles because the SLZ preview deploys a wide spectrum of Azure resources. - * **Note** this is a very broad set of permissions and should be given to only the identities being used to deploy the SLZ Preview. These broad permissions are needed to fully deploy all resources within the SLZ Preview environment, but they should not be needed by operators and engineers working within a deployed SLZ Preview. Review our documentation around [Azure identity and access management](https://learn.microsoft.com/azure/security/fundamentals/identity-management-best-practices) for best practices. + * These broad permissions are necessary to deploy all types of Azure resources that the SLZ will attempt to create. 
The general owner or contributor roles are recommended over using a set of resource specific owner or contributor roles because the SLZ deploys a wide spectrum of Azure resources. + * **Note** this is a very broad set of permissions and should be given to only the identities being used to deploy the SLZ. These broad permissions are needed to fully deploy all resources within the SLZ environment, but they should not be needed by operators and engineers working within a deployed SLZ. Review the documentation around [Azure identity and access management](https://learn.microsoft.com/azure/security/fundamentals/identity-management-best-practices) for best practices. * And the policy management permissions will need to be either [Security Admin](https://learn.microsoft.com/azure/role-based-access-control/built-in-roles#security-admin) or [Resource Policy Contributor](https://learn.microsoft.com/azure/role-based-access-control/built-in-roles#resource-policy-contributor) if the above [Owner](https://learn.microsoft.com/azure/role-based-access-control/built-in-roles#owner) permission is not provided. ## Tooling (`Required`) -The following local tooling must be installed to deploy the SLZ Preview: +The following local tooling must be installed to deploy the SLZ: * PowerShell * At least version 7.0 * Azure CLI 
@@ -52,11 +52,11 @@ Most machines will require installing Azure Bicep. You may run into upgrade issu Azure PowerShell is a set of cmdlets for managing Azure resources directly from PowerShell. Azure PowerShell is designed to make it easy to learn and get started with, but provides powerful features for automation. You should use your organization's recommended installation and upgrade process for Azure PowerShell, or [download and upgrade](https://learn.microsoft.com/powershell/azure/install-azure-powershell?view=azps-10.4.1) it through Microsoft's recommended process. -Most machines will require upgrading PowerShell. +Most machines will require upgrading or installing the Azure PowerShell module. ## Validation -The [Confirm-SovereignLandingZonePrerequisites.ps1](../orchestration/scripts/Confirm-SovereignLandingZonePrerequisites.ps1) will validate that all the necessary prerequisites are in place to deploy the SLZ Preview including both Azure permissions and local tooling. +The [Confirm-SovereignLandingZonePrerequisites.ps1](../orchestration/scripts/Confirm-SovereignLandingZonePrerequisites.ps1) will validate that all the necessary prerequisites are in place to deploy the SLZ including both Azure permissions and local tooling. This script *will check the versions* of the required tooling and will recommend upgrades but the user must manually install or upgrade the required tooling. The script will provide the same links found on this page to install the tools that are missing or out of date. 
@@ -68,12 +68,14 @@ This script *will attempt to elevate your permissions* if required for a [tenant ```./Confirm-SovereignLandingZonePrerequisites.ps1 -parIsSLZDeployedAtTenantRoot $false``` -You may need to update the PowerShell [execution policy](https://learn.microsoft.com/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3) depending on your method of downloading the SLZ Preview. If the script runs successfully, then all prerequisites are met, and you may move to the next step. +You may need to update the PowerShell [execution policy](https://learn.microsoft.com/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3) depending on your method of downloading the SLZ. You should use your organization's recommended PowerShell execution policy settings, or work with your organization's security team to determine the appropriate [execution policy](https://learn.microsoft.com/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3) and [code signing](https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_signing?view=powershell-7.3) settings to use. + +If the script runs successfully, then all prerequisites are met, and you may move to the next step. ## Next step -**For new deployments**, proceed to [configure the parameters required for the SLZ Preview deployment](07-Deployment-Parameters.md). +**For new deployments** or to **update existing deployments**, proceed to [configure the parameters required for the SLZ deployment](07-Deployment-Parameters.md). 
-If you are an **existing SLZ Preview customer** and would like to upgrade to the latest version, please follow the instructions in [Upgrade Existing SLZ Preview.](06-Upgrade-Existing-SLZ-Preview.md) +If you are an **existing SLZ Preview customer** (most users will not be) and would like to upgrade to the latest version, please follow the instructions in [Upgrade Existing SLZ Preview.](06-Upgrade-Existing-SLZ-Preview.md) -### [Preview Notice](./PREVIEW.md) +### [Microsoft Legal Notice](./NOTICE.md) diff --git a/docs/06-Upgrade-Existing-SLZ-Preview.md b/docs/06-Upgrade-Existing-SLZ-Preview.md index f3b7493..1e72fd1 100644 --- a/docs/06-Upgrade-Existing-SLZ-Preview.md +++ b/docs/06-Upgrade-Existing-SLZ-Preview.md 
@@ -1,12 +1,12 @@ # Upgrading an existing Sovereign Landing Zone from Private Preview -**Note:** This document is intended for customers that have an existing SLZ Preview deployment from one of our Private Previews. If you are deploying the SLZ Preview for the first time or as part of the Public Preview, please go to [Deployment Parameters](07-Deployment-Parameters.md) to continue. +**Note:** This document is intended for customers that have an existing SLZ Preview deployment from one of our Private Previews. Most users will not have this, so if you are deploying the SLZ for the first time or upgrading from one of release versions, please go to [Deployment Parameters](07-Deployment-Parameters.md) to continue. -We are planning for all releases starting with Public Preview to have automatic upgrade steps that require no manual user interaction. However, please review each release note for more details. There are breaking changes introduced with Public Preview that prevent Private Preview upgrades. +We are planning for all future release versions to have automatic upgrade steps that require no manual user interaction. However, please review each release note for more details. There are breaking changes introduced with Public Preview that prevent Private Preview upgrades. ## Parameter File Changes -Several parameters were changed, renamed, removed, or added. We recommend using the template parameter file provided in the Public Preview repository and updating the values there with the ones that were being used in your Private Preview deployment based upon the guidance below. +Several parameters were changed, renamed, removed, or added. We recommend using the template parameter file provided in this repository and updating the values there with the ones that were being used in your Private Preview deployment based upon the guidance below. Any parameter that is not mentioned below can have its value copied over without modification. 
@@ -15,8 +15,8 @@ Any parameter that is not mentioned below can have its value copied over without | | Parameter Name | Status | Action | Notes | |----|----------------|--------|--------|-------| | 1 |parTopLevelManagementGroupSuffix|Renamed|Copy the value to the `parDeploymentSuffix` parameter.|This parameter is now called `parDeploymentSuffix` to better reflect its actual usage.| -| 2 |parBillingScopeAccountId|Combined|Record this parameter value and reference the new format in the [deployment parameter doc.](./07-Deployment-Parameters.md)|The parameter has been merged with `parEnrollmentAccountId` and is now called `parSubscriptionBillingScope` to allow for non-EA account types to deploy the SLZ Preview.| -| 3 |parEnrollmentAccountId|Combined|Record this parameter value and reference the new format in the [deployment parameter doc.](./07-Deployment-Parameters.md)|The parameter has been merged with `parBillingScopeAccountId` and is now called `parSubscriptionBillingScope` to allow for non-EA account types to deploy the SLZ Preview.| +| 2 |parBillingScopeAccountId|Combined|Record this parameter value and reference the new format in the [deployment parameter doc.](./07-Deployment-Parameters.md)|The parameter has been merged with `parEnrollmentAccountId` and is now called `parSubscriptionBillingScope` to allow for non-EA account types to deploy the SLZ.| +| 3 |parEnrollmentAccountId|Combined|Record this parameter value and reference the new format in the [deployment parameter doc.](./07-Deployment-Parameters.md)|The parameter has been merged with `parBillingScopeAccountId` and is now called `parSubscriptionBillingScope` to allow for non-EA account types to deploy the SLZ.| | 4 |parEnvironmentType|Removed|None|This parameter has been removed as it is not being used.| ### Parameters Added 
@@ -24,10 +24,10 @@ Any parameter that is not mentioned below can have its value copied over without | | Parameter Name | Status | Action | Notes | |----|----------------|--------|--------|-------| | 1 |parDeploymentSuffix|Renamed|Copy the value from `parTopLevelManagementGroupSuffix` parameter.|This parameter was called `parTopLevelManagementGroupSuffix` but it is used for more than the management group suffix.| -| 2 |parTopLevelManagementGroupParentId|Added|None, optional parameter.|This parameter enables SLZ Preview deployments outside the tenant root group level. [More details here.](./scenarios/Piloting-SLZ.md)| -| 3 |parSubscriptionBillingScope|Combined|Copy the `parBillingScopeAccountId` and `parEnrollmentAccountId` values into the new format.|This parameter is a combination of `parBillingScopeAccountId` and `parEnrollmentAccountId` to allow for non-EA account types to deploy the SLZ Preview. More details in the [deployment parameter doc.](./07-Deployment-Parameters.md)| +| 2 |parTopLevelManagementGroupParentId|Added|None, optional parameter.|This parameter enables SLZ deployments outside the tenant root group level. [More details here.](./scenarios/Piloting-SLZ.md)| +| 3 |parSubscriptionBillingScope|Combined|Copy the `parBillingScopeAccountId` and `parEnrollmentAccountId` values into the new format.|This parameter is a combination of `parBillingScopeAccountId` and `parEnrollmentAccountId` to allow for non-EA account types to deploy the SLZ. More details in the [deployment parameter doc.](./07-Deployment-Parameters.md)| | 4 |parCustomSubnets|Added|None, optional parameter.|This parameter allows for more subnets to be added to the hub network. More details in the [deployment parameter doc.](./07-Deployment-Parameters.md)| -| 5 |parPolicyEffect|Added|None, optional parameter.|This parameter allows changing the [Sovereignty Policy Baseline](./scenarios/Sovereignty-Policy-Baseline.md) assignment effect. 
More details in the [deployment parameter doc.](./07-Deployment-Parameters.md)| +| 5 |parPolicyEffect|Added|None, optional parameter.|This parameter allows changing the [Sovereignty Baseline policy initiatives](./scenarios/Sovereignty-Baseline-Policy-Initiatives.md) assignment effect. More details in the [deployment parameter doc.](./07-Deployment-Parameters.md)| | 6 |parDeployLogAnalyticsWorkspace|Added|None, optional parameter.|This parameter toggles between deploying or not deploying Log Analytics Workspace. More details in the [deployment parameter doc.](./07-Deployment-Parameters.md)| | 7 |parCustomerPolicySets|Added|None, optional parameter.|This parameter allows for assigning additional policies to the top-level management group scope. More details in the [deployment parameter doc.](./07-Deployment-Parameters.md)| | 8 |parTags|Added|None, optional parameter.|This parameter allows for customizing resource tagging. More details in the [deployment parameter doc.](./07-Deployment-Parameters.md)| 
@@ -49,19 +49,19 @@ Due to other Azure requirements around naming for Azure-managed resources or res ## Breaking Changes -For the most part, Azure resources cannot be renamed as the name is used as the unique identifier for the resource. By using a standardize naming convention for resources deployed by the SLZ Preview, we have changed these names from the Private version of the SLZ Preview, so existing resources cannot be used by the Public version of the SLZ Preview. +For the most part, Azure resources cannot be renamed as the name is used as the unique identifier for the resource. By using a standardize naming convention for resources deployed by the SLZ, we have changed these names from the Private Preview versions of the SLZ, so existing resources cannot be used by the current release versions of the SLZ. -To use the Public version of the SLZ Preview, we recommend the following: +To use the current release version of the SLZ, we recommend the following: 1. Start with the new parameter file template found in this repository. -2. Copy the parameter values from the Private Preview parameter file to the Public Preview template. +2. Copy the parameter values from the Private Preview parameter file to the current release template. * Update the parameter values as described above. 3. Make sure you are using a `parDeploymentPrefix` and `parDeploymentSuffix` set that is not used by an existing Private Preview deployment. -4. Deploy the SLZ Preview as described in the [following step](08-Deploy-SLZ-Preview.md). -5. Run all post-deployment customizations you've made against this new SLZ Preview deployment. +4. Deploy the current release version of the SLZ as described in the [following step](08-Deploy-SLZ.md). +5. Run all post-deployment customizations you've made against this new SLZ deployment. 
## Next step -Proceed to [configure the parameters required for the SLZ Preview deployment](07-Deployment-Parameters.md) +Proceed to [configure the parameters required for the SLZ deployment](07-Deployment-Parameters.md) -### [Preview Notice](./PREVIEW.md) +### [Microsoft Legal Notice](./NOTICE.md) diff --git a/docs/07-Deployment-Parameters.md b/docs/07-Deployment-Parameters.md index c5d1c21..94d05a9 100644 --- a/docs/07-Deployment-Parameters.md +++ b/docs/07-Deployment-Parameters.md @@ -1,13 +1,13 @@ # Update required parameters -Before deployment of the Sovereign Landing Zone Preview, the `Required` parameters identified below must be reviewed. The parameter file contains defaults for some values as well as sample values for complex data structures. +Before deployment of the Sovereign Landing Zone, the `Required` parameters identified below must be reviewed. The parameter file contains defaults for some values as well as sample values for complex data structures. - 1. In the Sovereign Landing Zone Preview repository, navigate to the `/orchestration/scripts/parameters` folder. + 1. In the Sovereign Landing Zone repository, navigate to the `/orchestration/scripts/parameters` folder. 2. Open `sovereignLandingZone.parameters.json` in a text editor. 3. Review and update at least the required parameters in the `"value"`: `""` field. Reference [Parameter value descriptions](#parameter-value-descriptions) for guidance on the full parameters available. - * The SLZ Preview deployment script will prompt the user for required values that are missed, but it's recommended to put all values in the parameter file. + * The SLZ deployment script will prompt the user for required values that are missed, but it's recommended to put all values in the parameter file. 4. Save the file. 
@@ -17,12 +17,12 @@ This section contains descriptions and accepted values for all parameters within | | Parameter |Description | Guidance, examples | Used By | |----|---------------------|---------------|----------------------------------|---------| - | 1 | `Required` parDeploymentPrefix | Prefix added to all Azure resources created by the SLZ Preview. | 5 characters or less; can only contain letters, digits, '-', '.' or '_'. No other special characters supported.
e.g.: slz | all, bootstrap, compliance, platform, dashboard | - | 2 | `Required` parTopLevelManagementGroupName | The name of the top-level management group for the SLZ Preview. | e.g.: Sovereign Landing Zone | all, bootstrap | - | 3 | parDeploymentSuffix | Optional suffix that will be added to all Azure resources created by the the SLZ Preview. Use a '-' at the start of the suffix value if a dash is needed. | 5 characters or less
e.g. test1 | all, bootstrap, compliance, platform, dashboard | + | 1 | `Required` parDeploymentPrefix | Prefix added to all Azure resources created by the SLZ. | 5 characters or less; can only contain letters, digits, '-', '.' or '_'. No other special characters supported.
e.g.: slz | all, bootstrap, compliance, platform, dashboard | + | 2 | `Required` parTopLevelManagementGroupName | The name of the top-level management group for the SLZ. | e.g.: Sovereign Landing Zone | all, bootstrap | + | 3 | parDeploymentSuffix | Optional suffix that will be added to all Azure resources created by the the SLZ. Use a '-' at the start of the suffix value if a dash is needed. | 5 characters or less
e.g. test1 | all, bootstrap, compliance, platform, dashboard | | 4 | parTopLevelManagementGroupParentId | Optional parent for Management Group hierarchy, used as intermediate root Management Group parent, if specified. If empty (default) will deploy beneath Tenant Root Management Group. | Sample Format - /providers/Microsoft.Management/managementGroups/{mgId} | all, bootstrap | | 5 | `Required` parSubscriptionBillingScope | The full resource ID of billing scope associated to the EA, MCA or MPA account you wish to create the subscription in. | Sample Format (EA): /providers/Microsoft.Billing/BillingAccounts/{BillingAccountId}/enrollmentAccounts/{EnrollmentAccountId}
Sample Format (MCA): /providers/Microsoft.Billing/billingAccounts/{BillingAccountId}
Sample Format (MPA): /providers/Microsoft.Billing/billingAccounts/{BillingAccountId}
etc. | all, bootstrap | - | 6 | `Required` parCustomer | The name of the organization deploying the SLZ Preview to brand the compliance dashboard appropriately. | 128 characters or less
e.g.: Contoso | all, dashboard | + | 6 | `Required` parCustomer | The name of the organization deploying the SLZ to brand the compliance dashboard appropriately. | 128 characters or less
e.g.: Contoso | all, dashboard | | 7 | `Required` parDeploymentLocation | Location used for deploying Azure resources. | Azure region to use for deployments. *If Confidential Computing is required for your region, please reference the [Confidential Computing](https://learn.microsoft.com/azure/confidential-computing/overview) page for the latest information on availability.*
e.g.: westeurope | all, platform, dashboard | | 8 | `Required` parAllowedLocations | Full list of Azure regions allowed by policy where resources can be deployed that should include at least the `parDeploymentLocation`. | An array of values (Azure regions).
e.g.: ["eastus2", "westeurope"] | all, compliance | | 9 | `Required` parAllowedLocationsForConfidentialComputing | Full list of Azure regions allowed by policy where Confidential computing resources can be deployed. This may be a completely different list from `parAllowedLocations`. | An array of values (Azure regions).
e.g.: ["eastus2", "westeurope"] | all, compliance | @@ -46,7 +46,7 @@ This section contains descriptions and accepted values for all parameters within | 27 | parExpressRouteGatewayConfig | Optional configuration options for the ExpressRoute Gateway. | ExpressRoute Gateway Configuration

Sample Format:
{
"sku": "standard",
"vpntype": "RouteBased",
"vpnGatewayGeneration": null,
"enableBgp": false,
"activeActive": false,
"enableBgpRouteTranslationForNat": false,
"enableDnsForwarding": false,
"asn": 65515,
"bgpPeeringAddress": "",
"peerWeight": 5
} | all, platform | | 28 | parVpnGatewayConfig | Optional configuration options for the VPN Gateway. | VPN Gateway Configuration

Sample Format:
{
"sku": "VpnGw1",
"vpntype": "RouteBased",
"generation": "Generation1",
"enableBgp": false,
"activeActive": false,
"enableBgpRouteTranslationForNat": false,
"enableDnsForwarding": false,
"asn": 65515,
"bgpPeeringAddress": "",
"peerWeight": 5
} | all, platform | | 29 | parDeployBastion | Toggles deployment of Azure Bastion. True to deploy, otherwise false. | true; false | all, platform | - | 30 | parLandingZoneMgChildren | Optional array of child management groups to deploy under the SLZ Preview Landing Zones management group. | Sample Format: [{"id": "mymg", "displayName": "My MG display name"}] | all, bootstrap | + | 30 | parLandingZoneMgChildren | Optional array of child management groups to deploy under the SLZ Landing Zones management group. | Sample Format: [{"id": "mymg", "displayName": "My MG display name"}] | all, bootstrap | | 31 | parDeployAlzDefaultPolicies | Toggles assignment of ALZ policies. True to deploy, otherwise false. | true; false | all, compliance | | 32 | parAutomationAccountName | Optional resource name for an existing Azure Automation account with usage enforced by ALZ policies. | Automation Account name
e.g.: slz-managed-identity-westus21 | all, compliance | | 33 | parPrivateDnsResourceGroupId | Optional resource ID of the Azure Resource Group that contains the Private DNS Zones with usage enforced by ALZ policies. | Resource Group ID
e.g.: /subscriptions/{subId}/resourceGroups/slz-rg-hub-network-westus2 | all, compliance | @@ -54,13 +54,13 @@ This section contains descriptions and accepted values for all parameters within | 35 | parBastionOutboundSshRdpPorts | Array of outbound destination ports and ranges for Azure Bastion. | An array of values (ports)
e.g.: ["22", "3389"] | all, platform | | 36 | parInvokePolicyScanSync | Toggles executing the policy scan in synchronous mode. True to run policy scan in synchronous mode, False for asynchronous. When set to false, policy remediation needs to be manually triggered once the scan is complete. Note that when policy scan is run asynchronously, there isn't a way to track its progress. | true; false | all, compliance | | 37 | parInvokePolicyRemediationSync | Toggles executing the policy scan in synchronous mode. True to run policy remediation in synchronous mode, False for asynchronous. | true; false | all, compliance | - | 38 | parPolicyEffect | The policy effect used in all assignments for the Sovereignty Policy Baseline. | Choose one: "Audit", "Deny", "Disabled", "DeployIfNotExists", "Modify", "Append", "AuditIfNotExists" | all, compliance | + | 38 | parPolicyEffect | The policy effect used in all assignments for the Sovereignty Baseline policy initiatives. | Choose one: "Audit", "Deny", "Disabled" | all, compliance | | 39 | parDeployLogAnalyticsWorkspace | Toggles deployment of Log Analytics Workspace. True to deploy, otherwise false. | true; false | all, platform | - | 40 | parCustomerPolicySets | Customer specified policy assignments to the top-level management group of the SLZ Preview. No parameters are supported as part of the assignment. | Name field can only be a letter, digit, '-', '.' or '_' and cannot have any trailing special character.
See the SLZ Preview parameter file for a sample configuration. | all, compliance | - | 41 | parTags | Tags that will be assigned to subscription and resources created by this deployment script. | See the SLZ Preview parameter file for a sample configuration. | all, bootstrap, platform, and dashboard | + | 40 | parCustomerPolicySets | Customer specified policy assignments to the top-level management group of the SLZ. No parameters are supported as part of the assignment. | Name field can only be a letter, digit, '-', '.' or '_' and cannot have any trailing special character.
See the SLZ parameter file for a sample configuration. | all, compliance | + | 41 | parTags | Tags that will be assigned to subscription and resources created by this deployment script. | See the SLZ parameter file for a sample configuration. | all, bootstrap, platform, and dashboard | ## Next step -[Deploy the Sovereign Landing Zone Preview](08-Deploy-SLZ-Preview.md) +[Deploy the Sovereign Landing Zone](08-Deploy-SLZ.md) -### [Preview Notice](./PREVIEW.md) +### [Microsoft Legal Notice](./NOTICE.md) diff --git a/docs/08-Deploy-SLZ-Preview.md b/docs/08-Deploy-SLZ.md similarity index 91% rename from docs/08-Deploy-SLZ-Preview.md rename to docs/08-Deploy-SLZ.md index e4c81d4..8c79e4c 100644 --- a/docs/08-Deploy-SLZ-Preview.md +++ b/docs/08-Deploy-SLZ.md @@ -1,4 +1,4 @@ -# Deploy the Sovereign Landing Zone Preview using the PowerShell script +# Deploy the Sovereign Landing Zone using the PowerShell script **Prerequisite:** Please be sure to follow the steps in [Permissions and Tooling](05-Permissions-Tooling.md) to ensure latest tools are installed and the right permissions levels are available. @@ -19,4 +19,4 @@ Please reference [Frequently Asked Questions](12-FAQ.md) for commons errors and [Deploy Customize Policies](09-Customize-Policies.md) -### [Preview Notice](./PREVIEW.md) +### [Microsoft Legal Notice](./NOTICE.md) diff --git a/docs/09-Customize-Policies.md b/docs/09-Customize-Policies.md index a9fd999..37694b9 100644 --- a/docs/09-Customize-Policies.md +++ b/docs/09-Customize-Policies.md 
@@ -1,15 +1,15 @@ # Customize and configure policies -A default installation of the SLZ Preview will come with the Sovereignty Policy Baseline deployed with a `Deny` effect and all the ALZ Polices assigned. However, it is common for organizations to customize and configure policies further to meet their governance requirements. Details on how to achieve this can be found in one of the following areas: +A default installation of the SLZ will come with the Sovereignty Baseline policy initiatives deployed with a `Deny` effect and all the ALZ Policies assigned. However, it is common for organizations to customize and configure policies further to meet their governance requirements. Details on how to achieve this can be found in one of the following areas: -1. Review the [Sovereignty Policy Baseline](scenarios/Sovereignty-Policy-Baseline.md) page for more details about configuring the baseline. +1. Review the [Sovereignty Baseline policy initiatives](scenarios/Sovereignty-Baseline-Policy-Initiatives.md) page for more details about configuring the baseline. 2. Review the [ALZ Policies](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies) page and links within that page for more details about policy governance within the landing zone, and review the [Microsoft Cloud Security Benchmark](https://aka.ms/azsecbm) documentation for details about best security practices. * The Microsoft Cloud Security Benchmark are part of the ALZ Policy initiatives. -3. Review the [Policy Portfolio](scenarios/Using-Policy-Portfolio.md) page for more details about using one of the initiatives within the portfolio or how any built-in policy initiatives can be used. +3. Review the [Microsoft Cloud for Sovereignty policy portfolio](scenarios/Using-Policy-Portfolio.md) page for more details about using one of the initiatives within the portfolio or how any built-in policy initiatives can be used. 4. 
Review the [Custom Policies](scenarios/Custom-Policies.md) page for more details about deploying other organization-specific custom policies. ## Next step [View your compliance dashboard.](10-Compliance-Dashboard.md) -### [Preview Notice](./PREVIEW.md) +### [Microsoft Legal Notice](./NOTICE.md) diff --git a/docs/10-Compliance-Dashboard.md b/docs/10-Compliance-Dashboard.md index 2862486..e1594ae 100644 --- a/docs/10-Compliance-Dashboard.md +++ b/docs/10-Compliance-Dashboard.md 
@@ -2,23 +2,23 @@
 ## Overview
-[Sovereign Landing Zone Preview Compliance Dashboard](https://portal.azure.com/#dashboard) provides customers with a singular page that aggregates various Azure policy compliance views and queries to show an overview of their resource compliance. Customers can get insight into this resource-level compliance against the baseline policies deployed with the SLZ Preview as well as additional custom compliance that has been deployed.
+[Sovereign Landing Zone Compliance Dashboard](https://portal.azure.com/#dashboard) provides customers with a singular page that aggregates various Azure policy compliance views and queries to show an overview of their resource compliance. Customers can get insight into this resource-level compliance against the baseline policies deployed with the SLZ as well as additional custom compliance that has been deployed.
-The [Sovereign Landing Zone Preview Compliance Dashboard](https://portal.azure.com/#dashboard) can be accessed in the Shared Dashboards section of the Azure Portal. The naming convention follows the pattern `${parDeploymentPrefix}-Sovereign-Landing-Zone-Dashboard-Preview-${parDeploymentLocation}`, utilizing the parameters provided during deployment.
+The [Sovereign Landing Zone Compliance Dashboard](https://portal.azure.com/#dashboard) can be accessed in the Shared Dashboards section of the Azure Portal. The naming convention follows the pattern `${parDeploymentPrefix}-Sovereign-Landing-Zone-Dashboard-${parDeploymentLocation}`, utilizing the parameters provided during deployment.
 ## Dashboard Tiles
-The compliance dashboard is customizable and [can be extended](scenarios/Extending-Compliance-Dashboard.md) as needed. The tiles that are deployed as part of the baseline SLZ Preview are described below. Note that resources deployed within the portal may create multiple internal resources or components that are tracked separately by the compliance score. This notion is shared across all tiles, so the total count numbers displayed for compliance may be different from the total resource count number.
+The compliance dashboard is customizable and [can be extended](scenarios/Extending-Compliance-Dashboard.md) as needed. The tiles that are deployed as part of the baseline SLZ are described below. Note that resources deployed within the portal may create multiple internal resources or components that are tracked separately by the compliance score. This notion is shared across all tiles, so the total count numbers displayed for compliance may be different from the total resource count number.
 | Key | Tiles | Description |
 |-----|--------|-------------|
-| 1 | Overall resources compliance score | Indicates the number of resources in the SLZ Preview top-level management group are compliant with all policies applied within the SLZ Preview. This calculation is also inclusive of the policies and initiatives assigned by the customer. |
-| 2 | Overall data residency compliance score | Indicates the number of resources in the SLZ Preview top-level management group that are compliant with data residency policies applied within the SLZ Preview. |
-| 3 | Overall confidential compliance score | Indicates the number of resources in the SLZ Preview top-level management group are compliant with encryption policies meant to keep data confidential and encrypted from Microsoft as the cloud operator. Note that resources of a valid SKU do not contribute to the total resource count by design: [Update in Policy Compliance for Resource Type Policies](https://azure.microsoft.com/updates/general-availability-update-in-policy-compliance-for-resource-type-policies/) |
+| 1 | Overall resources compliance score | Indicates the number of resources in the SLZ top-level management group are compliant with all policies applied within the SLZ. This calculation is also inclusive of the policies and initiatives assigned by the customer. |
+| 2 | Overall data residency compliance score | Indicates the number of resources in the SLZ top-level management group that are compliant with data residency policies applied within the SLZ. |
+| 3 | Overall confidential compliance score | Indicates the number of resources in the SLZ top-level management group are compliant with encryption policies meant to keep data confidential and encrypted from Microsoft as the cloud operator. Note that resources of a valid SKU do not contribute to the total resource count by design: [Update in Policy Compliance for Resource Type Policies](https://azure.microsoft.com/updates/general-availability-update-in-policy-compliance-for-resource-type-policies/) |
 | 4 | Resource compliance by state | Number of resources that are in each compliance state as evaluated by Azure Policy. |
 | 5 | Resource compliance percentage by subscription | Resource compliance percentage for each subscription that has applicable resources under it. This count also includes compliance reports for resource group and subscription compliance. |
 | 6 | Resource compliance percentage by policy initiative | Resource compliance percentage for each policy initiative that has applicable resources under it. Supports custom initiatives if the policy initiative is being applied to applicable resources. This count also includes compliance reports for resource group and subscription compliance. |
-| 7 | Resource compliance percentage by policy group | Resource compliance percentage for each policy group (prefixed with dashboard-) that has applicable resources enumerated as a policy group in the SLZ Preview bicep. The calculations on this tile cannot be directly verified via the Azure Policy section of Azure portal. |
+| 7 | Resource compliance percentage by policy group | Resource compliance percentage for each policy group (prefixed with dashboard-) that has applicable resources enumerated as a policy group in the SLZ bicep. The calculations on this tile cannot be directly verified via the Azure Policy section of Azure portal. |
 | 8 | Non-Compliant and exempt resources | Non-compliant and exempt resources as well as relevant information to act against those resources. Resources within the Confidential Corp and Confidential Online Management Groups are expected to be exempt from the Allowed locations policy within the SlzGlobalPolicies initiative as the Allowed locations policy within the SlzConfidentialPolicies initiative supersedes this. |
 | 9 | Non-compliant resources by location | Resources that are in regions outside of the custom defined safe regions list. The tile will only show resources that are in locations which are not allowed by the data residency policy. Currently, we have 1 data resident policy (Allowed locations). To view the data please verify there are resources present beyond the safe regions supported by the data resident policy. |
 | 10| Resource exempt from data residency policies | Resources that have been made exempt to data residence policies with actionable information. Resources within the Confidential Corp and Confidential Online Management Groups are expected to be exempt from the Allowed locations policy within the SlzGlobalPolicies initiative as the Allowed locations policy within the SlzConfidentialPolicies initiative supersedes this. |
@@ -34,4 +34,4 @@ The compliance dashboard is customizable and [can be extended](scenarios/Extendi
 [Conclusion](11-Conclusion.md)
-## [Preview Notice](./PREVIEW.md)
+## [Microsoft Legal Notice](./NOTICE.md)
diff --git a/docs/11-Conclusion.md b/docs/11-Conclusion.md
index 9569c73..94513ed 100644
--- a/docs/11-Conclusion.md
+++ b/docs/11-Conclusion.md
@@ -2,10 +2,10 @@
 ## Congratulations
-You have successfully deployed the Sovereign Landing Zone Preview.
+You have successfully deployed the Sovereign Landing Zone.
-You can now improve upon on your [compliance policies](09-Customize-Policies.md) as needed and view the results in your [dashboard](10-Compliance-Dashboard.md). View how to [deploy platform or application landing zones](scenarios/Landing-Zone-Vending.md) to host your workloads within the SLZ Preview for common next steps.
+You can now improve upon on your [compliance policies](09-Customize-Policies.md) as needed and view the results in your [dashboard](10-Compliance-Dashboard.md). View how to [deploy platform or application landing zones](scenarios/Landing-Zone-Vending.md) to host your workloads within the SLZ for common next steps.
-Visit our [Frequently Asked Questions](12-FAQ.md) page for common queries or [Scenarios](scenarios/README.md) for common post-deployment operations. Log a [GitHub Issue](https://github.com/Azure/sovereign-landing-zone/issues) for any problems you are encountering getting started with or managing your SLZ Preview deployment.
+Visit our [Frequently Asked Questions](12-FAQ.md) page for common queries or [Scenarios](scenarios/README.md) for common post-deployment operations. Log a [GitHub Issue](https://github.com/Azure/sovereign-landing-zone/issues) for any problems you are encountering getting started with or managing your SLZ deployment.
-## [Preview Notice](./PREVIEW.md)
+## [Microsoft Legal Notice](./NOTICE.md)
diff --git a/docs/12-FAQ.md b/docs/12-FAQ.md
index 90bfdda..bea8de0 100644
--- a/docs/12-FAQ.md
+++ b/docs/12-FAQ.md
@@ -1,18 +1,18 @@
-# Sovereign Landing Zone Preview - Frequently Asked Questions
+# Sovereign Landing Zone - Frequently Asked Questions
-This document answers the most common questions related to the Sovereign Landing Zone Preview deployment and modules.
+This document answers the most common questions related to the Sovereign Landing Zone deployment and modules.
 To report issues or get support, please submit a ticket through [GitHub Issues](https://github.com/Azure/sovereign-landing-zone/issues) or review the [troubleshooting docs](./13-Troubleshooting.md).
-## Sovereign Landing Zone Preview
+## Sovereign Landing Zone
 ### Why use Bicep over Terraform?
-There are a wide variety of deployment technologies available for customers to choose from and Terraform is commonly used to simplify operations especially for organizations that are multi-cloud. Bicep was selected as the first deployment technology to use for the SLZ Preview, and we will endeavor to support additional languages based upon customer need. Submit a [feature request](https://github.com/Azure/sovereign-landing-zone/issues) to let us know which ones are important for you!
+There are a wide variety of deployment technologies available for customers to choose from and Terraform is commonly used to simplify operations especially for organizations that are multi-cloud. Bicep was selected as the first deployment technology to use for the SLZ, and we will endeavor to support additional languages based upon customer need. Submit a [feature request](https://github.com/Azure/sovereign-landing-zone/issues) to let us know which ones are important for you!
-### Is SLZ Preview an Application / Workload?
+### Is SLZ an Application / Workload?
-The SLZ Preview is not an application, but rather simplifies the process for deploying or migrating an application to Azure. For more details about landing zones and how they support Azure adoption, review the [Cloud Adoption Framework](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/) docs on this subject.
+The SLZ is not an application, but rather simplifies the process for deploying or migrating an application to Azure. For more details about landing zones and how they support Azure adoption, review the [Cloud Adoption Framework](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/) docs on this subject.
 ## Permissions and Tooling
@@ -20,7 +20,7 @@ The SLZ Preview is not an application, but rather simplifies the process for dep
 The specific steps vary depending on the Azure Account type you are using. For more information visit the [Create Azure subscriptions programmatically](https://learn.microsoft.com/azure/cost-management-billing/manage/programmatically-create-subscription), which describes everything required to create subscriptions for each Azure Account type.
-### Why do I need elevated permissions to deploy the Sovereign Landing Zone Preview?
+### Why do I need elevated permissions to deploy the Sovereign Landing Zone?
 This permission is no longer needed, but can be useful for organizations that are getting started with Azure. For more details about permissions review the docs on the [current recommended permissions](./05-Permissions-Tooling.md) or [reduced permission sets required](./scenarios/Piloting-SLZ.md).
@@ -51,9 +51,9 @@ Check [Permissions and Tooling](/docs/05-Permissions-Tooling.md) for more inform
 ### Why are the scripts using the wrong user?
-For individuals that have multiple accounts, it may happen that an unexpected account is currently active causing the SLZ Preview to use it for deployments. This can be resolved by running `Disconnect-AzAccount` in PowerShell to logout, then running `Connect-AzAccount` to log back in with the right account.
+For individuals that have multiple accounts, it may happen that an unexpected account is currently active causing the SLZ to use it for deployments. This can be resolved by running `Disconnect-AzAccount` in PowerShell to logout, then running `Connect-AzAccount` to log back in with the right account.
-## Deploying the Sovereign Landing Zone Preview
+## Deploying the Sovereign Landing Zone
 ### Why did my deployment pause in PowerShell?
@@ -61,7 +61,7 @@ This could be due to a left mouse click in the PowerShell window, causing the wi
 ### Why is the script retrying and failing even after I have confirmed that I have the right permissions?
-It may take several hours for billing permissions required to setup or use a billing scope to go into effect, during which point the SLZ Preview will not be deployable. Please run the `Confirm-SovereignLandingZonePrerequisites.ps1` script, and wait around 4 hours before retrying the deployment.
+It may take several hours for billing permissions required to setup or use a billing scope to go into effect, during which point the SLZ will not be deployable. Please run the `Confirm-SovereignLandingZonePrerequisites.ps1` script, and wait around 4 hours before retrying the deployment.
 ### When running the deployment script, I get a "DeploymentFailed" error with the description "The aggregated deployment error is too large. Please list deployment operations to get the deployment details. Please see `https://aka.ms/DeployOperations` for usage details." How do I fix this?**
@@ -69,7 +69,7 @@ Please re-try running the script to fix this error. Log an Issue if the problem
 ### Why am I getting a "deployment already exists" error?
-This commonly because a previous SLZ preview deployment shared the same prefix and suffix. You'll need to clean up the old deployment if you want to reuse the prefix and suffix set.
+This commonly because a previous SLZ deployment shared the same prefix and suffix. You'll need to clean up the old deployment if you want to reuse the prefix and suffix set.
 This can be accomplished by running the `Remove-AzDeployment` command in PowerShell. For Azure CLI, use the `az deployment tenant delete -n ` or `az deployment mg delete -management-group-id --name` commands.
@@ -77,11 +77,11 @@ This can be accomplished by running the `Remove-AzDeployment` command in PowerSh
 ### Why am I getting a "Subscription Alias Already Exist" error?
-This commonly because a previous SLZ preview deployment shared the same prefix and suffix. See the `Why am I getting a "deployment already exists" error?` FAQ for resolution steps.
+This commonly because a previous SLZ deployment shared the same prefix and suffix. See the `Why am I getting a "deployment already exists" error?` FAQ for resolution steps.
 ### I am getting a 'ReferencedResourceNotProvisioned' error. How do I resolve this?
-If you encounter this error, it is likely due to a transient issue with resource availability. The SLZ Preview deployment script has retry logic to resolve these types of issues, but it may be necessary to rerun the SLZ Preview deployment script if the script terminates.
+If you encounter this error, it is likely due to a transient issue with resource availability. The SLZ deployment script has retry logic to resolve these types of issues, but it may be necessary to rerun the SLZ deployment script if the script terminates.
 If it is a viable option, you can attempt deployment to a different region.
@@ -98,7 +98,7 @@ This error is likely to occur if the subscriptions being created in the Bootstra
 ### What are the allowed Azure resource types for confidential management groups (Confidential Corp and Confidential Online)?
-For an overview of confidential computing resources in Azure please refer to this [documentation.](https://learn.microsoft.com/azure/confidential-computing/overview-azure-products) The list used by the SLZ Preview can be found [here](../modules/compliance/policyAssignments/policy_assignment_deploy_slz_confidential_defaults.tmpl.json), and the list can be customized to meet an organization's needs.
+For an overview of confidential computing resources in Azure please refer to this [documentation.](https://learn.microsoft.com/azure/confidential-computing/overview-azure-products) The list used by the SLZ can be found [here](../modules/compliance/policyAssignments/policy_assignment_deploy_slz_confidential_defaults.tmpl.json), and the list can be customized to meet an organization's needs.
 ### What information should I consider removing from my failed deployment details logs?
@@ -133,7 +133,7 @@ Please reference the Microsoft Learn document that addresses [common Azure deplo
 ### Why am I getting an error message stating `Account already exists in another resourcegroup in a subscription`
-This commonly happens with Private Preview customers attempting to upgrade to the Public Preview version. For more details look at our [upgrade documentation](./06-Upgrade-Existing-SLZ-Preview.md).
+This commonly happens with Private Preview customers attempting to upgrade to the current release version. For more details look at our [upgrade documentation](./06-Upgrade-Existing-SLZ-Preview.md).
 ### Why do I keep getting an error message stating creating the deployment will exceed the quota of '800'?
@@ -184,14 +184,14 @@ While it's recommended to wait for Azure to automatically clean up the deploymen
 }
 ```
-### Can I Use a Managed Identity / Service Principal to Deploy the SLZ Preview?
+### Can I Use a Managed Identity / Service Principal to Deploy the SLZ?
 Yes, provided this identity has been successfully authenticated prior to initiating the deployment such as through an `az login` command. The `New-SovereignLandingZone.ps1` script has two relevant CLI parameters that should be used:
 * *parDeployment*: Default `null`. This parameter specifies the deployment type so it doesn't need to be typed in manually.
 * *parAttendedLogin*: Default `$true`. This parameter tells the script to perform various login and validation steps that are not necessary when using a managed identity.
-A managed identity with appropriate permissions and running in a context with all necessary modules installed can deploy the SLZ Preview through a command such as this:
+A managed identity with appropriate permissions and running in a context with all necessary modules installed can deploy the SLZ through a command such as this:
 ```
 .\New-SovereignLandingZone.ps1 -parDeployment all -parAttendedLogin $false
@@ -201,11 +201,11 @@ Reference our [pipeline deployments](./scenarios/Pipeline-Deployments.md) docume
 ### Can I Choose which Parameter File to Use?
-Yes, for many organizations with multiple SLZ Preview deployments it is advisable to minimize operational activities by creating a new parameter file for each SLZ Preview deployment. The `New-SovereignLandingZone.ps1` script has one relevant CLI parameter that should be used:
+Yes, for many organizations with multiple SLZ deployments it is advisable to minimize operational activities by creating a new parameter file for each SLZ deployment. The `New-SovereignLandingZone.ps1` script has one relevant CLI parameter that should be used:
 * *parParametersFilePath*: Default `.\parameters\sovereignLandingZone.parameters.json`. This is the relative path from the `New-SovereignLandingZone.ps1` script to the parameter file.
-An organization with multiple SLZ Preview deployments each with a unique parameter file in the local parameters directory can manage a new deployment through a command such as this:
+An organization with multiple SLZ deployments each with a unique parameter file in the local parameters directory can manage a new deployment through a command such as this:
 ```
 .\New-SovereignLandingZone.ps1 -parParametersFilePath .\parameters\testSLZ.parameters.json
@@ -219,4 +219,4 @@ Reference our [pipeline deployments](./scenarios/Pipeline-Deployments.md) docume
 You will need to assign an Azure `Reader` role the user at the top-level management group scope. Please follow instructions here on how to add an Azure role: [Azure Role Based Access Control](https://learn.microsoft.com/azure/role-based-access-control/role-assignments-portal)
-## [Preview Notice](./PREVIEW.md)
+## [Microsoft Legal Notice](./NOTICE.md)
diff --git a/docs/13-Troubleshooting.md b/docs/13-Troubleshooting.md
index f306511..e031963 100644
--- a/docs/13-Troubleshooting.md
+++ b/docs/13-Troubleshooting.md
@@ -1,42 +1,42 @@
 # Troubleshooting
-If you are running into issues with your SLZ Preview deployment, review the common troubleshooting topic here or common questions in the [FAQ](./12-FAQ.md). If neither of these resolve your issue, please reach out for assistance through your standard support process or file a [GitHub issue](https://github.com/Azure/sovereign-landing-zone/issues) with us.
+If you are running into issues with your SLZ deployment, review the common troubleshooting topic here or common questions in the [FAQ](./12-FAQ.md). If neither of these resolve your issue, please reach out for assistance through your standard support process or file a [GitHub issue](https://github.com/Azure/sovereign-landing-zone/issues) with us.
 ## Determining Deployment Steps
-When a user creates or updates the SLZ Preview, they will execute the `/orchestration/scripts/New-SovereignLandingZone.ps1` script. This script has a required `parDeployment` parameter, but it will also prompt the user to select if not provided. Review the [deployment overview](./03-Deployment-Overview.md) doc for more information about deployment steps.
+When a user creates or updates the SLZ, they will execute the `/orchestration/scripts/New-SovereignLandingZone.ps1` script. This script has a required `parDeployment` parameter, but it will also prompt the user to select if not provided. Review the [deployment overview](./03-Deployment-Overview.md) doc for more information about deployment steps.
 Any time the user should be informed of a specific log, that log will start with `>>>` including when a deployment step is beginning or ending. When an error occurs, the current deployment step will be the last deployment step printed in the logs. The screenshot below shows an example for the bootstrap deployment step.
-![SLZ Preview Deployment Step in Logs](images/determine-deployment-steps.png)
+![SLZ Deployment Step in Logs](images/determine-deployment-steps.png)
 ## Determining Error from the Error Message
 When an error occurs, the error message will most often be presented in a human readable format in red text, with the relevant details being contained within the `Status Message` field as seen below or in a generic `Message` field.
-![SLZ Preview Error in Logs](images/determine-error-message.png)
+![SLZ Error in Logs](images/determine-error-message.png)
 ## Bootstrap Errors
 ### User is not authorized to create subscriptions on this enrollment account.
-This error means that the SLZ Preview parameter `parSubscriptionBillingScope` value is not valid. Refer to the [permissions setup](./05-Permissions-Tooling.md) doc for more details about the permissions required for your Azure Agreement type.
+This error means that the SLZ parameter `parSubscriptionBillingScope` value is not valid. Refer to the [permissions setup](./05-Permissions-Tooling.md) doc for more details about the permissions required for your Azure Agreement type.
-Once a valid value is provided, rerun the SLZ Preview deployment.
+Once a valid value is provided, rerun the SLZ deployment.
 ### The provided location [LOCATION] is not available for deployment.
-This error means that the SLZ Preview parameter `parDeploymentLocation` value is referring to a region that the user does not have permissions to use. This is commonly the case when there is a typo in this value.
+This error means that the SLZ parameter `parDeploymentLocation` value is referring to a region that the user does not have permissions to use. This is commonly the case when there is a typo in this value.
-Once a valid value is provided, rerun the SLZ Preview deployment.
+Once a valid value is provided, rerun the SLZ deployment.
 ### Invalid deployment location [LOCATION]. The deployment [DEPLOYMENT NAME] already exists in location [OTHER LOCATION].
-This error commonly means that the `parDeploymentLocation` value has been changed when trying to update an existing SLZ Preview deployment, or that the `parDeploymentPrefix` and `parDeploymentSuffix` value pair is already being used by an existing SLZ Preview deployment.
+This error commonly means that the `parDeploymentLocation` value has been changed when trying to update an existing SLZ deployment, or that the `parDeploymentPrefix` and `parDeploymentSuffix` value pair is already being used by an existing SLZ deployment.
-If you are attempting to move the SLZ Preview deployment, you will need to instead create a new SLZ Preview deployment with a unique `parDeploymentPrefix` and `parDeploymentSuffix` value pair as Azure resources in general cannot be moved.
+If you are attempting to move the SLZ deployment, you will need to instead create a new SLZ deployment with a unique `parDeploymentPrefix` and `parDeploymentSuffix` value pair as Azure resources in general cannot be moved.
-If an existing SLZ Preview deployment is already using the `parDeploymentPrefix` and `parDeploymentSuffix` value pair, you will need to select a new value for one or both of those parameters. Once a valid set of values are provided, rerun the SLZ Preview deployment.
+If an existing SLZ deployment is already using the `parDeploymentPrefix` and `parDeploymentSuffix` value pair, you will need to select a new value for one or both of those parameters. Once a valid set of values are provided, rerun the SLZ deployment.
 ## Platform Errors
@@ -44,18 +44,20 @@ If an existing SLZ Preview deployment is already using the `parDeploymentPrefix`
 This error commonly occurs when the subnet CIDR range for one of the subnets is outside the hub VNET CIDR range. You will need to review the `parHubNetworkAddressPrefix`, `parAzureBastionSubnet`, `parGatewaySubnet`, `parAzureFirewallSubnet`, and `parCustomSubnets` parameters to ensure there are no overlaps and all subnet ranges are within the hub VNET CIDR range.
-Once valid values are provided for the hub VNET and subnets, rerun the SLZ Preview deployment.
+Once valid values are provided for the hub VNET and subnets, rerun the SLZ deployment.
 ### Resource [LOG ANALYTICS WORKSPACE RESOURCE OR SOLUTION ID] was disallowed by policy.
-This error means that the SLZ Global Defaults policy assignment has been configured to block the `parDeploymentLocation`. This commonly occurs when trying to update an existing SLZ Preview deployment. You will need to review the `parAllowedLocations` array to ensure it contains the `parDeploymentLocation` value.
+This error means that the SLZ Global Defaults policy assignment has been configured to block the `parDeploymentLocation`. This commonly occurs when trying to update an existing SLZ deployment. You will need to review the `parAllowedLocations` array to ensure it contains the `parDeploymentLocation` value.
-Once a valid value is provided, run the SLZ Preview compliance deployment step to update the policy assignment, then rerun the SLZ Preview deployment. This error is related to the other ones where policy is blocking the resource.
+Once a valid value is provided, run the SLZ compliance deployment step to update the policy assignment, then rerun the SLZ deployment. This error is related to the other ones where policy is blocking the resource.
 ## Dashboard Errors
 ### Resource [DASHBOARD RESOURCE GROUP NAME] was disallowed by policy.
-This error means that the SLZ Global Defaults policy assignment has been configured to block the `parDeploymentLocation`. This commonly occurs when trying to create a new SLZ Preview deployment. You will need to review the `parAllowedLocations` array to ensure it contains the `parDeploymentLocation` value.
+This error means that the SLZ Global Defaults policy assignment has been configured to block the `parDeploymentLocation`. This commonly occurs when trying to create a new SLZ deployment. You will need to review the `parAllowedLocations` array to ensure it contains the `parDeploymentLocation` value.
-Once a valid value is provided, run the SLZ Preview compliance deployment step to update the policy assignment, then rerun the SLZ Preview deployment. This error is related to the other ones where policy is blocking the resource.
+Once a valid value is provided, run the SLZ compliance deployment step to update the policy assignment, then rerun the SLZ deployment. This error is related to the other ones where policy is blocking the resource.
+
+## [Microsoft Legal Notice](./NOTICE.md)
diff --git a/docs/NOTICE.md b/docs/NOTICE.md
new file mode 100644
index 0000000..0635593
--- /dev/null
+++ b/docs/NOTICE.md
@@ -0,0 +1,3 @@
+# Microsoft Legal Notice
+
+The **Sovereign Landing Zone** (1) is not designed, intended, or made available as legal services, (2) is not intended to substitute for professional legal counsel or judgment, and (3) should not be used in place of consulting with a qualified professional legal professional for your specific needs. Microsoft makes no warranty that the **Sovereign Landing Zone** is accurate, up-to-date, or complete. You are wholly responsible for ensuring your own compliance with all applicable laws and regulations.
diff --git a/docs/PREVIEW.md b/docs/PREVIEW.md
deleted file mode 100644
index a0faa1f..0000000
--- a/docs/PREVIEW.md
+++ /dev/null
@@ -1,3 +0,0 @@
-# Preview Notice
-
-**Preview Terms**. The Sovereign Landing Zone Preview (the "PREVIEW") is licensed to you as part of your [Azure subscription](https://azure.microsoft.com/en-us/support/legal/) and subject to terms applicable to "Previews" as detailed in the Universal License Terms for Online Services section of the Microsoft Product Terms and the [Microsoft Products and Services Data Protection Addendum ("DPA")](https://www.microsoft.com/licensing/terms/welcome/welcomepage). AS STATED IN THOSE TERMS, PREVIEWS ARE PROVIDED "AS-IS," "WITH ALL FAULTS," AND "AS AVAILABLE," AND ARE EXCLUDED FROM THE SERVICE LEVEL AGREEMENTS AND LIMITED WARRANTY. Previews may employ lesser or different privacy and security measures than those typically present in Azure Services. Unless otherwise noted, you should not use Previews to process Personal Data or other data that is subject to legal or regulatory compliance requirements. The following terms in the [DPA](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA) do not apply to Previews: Processing of Personal Data; GDPR, Data Security, and HIPAA Business Associate. We may change or discontinue Previews at any time without notice. We also may choose not to release a Preview into General Availability.
diff --git a/docs/scenarios/Custom-Policies.md b/docs/scenarios/Custom-Policies.md
index ee215e1..e7cc3d3 100644
--- a/docs/scenarios/Custom-Policies.md
+++ b/docs/scenarios/Custom-Policies.md
@@ -1,13 +1,13 @@
 # Customize baseline policies
-Once the SLZ Preview is deployed, the management group structure, subscriptions, and the [sovereignty policy baseline](Sovereignty-Policy-Baseline.md) will be in place. While the baseline can be configured, it may be necessary to apply additional policies to address local laws and regulations. Review the [Microsoft Cloud for Sovereignty Policy Portfolio](https://github.com/Azure/cloud-for-sovereignty-policy-portfolio) for policies that support specific regulations, or follow the below steps to deploy your own policies alongside the SLZ Preview.
+Once the SLZ is deployed, the management group structure, subscriptions, and the [Sovereignty Baseline policy initiatives](Sovereignty-Baseline-Policy-Initiatives.md) will be in place. While the baseline can be configured, it may be necessary to apply additional policies to address local laws and regulations. Review the [Microsoft Cloud for Sovereignty policy portfolio](https://github.com/Azure/cloud-for-sovereignty-policy-portfolio) for policies that support specific regulations, or follow the below steps to deploy your own policies alongside the SLZ.
 ## Customization step by step
-The SLZ Preview allows for custom policy initiatives to be deployed within the standard management group scopes for each deployment through the following:
+The SLZ allows for custom policy initiatives to be deployed within the standard management group scopes for each deployment through the following:
 1. Navigate to the custom policy definitions located in `/custom/policies/definitions` in your version of the GitHub repository.
-2. Each definition corresponds to one of the default management group scopes deployed as part of the SLZ Preview management group hierarchy:
+2. 
Each definition corresponds to one of the default management group scopes deployed as part of the SLZ management group hierarchy:
 * `slzConfidentialCustom.json` -> Confidential Corp and Confidential Online Management Groups
 * `slzConnectivityCustom.json` -> Connectivity Management Group
 * `slzCorpCustom.json` -> Corp and Confidential Corp Management Groups
@@ -21,7 +21,7 @@ The SLZ Preview allows for custom policy initiatives to be deployed within the s
 * `slzSandboxCustom.json` -> Sandbox Management Group
 3. Select the file for management group scope that you want custom policies to apply to and if you want to apply custom policies to all application workloads then select `slzLandingZoneCustom.json`
 4. If custom policies have not been added yet, then the custom policy file will look like the screenshot below. Do NOT edit the `policyType`, `id`, `type`, or `name` fields. You will update the `parameters`, `policyDefinitions`, and `policyDefinitionGroups` as described by the [initiative definition structure](https://learn.microsoft.com/azure/governance/policy/concepts/initiative-definition-structure)
-5. Grouping policies together on the [SLZ Preview dashboard](./Extending-Compliance-Dashboard.md) is accomplished by adding `dashboard-` to the beginning of the policy definition group name, but any name can be used. The documentation for the [policy set definition group structure](https://learn.microsoft.com/azure/governance/policy/concepts/initiative-definition-structure#policy-definition-groups) describes the group structure further. A valid policy definition group can be found below:
+5. Grouping policies together on the [SLZ dashboard](./Extending-Compliance-Dashboard.md) is accomplished by adding `dashboard-` to the beginning of the policy definition group name, but any name can be used. The documentation for the [policy set definition group structure](https://learn.microsoft.com/azure/governance/policy/concepts/initiative-definition-structure#policy-definition-groups) describes the group structure further. A valid policy definition group can be found below:
 ```
 {
 "name": "dashboard-NIST_SP_800-171_R2",
@@ -31,7 +31,7 @@ The SLZ Preview allows for custom policy initiatives to be deployed within the s
 ```
 6. Passing values to the custom policy definitions is not currently supported. You can set default values in the definition file or in the assignment file (located in the `/custom/policies/assignments` folder) but you cannot pass in values from the orchestration script at this time. Documentation on the assignment structure and how to set parameters is located [here](https://learn.microsoft.com/azure/governance/policy/concepts/assignment-structure)
 7. Once you have added the custom policies to the policy set file, you only need to save the file and run `.\New-SovereignLandingZone.ps1` with either the `all`, or `compliance` deployment step and your custom policies will be added and assigned to the appropriate management group scopes.
-8. If you need to change a policy effect, you will need to make that change to the above definitions and redeploy the SLZ Preview as above. For documentation on how to set a policy effect please review the documentation [here](https://learn.microsoft.com/azure/governance/policy/concepts/effects)
+8. If you need to change a policy effect, you will need to make that change to the above definitions and redeploy the SLZ as above. For documentation on how to set a policy effect please review the documentation [here](https://learn.microsoft.com/azure/governance/policy/concepts/effects)
 **Note** Custom policies will need to fit with the [Azure policy and policy rule limits](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#azure-policy-limits) otherwise Azure will not create the definitions.
@@ -39,4 +39,4 @@ The SLZ Preview allows for custom policy initiatives to be deployed within the s
 [View your compliance dashboard.](../10-Compliance-Dashboard.md)
-### [Preview Notice](./PREVIEW.md)
+### [Microsoft Legal Notice](../NOTICE.md)
diff --git a/docs/scenarios/Expanding-SLZ-ManagementGroups.md b/docs/scenarios/Expanding-SLZ-ManagementGroups.md
index 8defc5a..db1dc88 100644
--- a/docs/scenarios/Expanding-SLZ-ManagementGroups.md
+++ b/docs/scenarios/Expanding-SLZ-ManagementGroups.md
@@ -1,6 +1,6 @@
-# Adding New Management Group Scopes to the SLZ Preview
+# Adding New Management Group Scopes to the SLZ
-The SLZ Preview deploys a standard set of management groups that are used to organize resources and manage policy assignments. This set also has the following recommended usage patterns:
+The SLZ deploys a standard set of management groups that are used to organize resources and manage policy assignments. This set also has the following recommended usage patterns:
 1. [Connectivity](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-azure) - Used to host platform workloads that provide core networking capabilities
 2. [Identity](https://learn.microsoft.com/azure/cloud-adoption-framework/decision-guides/identity/) - Used to host platform workloads that provide identity management, access, and syncing capabilities
@@ -14,8 +14,10 @@ The SLZ Preview deploys a standard set of management groups that are used to org
 8. [Sandbox](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/considerations/sandbox-environments) - Used to host isolated environments for testing workloads and capabilities
 9. [Decommissioned](https://learn.microsoft.com/azure/cloud-adoption-framework/migrate/migration-considerations/optimize/decommission) - Used to host workloads or capabilities that are retired, but still need to be retained
-The policy assignments will provide guardrails designed to support these usage patterns with the [Sovereignty Policy Baseline](./Sovereignty-Policy-Baseline.md) enforcing confidential computing SKUs and if enabled the [ALZ policies](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies) focus on security best practices.
+The policy assignments will provide guardrails designed to support these usage patterns with the [Sovereignty Baseline policy initiatives](./Sovereignty-Baseline-Policy-Initiatives.md) enforcing confidential computing SKUs and if enabled the [ALZ policies](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies) focus on security best practices.
-As organizations use the SLZ Preview they may find it useful refine their management group structure to group workloads further or under different contexts. This can be achieved by using the `parLandingZoneMgChildren` parameter value to create more sibling management groups to the Corp, Online, and Confidential variants.
+As organizations use the SLZ they may find it useful refine their management group structure to group workloads further or under different contexts. This can be achieved by using the `parLandingZoneMgChildren` parameter value to create more sibling management groups to the Corp, Online, and Confidential variants. Note that custom management groups will need to manage policy assignments to them as post-deployment steps.
Further developments will improve upon this customization experience.
+
+### [Microsoft Legal Notice](../NOTICE.md)
diff --git a/docs/scenarios/Extending-Compliance-Dashboard.md b/docs/scenarios/Extending-Compliance-Dashboard.md
index 58582bc..a0f0e09 100644
--- a/docs/scenarios/Extending-Compliance-Dashboard.md
+++ b/docs/scenarios/Extending-Compliance-Dashboard.md
@@ -1,6 +1,6 @@
 # Extending the Compliance Dashboard
-The SLZ Preview [Compliance Dashboard](../10-Compliance-Dashboard.md) provides a singular Azure policy compliance view for every resource within the SLZ Preview deployment. While this is a great starting point for viewing the default and built-in policies assigned with the SLZ Preview, many governance teams want to also see their own policies in the same view. This can be achieved through a few ways.
+The SLZ [Compliance Dashboard](../10-Compliance-Dashboard.md) provides a singular Azure policy compliance view for every resource within the SLZ deployment. While this is a great starting point for viewing the default and built-in policies assigned with the SLZ, many governance teams want to also see their own policies in the same view. This can be achieved through a few ways.
 ## Overall and Subscription Compliance Views
@@ -16,6 +16,8 @@ The confidential computing views are created by filtering by compliance results
 ## Custom Tiles
-When one of the above methods is not sufficient, additional tiles can be added to the SLZ Preview Compliance Dashboard by adding these to the [tiles JSON](../../custom/dashboard/compliance/tiles.json) file. This JSON file takes [Azure Portal Dashboard](https://learn.microsoft.com/azure/azure-portal/azure-portal-dashboards) tiles and will append them to the compliance dashboard.
+When one of the above methods is not sufficient, additional tiles can be added to the SLZ Compliance Dashboard by adding these to the [tiles JSON](../../custom/dashboard/compliance/tiles.json) file. This JSON file takes [Azure Portal Dashboard](https://learn.microsoft.com/azure/azure-portal/azure-portal-dashboards) tiles and will append them to the compliance dashboard. Worth noting that the `position.y` value for tile elements will need to be lower than the y-values already used by the compliance dashboard otherwise tile elements could be missing or moved. Checkout the [tiles sample](../../custom/dashboard/compliance/tiles-sample.json) for an example of this extension.
+
+### [Microsoft Legal Notice](../NOTICE.md)
diff --git a/docs/scenarios/Landing-Zone-Vending.md b/docs/scenarios/Landing-Zone-Vending.md
index 19c88c8..5dee691 100644
--- a/docs/scenarios/Landing-Zone-Vending.md
+++ b/docs/scenarios/Landing-Zone-Vending.md
@@ -1,8 +1,8 @@
 # Workload Landing Zones
-After the SLZ Preview has been deployed, organizations can begin using it to host workloads. Workloads will need their own landing zones, and for more details about the types of landing zones review the [what is a landing zone](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/#platform-landing-zones-vs-application-landing-zones) documentation.
+After the SLZ has been deployed, organizations can begin using it to host workloads. Workloads will need their own landing zones, and for more details about the types of landing zones review the [what is a landing zone](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/#platform-landing-zones-vs-application-landing-zones) documentation.
-In short, the landing zone as deployed by the SLZ Preview provides the governance framework and controls that can simplify the onboarding of workload landing zones within it's management group structure. This means workload landing zones don't need to recreate common infrastructure such as a hub network as they may use the one that already exists, nor do they need to manage policy assignments as they'll inherent the ones already assigned.
+In short, the landing zone as deployed by the SLZ provides the governance framework and controls that can simplify the onboarding of workload landing zones within it's management group structure. This means workload landing zones don't need to recreate common infrastructure such as a hub network as they may use the one that already exists, nor do they need to manage policy assignments as they'll inherent the ones already assigned.
 Workload landing zones require the creation of a subscription and placing it within the management group structure. While you may [customize the management groups](Expanding-SLZ-ManagementGroups.md) available, the following exist by default:
@@ -20,7 +20,7 @@ Workload landing zones require the creation of a subscription and placing it wit
 [Subscription vending](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/subscription-vending) provides a platform mechanism for programmatically issuing subscriptions to application teams that need to deploy workloads. This notion allows for an organization's governance and security teams to build controls and a process around subscription creation, then application teams can request a new subscription for their workload on demand after making a few choices.
-[Landing zone vending](https://github.com/Azure/bicep-lz-vending) is a GitHub repository provides the automation to deploy landing zones for workloads within the SLZ Preview. It is recommended for an organization's governance and security teams to review the parameters available in this module and enforce certain values for some, while leaving the others up to the requesting team to fill out. Once all values are added, then a pipeline running with a highly privileged account would create the landing zone and grant reduced permissions to the development team to deploy their workload within.
+[Landing zone vending](https://github.com/Azure/bicep-lz-vending) is a GitHub repository provides the automation to deploy landing zones for workloads within the SLZ. It is recommended for an organization's governance and security teams to review the parameters available in this module and enforce certain values for some, while leaving the others up to the requesting team to fill out. Once all values are added, then a pipeline running with a highly privileged account would create the landing zone and grant reduced permissions to the development team to deploy their workload within.
 It is recommended to not allow a development team set the following values:
@@ -39,9 +39,9 @@ It is recommended to allow a development to set the following values:
 However, organizations may customize these lists further and provide certain allowed values that a development team can request.
-# SLZ Preview Logging
+# SLZ Logging
-To support usage of the landing zone vending module and [running individual deployment steps](Pipeline-Deployments.md), during every execution of the SLZ Preview key resources will be logged to a CSV file. These log files will be stored in `/orchestration/scripts/outputs` and will be timestamped with the deployment name in the title.
+To support usage of the landing zone vending module and [running individual deployment steps](Pipeline-Deployments.md), during every execution of the SLZ key resources will be logged to a CSV file. These log files will be stored in `/orchestration/scripts/outputs` and will be timestamped with the deployment name in the title.
 The CSV file has the following columns:
 * Resource Name - The human readable resource name
@@ -52,4 +52,6 @@ The CSV file has the following columns:
 # Workload Templates
-Microsoft Cloud for Sovereignty has published a variety of [workload templates](https://github.com/Azure/cloud-for-sovereignty-quickstarts) including a sample application that are designed to be deployed within the SLZ Preview. These are useful resources to reference during the workload migration process.
+Microsoft Cloud for Sovereignty has published a variety of [workload templates](https://github.com/Azure/cloud-for-sovereignty-quickstarts) including a sample application that are designed to be deployed within the SLZ. These are useful resources to reference during the workload migration process.
+
+### [Microsoft Legal Notice](../NOTICE.md)
diff --git a/docs/scenarios/Piloting-SLZ.md b/docs/scenarios/Piloting-SLZ.md
index 1fe6a4f..29aa302 100644
--- a/docs/scenarios/Piloting-SLZ.md
+++ b/docs/scenarios/Piloting-SLZ.md
@@ -1,6 +1,6 @@
 # Sovereign Landing Zone Pilots
-The numbered getting started docs are intended to overview the steps that would be required for a production deployment of the SLZ Preview. However, this often requires greater permissions and has a higher cost than what an organization may be willing to spend while they are conducting a pilot.
+The numbered getting started docs are intended to overview the steps that would be required for a production deployment of the SLZ. However, this often requires greater permissions and has a higher cost than what an organization may be willing to spend while they are conducting a pilot.
 ## Reduced Permissions
@@ -9,13 +9,13 @@ The numbered getting started docs are intended to overview the steps that would
 Reference the production deployment [permission setup](../05-Permissions-Tooling.md) for the recommended steps. For pilot deployments, there are a few additional recommendations.
 1. **Use existing subscriptions**
 * This means the identity being used to deploy the SLZ Preview does not need broad permissions to create subscriptions, but can be given a set of existing subscriptions to use.
+ * This means the identity being used to deploy the SLZ does not need broad permissions to create subscriptions, but can be given a set of existing subscriptions to use.
 * See the [using existing subscriptions](./Using-Existing-Subscriptions.md) doc for more details.
 2. **Use a child management group as the top-level**
- * By default the SLZ Preview will attempt to create a top-level management group to store all resources at the [tenant root group](https://learn.microsoft.com/azure/governance/management-groups/overview#root-management-group-for-each-directory) level. This is a very board permission that may allow the identity to alter any resource within the tenant.
- * Instead, it is recommended to create a new management group at some other level and assign the broad permissions there so the identity deploying the SLZ Preview will have no ability to other existing Azure resources.
- * The SLZ Preview can be configured to deploy within this new management group via the `parTopLevelManagementGroupParentId` parameter. View our [parameter guidance](../07-Deployment-Parameters.md) doc for further details on configuring the SLZ Preview.
- * **Note** Using the `parTopLevelManagementGroupParentId` parameter to separate multiple SLZ Preview deployments is also the recommended approach for managing multiple side-by-side deployments as is needed to meet development, testing, and isolation requirements.
+ * By default the SLZ will attempt to create a top-level management group to store all resources at the [tenant root group](https://learn.microsoft.com/azure/governance/management-groups/overview#root-management-group-for-each-directory) level. This is a very board permission that may allow the identity to alter any resource within the tenant.
+ * Instead, it is recommended to create a new management group at some other level and assign the broad permissions there so the identity deploying the SLZ will have no ability to modify existing Azure resources.
+ * The SLZ can be configured to deploy within this new management group via the `parTopLevelManagementGroupParentId` parameter. View our [parameter guidance](../07-Deployment-Parameters.md) doc for further details on configuring the SLZ.
+ * **Note** Using the `parTopLevelManagementGroupParentId` parameter to separate multiple SLZ deployments is also the recommended approach for managing multiple side-by-side deployments as is needed to meet development, testing, and isolation requirements.
 ## Reduced Resources
@@ -25,3 +25,5 @@ It is crucial to be conscientious of the cost implications when conducting a pil
 2. [Azure Firewall](https://learn.microsoft.com/azure/firewall/overview) - This can be disabled by setting the `parEnableFirewall` value to `false`.
 * If Azure Firewall is needed, consider using the basic SKU by setting `parUsePremiumFirewall` to `false`
 3. [Azure Bastion](https://learn.microsoft.com/azure/bastion/bastion-overview) - This can be disabled by setting the `parDeployBastion` value to `false`.
+
+### [Microsoft Legal Notice](../NOTICE.md)
diff --git a/docs/scenarios/Pipeline-Deployments.md b/docs/scenarios/Pipeline-Deployments.md
index 66fdb31..7258f1b 100644
--- a/docs/scenarios/Pipeline-Deployments.md
+++ b/docs/scenarios/Pipeline-Deployments.md
@@ -1,10 +1,10 @@
-# Deploying the SLZ Preview in a Pipeline
+# Deploying the SLZ in a Pipeline
-While the SLZ Preview deployment process works well to be executed manually, it can also easily be executed in a pipeline. This will require that a [service principal (SPN)](https://learn.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal) has been granted the same [required permissions](../05-Permissions-Tooling.md) that a user must have, and that the SPN is bound to a [service connection](https://learn.microsoft.com/azure/devops/pipelines/library/service-endpoints?view=azure-devops&tabs=yaml#azure-resource-manager-service-connection) and used during the [pipeline execution](https://learn.microsoft.com/azure/devops/pipelines/library/service-endpoints?view=azure-devops&tabs=yaml#use-a-service-connection). There are a few considerations when doing this:
+While the SLZ deployment process works well to be executed manually, it can also easily be executed in a pipeline. This will require that a [service principal (SPN)](https://learn.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal) has been granted the same [required permissions](../05-Permissions-Tooling.md) that a user must have, and that the SPN is bound to a [service connection](https://learn.microsoft.com/azure/devops/pipelines/library/service-endpoints?view=azure-devops&tabs=yaml#azure-resource-manager-service-connection) and used during the [pipeline execution](https://learn.microsoft.com/azure/devops/pipelines/library/service-endpoints?view=azure-devops&tabs=yaml#use-a-service-connection). There are a few considerations when doing this:
 ## Running in Unattended Mode
-When the SLZ Preview deployment script is executed, it will check for dependencies and prompt the user for information. This is not suitable for pipeline deployments where it is not possible to interact with the script.
Pipelines can execute the same flow without being prompted by running the script in unattended mode:
+When the SLZ deployment script is executed, it will check for dependencies and prompt the user for information. This is not suitable for pipeline deployments where it is not possible to interact with the script. Pipelines can execute the same flow without being prompted by running the script in unattended mode:
 ```
 .\New-SovereignLandingZone.ps1 -parDeployment all -parAttendedLogin $false
@@ -14,7 +14,7 @@ Unattended mode will expect that an identity has already been logged in and that
 ## Multiple Parameter Files
-When the SLZ Preview deployment script is executed, it will reference the [parameter file](../../orchestration/scripts/parameters/sovereignLandingZone.parameters.json) for all values required for the deployment. This is not suitable for pipeline deployments where you may not want to have the parameter file checked into the same repository as the code, or when you want to use manage multiple deployments. The deployment script can be directed to find the parameter file at a different path:
+When the SLZ deployment script is executed, it will reference the [parameter file](../../orchestration/scripts/parameters/sovereignLandingZone.parameters.json) for all values required for the deployment. This is not suitable for pipeline deployments where you may not want to have the parameter file checked into the same repository as the code, or when you want to use manage multiple deployments. The deployment script can be directed to find the parameter file at a different path:
 ```
 .\New-SovereignLandingZone.ps1 -parDeployment all -parParametersFilePath path/to/parameter/file.json
@@ -22,7 +22,7 @@ When the SLZ Preview deployment script is executed, it will reference the [param
 ## Individual Deployment Steps
-The SLZ Preview deployment script has [multiple steps](../03-Deployment-Overview.md) that can be deployed individually. It is useful to run a singular deployment step to speed up the deployment process when the change that needs to be deployed is limited to one deployment step. For instance, adding new custom policies does not require redeploying the entire platform, but instead can be executed by setting the appropriate `parDeployment` CLI parameter:
+The SLZ deployment script has [multiple steps](../03-Deployment-Overview.md) that can be deployed individually. It is useful to run a singular deployment step to speed up the deployment process when the change that needs to be deployed is limited to one deployment step. For instance, adding new custom policies does not require redeploying the entire platform, but instead can be executed by setting the appropriate `parDeployment` CLI parameter:
 ```
 .\New-SovereignLandingZone.ps1 -parDeployment compliance
@@ -31,7 +31,8 @@ The SLZ Preview deployment script has [multiple steps](../03-Deployment-Overview
 Or by running:
 ```
-.\New-Compliance.ps1
+. .\New-Compliance.ps1
+New-Compliance -parParametersFilePath path/to/parameter/file.json
 ```
 These are the deployment steps:
@@ -47,9 +48,9 @@ These are the deployment steps:
 ## Required Parameters
-These deployment steps also have additional required parameters as the SLZ Preview deployment script will not attempt to query an environment to determine these values. An individual deployment step will also have the required parameters of the deployment steps that are before it. For instance the `Compliance` step will also need the `Platform` step's required parameters. Every execution of the SLZ Preview will log key resources including these required parameters to a CSV file. These log files will be stored in `/orchestration/scripts/outputs` and will be timestamped with the deployment name in the title.
+These deployment steps also have additional required parameters as the SLZ deployment script will not attempt to query an environment to determine these values. An individual deployment step will also have the required parameters of the deployment steps that are before it. For instance the `Compliance` step will also need the `Platform` step's required parameters. Every execution of the SLZ will log key resources including these required parameters to a CSV file. These log files will be stored in `/orchestration/scripts/outputs` and will be timestamped with the deployment name in the title.
-|Step Name|Required Parameters|
+|Step Name|Additional Required Parameters|
 |---------|-------------------|
 |Bootstrap|N/A|
 |Platform|`parManagementSubscriptionId`
`parIdentitySubscriptionId`
`parConnectivitySubscriptionId`|
@@ -74,3 +75,5 @@ There may be some issues invoking the SLZ deployment scripts from a BASH task. I
 ```
 Where the `SERVICE_CONNECTION` parameter is the previously setup service connection to be used during [pipeline execution](https://learn.microsoft.com/azure/devops/pipelines/library/service-endpoints?view=azure-devops&tabs=yaml#use-a-service-connection).
+
+### [Microsoft Legal Notice](../NOTICE.md)
diff --git a/docs/scenarios/README.md b/docs/scenarios/README.md
index 396064f..b1beaae 100644
--- a/docs/scenarios/README.md
+++ b/docs/scenarios/README.md
@@ -1,14 +1,16 @@
-# Sovereign Landing Zone Preview Scenarios
+# Sovereign Landing Zone Scenarios
-The following are common scenarios found during initial deployment or through operational tasks within an SLZ Preview deployment.
+The following are common scenarios found during initial deployment or through operational tasks within an SLZ deployment.
-1. [Conducting a pilot of the SLZ Preview](./Piloting-SLZ.md)
-2. [Deploying the SLZ Preview in a pipeline](./Pipeline-Deployments.md)
-3. [Using existing subscriptions for the SLZ Preview](./Using-Existing-Subscriptions.md)
-4. [What is the Sovereignty Policy Baseline](./Sovereignty-Policy-Baseline.md)
-5. [Using built-in policies or the Policy Portfolio](./Using-Policy-Portfolio.md)
-6. [Custom Azure Policies within the SLZ Preview](./Custom-Policies.md)
+1. [Conducting a pilot of the SLZ](./Piloting-SLZ.md)
+2. [Deploying the SLZ in a pipeline](./Pipeline-Deployments.md)
+3. [Using existing subscriptions for the SLZ](./Using-Existing-Subscriptions.md)
+4. [What is the Sovereignty Baseline policy initiatives](./Sovereignty-Baseline-Policy-Initiatives.md)
+5. [Using built-in policies or the policy portfolio](./Using-Policy-Portfolio.md)
+6. [Custom Azure Policies within the SLZ](./Custom-Policies.md)
 7. [Customizing the compliance dashboard](./Extending-Compliance-Dashboard.md)
 8. [Deploying application or platform landing zones](./Landing-Zone-Vending.md)
 9. [Adding additional landing zone management groups](./Expanding-SLZ-ManagementGroups.md)
 10. [Removing ALZ Policies](./Removing-Policy-Assignments.md)
+
+### [Microsoft Legal Notice](../NOTICE.md)
diff --git a/docs/scenarios/Removing-Policy-Assignments.md b/docs/scenarios/Removing-Policy-Assignments.md
index 5ec95c2..5a09c26 100644
--- a/docs/scenarios/Removing-Policy-Assignments.md
+++ b/docs/scenarios/Removing-Policy-Assignments.md
@@ -1,24 +1,24 @@ # Removing Policy Assignments -There are several options for the SLZ Preview to deploy policies. However, the SLZ Preview does not remove policy assignments by design. Policy assignments are the technical guardrails used by governance and security teams, and we want removing of policy assignments to be an intentional effort instead of an accidental one caused by a misconfiguration. To remove a policy assignment, the SLZ Preview parameter file needs to be updated to ensure it does not attempt to recreate the assignment then a secondary or manual process must go through and remove the assignment. +There are several options for the SLZ to deploy policies. However, the SLZ does not remove policy assignments by design. Policy assignments are the technical guardrails used by governance and security teams, and we want removing of policy assignments to be an intentional effort instead of an accidental one caused by a misconfiguration. To remove a policy assignment, the SLZ parameter file needs to be updated to ensure it does not attempt to recreate the assignment then a secondary or manual process must go through and remove the assignment. -Upgrades to the Sovereignty Policy Baseline or any of the built-in Policy Portfolio initiatives will be automatically addressed without secondary steps or manual intervention. +Upgrades to the Sovereignty Baseline policy initiatives or any of the built-in Microsoft Cloud for Sovereignty policy portfolio initiatives will be automatically addressed without secondary steps or manual intervention. ## Removing Old Custom Policies -Update the [custom policy definitions](../../custom/policies/definitions/) by removing the old policies out of the definitions and incrementing the version number before redeploying the SLZ Preview. The SLZ Preview will automatically remove the old definition assignment during the upgrade process. 
+Update the [custom policy definitions](../../custom/policies/definitions/) by removing the old policies out of the definitions and incrementing the version number before redeploying the SLZ. The SLZ will automatically remove the old definition assignment during the upgrade process. ## Removing Old Policy Portfolio Assignments -Update the SLZ Preview parameter file and remove the old assignment out of the `parCustomerPolicySets` parameter. This will prevent the SLZ Preview from deploying the assignment in the future. +Update the SLZ parameter file and remove the old assignment out of the `parCustomerPolicySets` parameter. This will prevent the SLZ from deploying the assignment in the future. -Navigate to the [Management Group](https://portal.azure.com/#view/Microsoft_Azure_ManagementGroups/ManagementGroupBrowseBlade/~/MGBrowse_overview) view and select the top-level management group for the SLZ Preview deployment. In the policies blade, find the assignment with the same name and manually delete it. +Navigate to the [Management Group](https://portal.azure.com/#view/Microsoft_Azure_ManagementGroups/ManagementGroupBrowseBlade/~/MGBrowse_overview) view and select the top-level management group for the SLZ deployment. In the policies blade, find the assignment with the same name and manually delete it. ## Removing the ALZ Policies -Update the SLZ Preview parameter file and set `parDeployAlzDefaultPolicies` to `false`. This will prevent the SLZ Preview from deploying the ALZ Policies in the future. +Update the SLZ parameter file and set `parDeployAlzDefaultPolicies` to `false`. This will prevent the SLZ from deploying the ALZ Policies in the future. -Navigate to the [Management Group](https://portal.azure.com/#view/Microsoft_Azure_ManagementGroups/ManagementGroupBrowseBlade/~/MGBrowse_overview) view and select the top-level management group for the SLZ Preview deployment, and then select the **Policy** blade. 
This will ensure you have the appropriate scope selected +Navigate to the [Management Group](https://portal.azure.com/#view/Microsoft_Azure_ManagementGroups/ManagementGroupBrowseBlade/~/MGBrowse_overview) view and select the top-level management group for the SLZ deployment, and then select the **Policy** blade. This will ensure you have the appropriate scope selected ![alz-initiative-assignments-overview](../images/removing-policy-assignments-01-policy-overview-blade.png) @@ -74,3 +74,5 @@ For further details refer to the [ALZ Assignment Deletion](https://github.com/Az |Configure Azure PaaS services to use private DNS zones |Configure Azure PaaS services to use private DNS zones | |Deny the creation of public IP |Not allowed resource types | |Deploy-Log-Analytics |Configure Log Analytics workspace and automation account to centralize logs and monitoring | + +### [Microsoft Legal Notice](../NOTICE.md) diff --git a/docs/scenarios/Sovereignty-Policy-Baseline.md b/docs/scenarios/Sovereignty-Baseline-Policy-Initiatives.md similarity index 76% rename from docs/scenarios/Sovereignty-Policy-Baseline.md rename to docs/scenarios/Sovereignty-Baseline-Policy-Initiatives.md index 9b7313f..6f164a1 100644 --- a/docs/scenarios/Sovereignty-Policy-Baseline.md +++ b/docs/scenarios/Sovereignty-Baseline-Policy-Initiatives.md 
@@ -1,8 +1,8 @@ -# Sovereignty Policy Baseline +# Sovereignty Baseline Policy Initiatives -The Sovereignty Policy Baseline (baseline) is one of the sets of policies in the [Microsoft Cloud for Sovereignty Portfolio](https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline). It comes deployed within every SLZ Preview environment and can be [used outside an SLZ Preview](https://github.com/Azure/cloud-for-sovereignty-policy-portfolio/) environment. +The Sovereignty Baseline policy initiatives (baseline) is one of the sets of policy initiatives in the [Microsoft Cloud for Sovereignty policy portfolio](https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline). It comes deployed within every SLZ environment and can be [used outside an SLZ](https://github.com/Azure/cloud-for-sovereignty-policy-portfolio/) environment. -The baseline is intended to supplement existing security control frameworks used by customers today with Azure policies that are grouped into the sovereignty control objectives listed below. It is not intended to replace a security control framework or fully meet the sovereignty control objectives by themselves. It should be viewed as providing a guardrail starting point for best practices past what traditional control frameworks may require and supports an organization's effort in addressing the listed control objectives. +The baseline is intended to supplement existing security control frameworks used by customers today with Azure policies that are grouped into the sovereignty control objectives listed below. It is not intended to replace a security control framework or fully meet the sovereignty control objectives by themselves. It should be viewed as providing a starting point for best practices past what traditional control frameworks may require and supports an organization's effort in addressing the listed control objectives. 
The baseline does this by introducing the notion of **customer-defined sensitive** data, which is not meant to map to any data classification framework. Instead it is there to differentiate data that an organization denotes as having additional sovereignty requirements. The below sovereignty control objectives are examples of the types of controls that an organization may have for protecting **customer-defined sensitive** data. The related policies to these objectives are only assigned to the confidential scopes while other controls are applied to all resources. @@ -51,4 +51,6 @@ The related policies are in the `dashboard-Key Management` group within these fi ## Improvement Ideas -The Sovereignty Policy Baseline is exploring a new space and we are eager to hear any suggestions about how they should be structured, other control objectives that should be included, how they should support specific workload architectures, or any other areas. Please submit any [feedback or improvement ideas](https://github.com/Azure/sovereign-landing-zone/issues/new/choose) you may have. +The Sovereignty Baseline policy initiatives are exploring a new space and we are eager to hear any suggestions about how they should be structured, other control objectives that should be included, how they should support specific workload architectures, or any other areas. Please submit any [feedback or improvement ideas](https://github.com/Azure/sovereign-landing-zone/issues/new/choose) you may have. + +### [Microsoft Legal Notice](../NOTICE.md) diff --git a/docs/scenarios/Using-Existing-Subscriptions.md b/docs/scenarios/Using-Existing-Subscriptions.md index dddf373..bb6f94a 100644 --- a/docs/scenarios/Using-Existing-Subscriptions.md +++ b/docs/scenarios/Using-Existing-Subscriptions.md 
@@ -1,15 +1,15 @@ # Using Existing Subscriptions -In some cases the user will not be able to use the SLZ Preview to create subscriptions. This often happens for organizations that procure subscriptions through a partner or when an organization's policy requires the user to procure subscriptions through another internal team or process. +In some cases the user will not be able to use the SLZ to create subscriptions. This often happens for organizations that procure subscriptions through a partner or when an organization's policy requires the user to procure subscriptions through another internal team or process. -In either case, the lifecycle for subscriptions does not need to be managed by the SLZ Preview and the SLZ Preview can be configured to use existing subscriptions. In this case the user will still require the permissions described [during the setup steps](../05-Permissions-Tooling.md) as well as the [Owner](https://learn.microsoft.com/azure/role-based-access-control/built-in-roles#owner) permission within all subscriptions being used. +In either case, the lifecycle for subscriptions does not need to be managed by the SLZ and the SLZ can be configured to use existing subscriptions. In this case the user will still require the permissions described [during the setup steps](../05-Permissions-Tooling.md) as well as the [Owner](https://learn.microsoft.com/azure/role-based-access-control/built-in-roles#owner) permission within all subscriptions being used. -It is recommended for these subscriptions to follow the same naming convention as the SLZ Preview deployed ones: +It is recommended for these subscriptions to follow the same naming convention as the SLZ deployed ones: 1. `{parDeploymentPrefix}-connectivity{parDeploymentSuffix}` 2. `{parDeploymentPrefix}-identity{parDeploymentSuffix}` 3. `{parDeploymentPrefix}-management{parDeploymentSuffix}` -Although any naming convention can be used. 
To configure the SLZ Preview to use these subscriptions when deploying resources, update the parameters file with the following values: +Although any naming convention can be used. To configure the SLZ to use these subscriptions when deploying resources, update the parameters file with the following values: 1. `parConnectivitySubscriptionId`.value * The ID of the `{parDeploymentPrefix}-connectivity{parDeploymentSuffix}` subscription. 2. `parIdentitySubscriptionId`.value @@ -19,4 +19,6 @@ Although any naming convention can be used. To configure the SLZ Preview to use ## Deployments in a Singular Subscription -While it is technically possible to use the same subscription ID for all 3 default subscriptions to effectively deploy the SLZ Preview into one subscription, this is not a supported scenario and there may be unexpected conflicts. +While it is technically possible to use the same subscription ID for all 3 default subscriptions to effectively deploy the SLZ into one subscription, this is not a supported scenario and there may be unexpected conflicts such as the incorrect set of Azure policies influencing the resources. + +### [Microsoft Legal Notice](../NOTICE.md) diff --git a/docs/scenarios/Using-Policy-Portfolio.md b/docs/scenarios/Using-Policy-Portfolio.md index f077919..499b98e 100644 --- a/docs/scenarios/Using-Policy-Portfolio.md +++ b/docs/scenarios/Using-Policy-Portfolio.md 
@@ -1,7 +1,9 @@ # Using the Policy Portfolio -The Microsoft Cloud for Sovereignty has as [Policy Portfolio](https://github.com/Azure/cloud-for-sovereignty-policy-portfolio) with each set of initiatives within the portfolio designed to help an organization demonstrate compliance against a country or industry specific regulation. Our [public documentation](https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline) contains more information. +The Microsoft Cloud for Sovereignty has as [policy portfolio](https://github.com/Azure/cloud-for-sovereignty-policy-portfolio) with each set of initiatives within the portfolio designed to help an organization demonstrate compliance against a country or industry specific regulation. Our [public documentation](https://learn.microsoft.com/industry/sovereignty/policy-portfolio-baseline) contains more information. -All sets of initiatives within the policy portfolio can be used in any landing zone, but have also been tested against workloads running within the SLZ Preview. For the [sets of policies](https://github.com/Azure/cloud-for-sovereignty-policy-portfolio) that are not yet built-in, their definitions will need to be deployed in the top-level or parent management group for the SLZ Preview prior to being deployed. Follow the documentation within the portfolio repository for more details. All others will be built-in and no additional setup steps are required. +All sets of initiatives within the policy portfolio can be used in any landing zone, but have also been tested against workloads running within the SLZ. For the [sets of policies](https://github.com/Azure/cloud-for-sovereignty-policy-portfolio) that are not yet built-in, their definitions will need to be deployed in the top-level or parent management group for the SLZ prior to being deployed. Follow the documentation within the portfolio repository for more details. All others will be built-in and no additional setup steps are required. 
-To use one or more policy sets from the policy portfolio update the `parCustomerPolicySets` parameter with the assignment information. These assignments will be created at the top-level management group for the SLZ Preview and will apply to all resources contained within. All policy sets within the portfolio have safe defaults, so no additional configuration is required to get started with them. The `parCustomerPolicySets` parameter does not allow for Azure policy assignment parameters to be passed.
+To use one or more policy sets from the policy portfolio update the `parCustomerPolicySets` parameter with the assignment information. These assignments will be created at the top-level management group for the SLZ and will apply to all resources contained within. All policy sets within the portfolio have safe defaults, so no additional configuration is required to get started with them. The `parCustomerPolicySets` parameter does not allow for Azure policy assignment parameters to be passed.
+
+### [Microsoft Legal Notice](../NOTICE.md)
diff --git a/modules/compliance/defaultCompliance.bicep b/modules/compliance/defaultCompliance.bicep
index 4995d50..fa03eaf 100644
--- a/modules/compliance/defaultCompliance.bicep
+++ b/modules/compliance/defaultCompliance.bicep
@@ -179,6 +179,9 @@ module modPolicyAssignmentSlzGlobalDefaults '../../dependencies/infra-as-code/bi
 listOfAllowedLocations: {
 value: parAllowedLocations
 }
+ effect: {
+ value: parPolicyEffect
+ }
 }
 parPolicyAssignmentIdentityType: 'SystemAssigned'
 parPolicyAssignmentIdentityRoleDefinitionIds: [
diff --git a/modules/compliance/policySetDefinitions/slzConfidentialDefaults.json b/modules/compliance/policySetDefinitions/slzConfidentialDefaults.json
index d8db9d7..54cd1dd 100644
--- a/modules/compliance/policySetDefinitions/slzConfidentialDefaults.json
+++ b/modules/compliance/policySetDefinitions/slzConfidentialDefaults.json
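Review bot: Only the `modPolicyAssignmentSlzGlobalDefaults` assignment receives the new `effect` value here, yet the slzConfidentialDefaults set on the next line also wires `policyEffect` to `[[parameters('effect')]`; unless the confidential assignment module is patched outside this diff, it keeps whatever default that set declares, so a deployment that sets `parPolicyEffect` to `Audit` would presumably audit at the global scope but keep the confidential scope on the set's own default (or fail outright if the set does not declare `effect`). Passing `effect: { value: parPolicyEffect }` to the confidential assignment as well keeps the two scopes in step. The enclosing module declaration starts before the hunk.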
@@ -127,6 +127,9 @@
 "parameters": {
 "listOfAllowedLocations": {
 "value": "[[parameters('listOfAllowedLocations')]"
+ },
+ "policyEffect": {
+ "value": "[[parameters('effect')]"
 }
 },
 "groupNames": ["dashboard-Data Residency"]
diff --git a/modules/compliance/policySetDefinitions/slzGlobalDefaults.json b/modules/compliance/policySetDefinitions/slzGlobalDefaults.json
index 627d41e..721801a 100644
--- a/modules/compliance/policySetDefinitions/slzGlobalDefaults.json
+++ b/modules/compliance/policySetDefinitions/slzGlobalDefaults.json
@@ -8,6 +8,15 @@
 "version": "0.3.0"
 },
 "parameters": {
+ "effect": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Execution of the policy"
+ },
+ "allowedValues": ["Audit", "Deny", "Disabled", "AuditIfNotExists"],
+ "defaultValue": "Deny"
+ },
 "listOfAllowedLocations": {
 "type": "array",
 "defaultValue": [],
@@ -108,6 +117,9 @@
 "parameters": {
 "listOfAllowedLocations": {
 "value": "[[parameters('listOfAllowedLocations')]"
+ },
+ "policyEffect": {
+ "value": "[[parameters('effect')]"
 }
 },
 "groupNames": ["dashboard-Data Residency"]
diff --git a/orchestration/const/doNotRetryErrorCodes.json b/orchestration/const/doNotRetryErrorCodes.json
index b1546b8..ffde31d 100644
--- a/orchestration/const/doNotRetryErrorCodes.json
+++ b/orchestration/const/doNotRetryErrorCodes.json
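Review bot: The new `effect` parameter's description, `Execution of the policy`, does not say which policy it drives or that `Disabled` switches that check off for the whole initiative, and the two hunks that consume it (`policyEffect` in the `dashboard-Data Residency` group of slzConfidentialDefaults.json and slzGlobalDefaults.json) only make sense with that context; suggest `"description": "Effect applied to the policy in the dashboard-Data Residency group that takes listOfAllowedLocations. Deny blocks non-compliant deployments, Audit only reports, Disabled turns the check off."`. The slzConfidentialDefaults.json hunk references `[[parameters('effect')]`, but no hunk declaring an `effect` parameter in that set is visible in this diff, so either it already exists there or the set definition will fail to deploy. `AuditIfNotExists` in `allowedValues` is not in the `parPolicyEffect` list in sovereignLandingZone.parameters.json, which this same commit narrows to Audit/Deny/Disabled, so the two lists disagree. `"version": "0.3.0"` is left unchanged although the parameter surface of the set grew.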
@@ -1,29 +1,33 @@
 {
- "description": "This file contains all the error codes for while the retry logic would not be triggered",
- "errorCodes": [
- {
- "code": "RequestDisallowedByPolicy",
- "errorDescription": "A resource deployment was disallowed by policy"
- },
- {
- "code": "MissingSubscriptionRegistration",
- "errorDescription": "The subscription must be registered to use the namespace."
- },
- {
- "code": "InvalidPolicySetParameterUpdate",
- "errorDescription": "The policy contains new parameter(s) which are not present in the existing policy and have no default value. New parameters may be added to a policy only if they have a default value."
- },
- {
- "code": "UndefinedPolicyParameter",
- "errorDescription": "The policy assignment has the parameter(s) which are not defined in the policy definition"
- },
- {
- "code": "ReferencedResourceNotProvisioned",
- "errorDescription": "Cannot proceed with operation because the resource is not in Succeeded state."
- },
- {
- "code": "UserNotAuthorized",
- "errorDescription": "User is not authorized to create a particular resource/subscription"
- }
- ]
-}
\ No newline at end of file
+ "description": "This file contains all the error codes for while the retry logic would not be triggered",
+ "errorCodes": [
+ {
+ "code": "RequestDisallowedByPolicy",
+ "errorDescription": "A resource deployment was disallowed by policy"
+ },
+ {
+ "code": "MissingSubscriptionRegistration",
+ "errorDescription": "The subscription must be registered to use the namespace."
+ },
+ {
+ "code": "InvalidPolicySetParameterUpdate",
+ "errorDescription": "The policy contains new parameter(s) which are not present in the existing policy and have no default value. New parameters may be added to a policy only if they have a default value."
+ },
+ {
+ "code": "UndefinedPolicyParameter",
+ "errorDescription": "The policy assignment has the parameter(s) which are not defined in the policy definition"
+ },
+ {
+ "code": "ReferencedResourceNotProvisioned",
+ "errorDescription": "Cannot proceed with operation because the resource is not in Succeeded state."
+ },
+ {
+ "code": "UserNotAuthorized",
+ "errorDescription": "User is not authorized to create a particular resource/subscription"
+ },
+ {
+ "code": "InvalidRequestContent",
+ "errorDescription": " The request content was invalid and could not be deserialized"
+ }
+ ]
+}
diff --git a/orchestration/dashboard/dashboard.bicep b/orchestration/dashboard/dashboard.bicep
index 30ae565..3ba5d48 100644
--- a/orchestration/dashboard/dashboard.bicep
+++ b/orchestration/dashboard/dashboard.bicep
@@ -97,7 +97,7 @@ module modDashboardResourceGroup '../../modules/resourceGroups/dashboardResource
 } }
-var varDashboardDisplayName = '${parDeploymentPrefix}-Sovereign-Landing-Zone-Dashboard-Preview-${parDeploymentLocation}${parDeploymentSuffix}'
+var varDashboardDisplayName = '${parDeploymentPrefix}-Sovereign-Landing-Zone-Dashboard-${parDeploymentLocation}${parDeploymentSuffix}'
 // Deploy dashboard
 module modDashboard '../../modules/dashboard/dashboard.bicep' = {
diff --git a/orchestration/scripts/Invoke-Helper.ps1 b/orchestration/scripts/Invoke-Helper.ps1
index a2bdab9..8ec6dcf 100644
--- a/orchestration/scripts/Invoke-Helper.ps1
+++ b/orchestration/scripts/Invoke-Helper.ps1
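Review bot: The new `InvalidRequestContent` entry carries a leading space in its description, `" The request content was invalid and could not be deserialized"`, unlike every other entry in the list; use `"errorDescription": "The request content was invalid and could not be deserialized"`. Because the whole file is re-emitted as `+` lines (an indentation change that hides the one real addition), the pre-existing wording defect in the top-level description, `for while the retry logic would not be triggered`, could be fixed in the same pass, e.g. `"description": "Error codes for which the retry logic is not triggered"`. Keeping the list otherwise untouched in a reindent commit would make the actual change reviewable from the diff alone.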
@@ -705,7 +705,7 @@ function Show-DashboardInfo {
 $parDeploymentSuffix = $parParameters.parDeploymentSuffix.value
 $varSignedInUser = Get-SignedInUser
 $varResourceGroupName = "$parDeploymentPrefix-rg-dashboards-$parDeploymentLocation$parDeploymentSuffix"
-$varDashboardName = "$parDeploymentPrefix-Sovereign-Landing-Zone-Dashboard-Preview-$parDeploymentLocation$parDeploymentSuffix"
+$varDashboardName = "$parDeploymentPrefix-Sovereign-Landing-Zone-Dashboard-$parDeploymentLocation$parDeploymentSuffix"
 $varUserDomain = $varSignedInUser.Substring($varSignedInUser.IndexOf("@"))
 $varDashboardLink = "$varAzPortalLink/#$varUserDomain/dashboard/arm/subscriptions/$varManagementSubscriptionId"
 $varDashboardLink = "$varDashboardLink/resourceGroups/$varResourceGroupName/providers/Microsoft.Portal/dashboards/$varDashboardName"
diff --git a/orchestration/scripts/New-Bootstrap.ps1 b/orchestration/scripts/New-Bootstrap.ps1
index 88b624a..cfbd2db 100644
--- a/orchestration/scripts/New-Bootstrap.ps1
+++ b/orchestration/scripts/New-Bootstrap.ps1
@@ -99,6 +99,10 @@ function New-Bootstrap {
 Write-Information "Registering Microsoft.Network resource provider for subscription id: $varConnectivitySubscriptionId...." -InformationAction Continue
 Set-AzContext -Subscription "$varConnectivitySubscriptionId"
 Register-ResourceProvider "Microsoft.Network"
+ #Move customer provided subscriptions to the slz management group
+ if ($parParameters.parConnectivitySubscriptionId.value -or $parParameters.parIdentitySubscriptionId.value -or $parParameters.parManagementSubscriptionId.value){
+ Move-Subscription $varParameters $modDeployBootstrap
+ }
 # update parameters
 Out-DeploymentParameters "bootstrap" $modDeployBootstrap $varManagementGroupId $parParameters
diff --git a/orchestration/scripts/New-SovereignLandingZone.ps1 b/orchestration/scripts/New-SovereignLandingZone.ps1
index 7deb297..b4515f1 100644
--- a/orchestration/scripts/New-SovereignLandingZone.ps1
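Review bot: The new guard in New-Bootstrap tests `$parParameters.parConnectivitySubscriptionId.value` (and the identity and management IDs) but the call on the next line hands `$varParameters` to `Move-Subscription`; if `$varParameters` is a derived copy of `$parParameters` this is presumably intended, but the check and the move should read the same object so that the subscription IDs that pass the guard are the ones actually moved. Moving a customer-provided subscription under the SLZ management group brings it into scope of the baseline policy assignments, so it is worth announcing like the step above it, e.g. `Write-Information "Moving customer provided subscriptions under the SLZ management group...." -InformationAction Continue` before the `if`. The same `Move-Subscription` call is removed from both paths in New-SovereignLandingZone.ps1 on the next line, so bootstrap is now the only place subscriptions are moved; a `platform`-only run against pre-existing subscriptions will no longer move them, which should be stated in the comment or the docs. The enclosing function starts before the hunk.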
+++ b/orchestration/scripts/New-SovereignLandingZone.ps1
@@ -71,8 +71,6 @@ switch ($parDeployment) {
 'platform' {
 Confirm-Parameters($varPlatformRequiredParams)
 New-Platform $null $varParameters $null
- Move-Subscription $varParameters $null
- }
 'compliance' {
@@ -120,9 +118,6 @@ switch ($parDeployment) {
 Write-Error "Platform deployment script failed." -ErrorAction Stop
 }
- #Move Subscription
- Move-Subscription $varParameters $modDeployBootstrapOutputs
- #Compliance
 New-Compliance $null $varParameters $modDeploySovereignPlatformOutputs
diff --git a/orchestration/scripts/parameters/sovereignLandingZone.parameters.json b/orchestration/scripts/parameters/sovereignLandingZone.parameters.json
index 42c04e4..b5daefe 100644
--- a/orchestration/scripts/parameters/sovereignLandingZone.parameters.json
+++ b/orchestration/scripts/parameters/sovereignLandingZone.parameters.json
@@ -9,14 +9,14 @@
 "maxLength": 5,
 "defaultValue": "mcfs",
 "value": null,
- "description": "Prefix added to all Azure resources created by the SLZ Preview."
+ "description": "Prefix added to all Azure resources created by the SLZ."
 },
 "parTopLevelManagementGroupName": {
 "type": "string",
 "usedBy": "all and bootstrap",
 "defaultValue": "Microsoft Cloud for Sovereignty",
 "value": null,
- "description": "The name of the top-level management group for the SLZ Preview."
+ "description": "The name of the top-level management group for the SLZ."
 },
 "parDeploymentSuffix": {
 "type": "string",
@@ -24,7 +24,7 @@
 "maxLength": 5,
 "defaultValue": null,
 "value": null,
- "description": "Optional suffix that will be added to all Azure resources created by the the SLZ Preview. Use a '-' at the start of the suffix value if a dash is needed."
+ "description": "Optional suffix that will be added to all Azure resources created by the the SLZ. Use a '-' at the start of the suffix value if a dash is needed."
 },
 "parTopLevelManagementGroupParentId": {
 "type": "string",
@@ -47,7 +47,7 @@
 "usedBy": "all and dashboard",
 "defaultValue": "Country/Region",
 "value": null,
- "description": "The name of the organization deploying the SLZ Preview to brand the compliance dashboard appropriately."
+ "description": "The name of the organization deploying the SLZ to brand the compliance dashboard appropriately."
 },
 "parDeploymentLocation": {
 "type": "string",
@@ -438,7 +438,7 @@
 ],
 "defaultValue": [],
 "value": [],
- "description": "Optional array of child management groups to deploy under the SLZ Preview Landing Zones management group."
+ "description": "Optional array of child management groups to deploy under the SLZ Landing Zones management group."
 },
 "parDeployAlzDefaultPolicies": {
 "type": "bool",
@@ -497,13 +497,9 @@
 "allowedValues": [
 "Audit",
 "Deny",
- "Disabled",
- "DeployIfNotExists",
- "Modify",
- "Append",
- "AuditIfNotExists"
+ "Disabled"
 ],
- "description": "The policy effect used in all assignments for the Sovereignty Policy Baseline."
+ "description": "The policy effect used in all assignments for the Sovereignty Baseline policy initiatives."
 },
 "parDeployLogAnalyticsWorkspace": {
 "type": "bool",
@@ -525,7 +521,7 @@
 }
 ],
 "value": [],
- "description": "Toggles deployment of Log Analytics Workspace. True to deploy, otherwise false."
+ "description": "Optional array of customer specified policy assignments to the top-level management group."
 },
 "parTags": {
 "type": "object",
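Review bot: Narrowing `parPolicyEffect`'s `allowedValues` to `Audit`, `Deny` and `Disabled` in the `@@ -497` hunk is a breaking change for any existing parameter file that carries one of the four removed values, and the list now disagrees with the initiative definition in slzGlobalDefaults.json in this same commit, which still accepts `AuditIfNotExists`; pick one list and use it in both places. The updated description, `The policy effect used in all assignments for the Sovereignty Baseline policy initiatives`, should also tell the operator what each value does to the guardrails, e.g. append `Deny blocks non-compliant deployments, Audit only reports them, Disabled switches the checks off.`; in the hunks visible here only the data-residency policy of each set actually consumes the value, so "all assignments" may overstate the reach. The `@@ -525` hunk fixes a copy-pasted description, but the key it belongs to starts before the hunk, so whether it is the `parCustomerPolicySets` entry cannot be confirmed from this diff.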