Various fixes (#663)

Co-authored-by: Anthony Watherston <[email protected]>

Schemas/policy-assignment-schema.json

@@ -26,6 +26,9 @@
                 "policySetName": {
                     "type": "string"
                 },
+                "definitionVersion": {
+                    "type": "string"
+                },
                 "displayName": {
                     "type": "string"
                 },
@@ -74,6 +77,9 @@
                         "policySetName": {
                             "type": "string"
                         },
+                        "definitionVersion": {
+                            "type": "string"
+                        },
                         "displayName": {
                             "type": "string"
                         },

Schemas/policy-set-definition-schema.json

@@ -78,6 +78,9 @@
                                 "policyDefinitionReferenceId": {
                                     "type": "string"
                                 },
+                                "definitionVersion": {
+                                    "type": "string"
+                                },
                                 "parameters": {
                                     "type": "object"
                                 },

Scripts/CloudAdoptionFramework/policyAssignments/ALZ-Corp-Default.jsonc

@@ -44,58 +44,58 @@
                         // but modify to reference your connectivity subscription.
                         // Also update additionalRoleAssignments block to ensure your connectivity subscription Id is referenced.
                         // If you don't require this then remove the assignment block. 
+                        "azureStorageBlobSecPrivateDnsZoneId": "--DNSZonePrefix--privatelink.blob.core.windows.net",
+                        "azureStorageQueuePrivateDnsZoneId": "--DNSZonePrefix--privatelink.queue.core.windows.net",
+                        "azureIotHubsPrivateDnsZoneId": "--DNSZonePrefix--privatelink.azure-devices.net",
+                        "azureCosmosMongoPrivateDnsZoneId": "--DNSZonePrefix--privatelink.mongo.cosmos.azure.com",
+                        "azureEventHubNamespacePrivateDnsZoneId": "--DNSZonePrefix--privatelink.servicebus.windows.net",
+                        "azureSynapseSQLPrivateDnsZoneId": "--DNSZonePrefix--privatelink.sql.azuresynapse.net",
+                        "azureDatabricksPrivateDnsZoneId": "--DNSZonePrefix--privatelink.azuredatabricks.net",
+                        "azureMonitorPrivateDnsZoneId4": "--DNSZonePrefix--privatelink.agentsvc.azure-automation.net",
+                        "azureEventGridDomainsPrivateDnsZoneId": "--DNSZonePrefix--privatelink.eventgrid.azure.net",
+                        "azureStorageStaticWebPrivateDnsZoneId": "--DNSZonePrefix--privatelink.web.core.windows.net",
+                        "azureStorageQueueSecPrivateDnsZoneId": "--DNSZonePrefix--privatelink.queue.core.windows.net",
                         "azureStorageDFSSecPrivateDnsZoneId": "--DNSZonePrefix--privatelink.dfs.core.windows.net",
+                        "azureCosmosGremlinPrivateDnsZoneId": "--DNSZonePrefix--privatelink.gremlin.cosmos.azure.com",
+                        "azureRedisCachePrivateDnsZoneId": "--DNSZonePrefix--privatelink.redis.cache.windows.net",
+                        "azureBatchPrivateDnsZoneId": "--DNSZonePrefix--privatelink.batch.azure.com",
+                        "azureCosmosSQLPrivateDnsZoneId": "--DNSZonePrefix--privatelink.documents.azure.com",
+                        "azureMediaServicesStreamPrivateDnsZoneId": "--DNSZonePrefix--privatelink.media.azure.net",
+                        "azureDiskAccessPrivateDnsZoneId": "--DNSZonePrefix--privatelink.blob.core.windows.net",
+                        "azureSignalRPrivateDnsZoneId": "--DNSZonePrefix--privatelink.service.signalr.net",
                         "azureIotPrivateDnsZoneId": "--DNSZonePrefix--privatelink.azure-devices-provisioning.net",
-                        "azureSynapseDevPrivateDnsZoneId": "--DNSZonePrefix--privatelink.dev.azuresynapse.net",
-                        "azureSynapseSQLODPrivateDnsZoneId": "--DNSZonePrefix--privatelink.sql.azuresynapse.net",
-                        "azureIotHubsPrivateDnsZoneId": "--DNSZonePrefix--privatelink.azure-devices.net",
+                        "azureCognitiveServicesPrivateDnsZoneId": "--DNSZonePrefix--privatelink.cognitiveservices.azure.com",
+                        "azureAcrPrivateDnsZoneId": "--DNSZonePrefix--privatelink.azurecr.io",
+                        "azureStorageFilePrivateDnsZoneId": "--DNSZonePrefix--privatelink.file.core.windows.net",
+                        "azureMachineLearningWorkspacePrivateDnsZoneId": "--DNSZonePrefix--privatelink.api.azureml.ms",
+                        "azureMediaServicesKeyPrivateDnsZoneId": "--DNSZonePrefix--privatelink.media.azure.net",
                         "azureCognitiveSearchPrivateDnsZoneId": "--DNSZonePrefix--privatelink.search.windows.net",
+                        "azureSynapseDevPrivateDnsZoneId": "--DNSZonePrefix--privatelink.dev.azuresynapse.net",
+                        "azureDataFactoryPortalPrivateDnsZoneId": "--DNSZonePrefix--privatelink.adf.azure.com",
                         "azureServiceBusNamespacePrivateDnsZoneId": "--DNSZonePrefix--privatelink.servicebus.windows.net",
+                        "azureCosmosTablePrivateDnsZoneId": "--DNSZonePrefix--privatelink.table.cosmos.azure.com",
+                        "azureAutomationWebhookPrivateDnsZoneId": "--DNSZonePrefix--privatelink.azure-automation.net",
+                        "azureStorageStaticWebSecPrivateDnsZoneId": "--DNSZonePrefix--privatelink.web.core.windows.net",
+                        "azureAutomationDSCHybridPrivateDnsZoneId": "--DNSZonePrefix--privatelink.azure-automation.net",
                         "azureMigratePrivateDnsZoneId": "--DNSZonePrefix--privatelink.prod.migration.windowsazure.com",
-                        "azureCognitiveServicesPrivateDnsZoneId": "--DNSZonePrefix--privatelink.cognitiveservices.azure.com",
-                        "azureAcrPrivateDnsZoneId": "--DNSZonePrefix--privatelink.azurecr.io",
-                        "azureDiskAccessPrivateDnsZoneId": "--DNSZonePrefix--privatelink.blob.core.windows.net",
-                        "azureWebPrivateDnsZoneId": "--DNSZonePrefix--privatelink.webpubsub.azure.com",
-                        "azureCosmosMongoPrivateDnsZoneId": "--DNSZonePrefix--privatelink.mongo.cosmos.azure.com",
-                        "azureBatchPrivateDnsZoneId": "--DNSZonePrefix--privatelink.batch.azure.com",
-                        "azureStorageQueuePrivateDnsZoneId": "--DNSZonePrefix--privatelink.queue.core.windows.net",
+                        "azureFilePrivateDnsZoneId": "--DNSZonePrefix--privatelink.afs.azure.net",
+                        "azureStorageBlobPrivateDnsZoneId": "--DNSZonePrefix--privatelink.blob.core.windows.net",
+                        "azureHDInsightPrivateDnsZoneId": "--DNSZonePrefix--privatelink.azurehdinsight.net",
                         "azureMonitorPrivateDnsZoneId5": "--DNSZonePrefix--privatelink.blob.core.windows.net",
-                        "azureAppPrivateDnsZoneId": "--DNSZonePrefix--privatelink.azconfig.io",
-                        "azureStorageDFSPrivateDnsZoneId": "--DNSZonePrefix--privatelink.dfs.core.windows.net",
                         "azureDataFactoryPrivateDnsZoneId": "--DNSZonePrefix--privatelink.datafactory.azure.net",
-                        "azureCosmosGremlinPrivateDnsZoneId": "--DNSZonePrefix--privatelink.gremlin.cosmos.azure.com",
-                        "azureAsrPrivateDnsZoneId": "--DNSZonePrefix--privatelink.siterecovery.windowsazure.com",
-                        "azureEventHubNamespacePrivateDnsZoneId": "--DNSZonePrefix--privatelink.servicebus.windows.net",
-                        "azureMediaServicesKeyPrivateDnsZoneId": "--DNSZonePrefix--privatelink.media.azure.net",
-                        "azureStorageFilePrivateDnsZoneId": "--DNSZonePrefix--privatelink.file.core.windows.net",
-                        "azureDatabricksPrivateDnsZoneId": "--DNSZonePrefix--privatelink.azuredatabricks.net",
-                        "azureStorageStaticWebSecPrivateDnsZoneId": "--DNSZonePrefix--privatelink.web.core.windows.net",
-                        "azureStorageBlobSecPrivateDnsZoneId": "--DNSZonePrefix--privatelink.blob.core.windows.net",
-                        "azureCosmosSQLPrivateDnsZoneId": "--DNSZonePrefix--privatelink.documents.azure.com",
+                        "azureAppServicesPrivateDnsZoneId": "--DNSZonePrefix--privatelink.azurewebsites.net",
+                        "azureMediaServicesLivePrivateDnsZoneId": "--DNSZonePrefix--privatelink.media.azure.net",
                         "azureMonitorPrivateDnsZoneId2": "--DNSZonePrefix--privatelink.oms.opinsights.azure.com",
-                        "azureKeyVaultPrivateDnsZoneId": "--DNSZonePrefix--privatelink.vaultcore.azure.net",
-                        "azureEventGridTopicsPrivateDnsZoneId": "--DNSZonePrefix--privatelink.eventgrid.azure.net",
-                        "azureMachineLearningWorkspacePrivateDnsZoneId": "--DNSZonePrefix--privatelink.api.azureml.ms",
-                        "azureEventGridDomainsPrivateDnsZoneId": "--DNSZonePrefix--privatelink.eventgrid.azure.net",
-                        "azureMediaServicesStreamPrivateDnsZoneId": "--DNSZonePrefix--privatelink.media.azure.net",
                         "azureMonitorPrivateDnsZoneId1": "--DNSZonePrefix--privatelink.monitor.azure.com",
-                        "azureSynapseSQLPrivateDnsZoneId": "--DNSZonePrefix--privatelink.sql.azuresynapse.net",
-                        "azureFilePrivateDnsZoneId": "--DNSZonePrefix--privatelink.afs.azure.net",
-                        "azureHDInsightPrivateDnsZoneId": "--DNSZonePrefix--privatelink.azurehdinsight.net",
-                        "azureCosmosCassandraPrivateDnsZoneId": "--DNSZonePrefix--privatelink.cassandra.cosmos.azure.com",
                         "azureMonitorPrivateDnsZoneId3": "--DNSZonePrefix--privatelink.ods.opinsights.azure.com",
-                        "azureMediaServicesLivePrivateDnsZoneId": "--DNSZonePrefix--privatelink.media.azure.net",
-                        "azureCosmosTablePrivateDnsZoneId": "--DNSZonePrefix--privatelink.table.cosmos.azure.com",
-                        "azureAutomationDSCHybridPrivateDnsZoneId": "--DNSZonePrefix--privatelink.azure-automation.net",
-                        "azureStorageStaticWebPrivateDnsZoneId": "--DNSZonePrefix--privatelink.web.core.windows.net",
-                        "azureSignalRPrivateDnsZoneId": "--DNSZonePrefix--privatelink.service.signalr.net",
-                        "azureMonitorPrivateDnsZoneId4": "--DNSZonePrefix--privatelink.agentsvc.azure-automation.net",
-                        "azureAppServicesPrivateDnsZoneId": "--DNSZonePrefix--privatelink.azurewebsites.net",
-                        "azureStorageQueueSecPrivateDnsZoneId": "--DNSZonePrefix--privatelink.queue.core.windows.net",
-                        "azureRedisCachePrivateDnsZoneId": "--DNSZonePrefix--privatelink.redis.cache.windows.net",
-                        "azureStorageBlobPrivateDnsZoneId": "--DNSZonePrefix--privatelink.blob.core.windows.net",
-                        "azureAutomationWebhookPrivateDnsZoneId": "--DNSZonePrefix--privatelink.azure-automation.net",
-                        "azureDataFactoryPortalPrivateDnsZoneId": "--DNSZonePrefix--privatelink.adf.azure.com"
+                        "azureSynapseSQLODPrivateDnsZoneId": "--DNSZonePrefix--privatelink.sql.azuresynapse.net",
+                        "azureAsrPrivateDnsZoneId": "--DNSZonePrefix--privatelink.siterecovery.windowsazure.com",
+                        "azureWebPrivateDnsZoneId": "--DNSZonePrefix--privatelink.webpubsub.azure.com",
+                        "azureStorageDFSPrivateDnsZoneId": "--DNSZonePrefix--privatelink.dfs.core.windows.net",
+                        "azureEventGridTopicsPrivateDnsZoneId": "--DNSZonePrefix--privatelink.eventgrid.azure.net",
+                        "azureKeyVaultPrivateDnsZoneId": "--DNSZonePrefix--privatelink.vaultcore.azure.net",
+                        "azureCosmosCassandraPrivateDnsZoneId": "--DNSZonePrefix--privatelink.cassandra.cosmos.azure.com",
+                        "azureAppPrivateDnsZoneId": "--DNSZonePrefix--privatelink.azconfig.io"
                     },
                     "nonComplianceMessages": [
                         {

Scripts/CloudAdoptionFramework/policyAssignments/ALZ-Platform-Default.jsonc

@@ -15,7 +15,8 @@
         "enableProcessesAndDependencies": true,
         "userAssignedManagedIdentityResourceGroup": "", //Replace with the name of the resource group where the user assigned managed identity is deployed
         "identityResourceGroup": "", // Replace with the name of the resource group where the user assigned managed identity is deployed
-        "scopeToSupportedImages": false
+        "scopeToSupportedImages": false,
+        "resourceName": "" // Replace with the name of the user assigned managed identity
     },
     "children": [
         {
@@ -135,6 +136,22 @@
                     "parameters": {
                         "dcrResourceId": "" // Resource Id for the deployed DCR - see https://github.com/Azure/Enterprise-Scale/blob/main/eslzArm/resourceGroupTemplates/dataCollectionRule-VmInsights.json
                     }
+                },
+                {
+                    "nodeName": "UAMIAMA",
+                    "assignment": {
+                        "name": "DenyAction-DeleteUAMIAMA",
+                        "displayName": "Do not allow deletion of the User Assigned Managed Identity used by AMA",
+                        "description": "This policy provides a safeguard against accidental removal of the User Assigned Managed Identity used by AMA by blocking delete calls using deny action effect."
+                    },
+                    "definitionEntry": {
+                        "policyName": "DenyAction-DeleteResources",
+                        "displayName": "Do not allow deletion of specified resource and resource type"
+                    },
+                    "parameters": {
+                        "resourceType": "Microsoft.ManagedIdentity/userAssignedIdentities",
+                        "effect": "DenyAction"
+                    }
                 }
             ]
         },
@@ -314,4 +331,4 @@
             ]
         }
     ]
-}
+}

Scripts/CloudAdoptionFramework/policyAssignments/ALZ-Root-Default.jsonc

@@ -211,6 +211,24 @@
                             "value": "Deny"
                         }
                     ]
+                },
+                {
+                    "nodeName": "TrustedLaunch",
+                    "assignment": {
+                        "name": "Audit-TrustedLaunch",
+                        "displayName": "Audit virtual machines for Trusted Launch support",
+                        "description": "Trusted Launch improves security of a Virtual Machine which requires VM SKU, OS Disk & OS Image to support it (Gen 2). To learn more about Trusted Launch, visit https://aka.ms/trustedlaunch."
+                    },
+                    "definitionEntry": {
+                        "policySetName": "Audit-TrustedLaunch",
+                        "displayName": "Audit virtual machines for Trusted Launch support"
+                    },
+                    "nonComplianceMessages": [
+                        {
+                            "policyDefinitionReferenceId": null,
+                            "message": "Trust Launch must be used on supported virtual machines for enhanced security."
+                        }
+                    ]
                 }
             ]
         },