Feb ALZ updates (#480)
Co-authored-by: Anthony Watherston <[email protected]>
anwather and Anthony Watherston authored Feb 18, 2024
1 parent ce51329 commit d0892c7
Showing 1 changed file with 47 additions and 5 deletions.
Expand Up @@ -11,7 +11,8 @@
"logAnalytics_1": "", // Replace with your central Log Analytics workspace ID
"emailSecurityContact": "", // Security contact email address for Microsoft Defender for Cloud
"ascExportResourceGroupName": "mdfc-export", // Resource group to export Microsoft Defender for Cloud data to
"ascExportResourceGroupLocation": "" // Location of the resource group to export Microsoft Defender for Cloud data to
"ascExportResourceGroupLocation": "", // Location of the resource group to export Microsoft Defender for Cloud data to
"dataCollectionRuleResourceId": "" // Resource Id for the DCR for Azure Monitor - see https://github.com/Azure/Enterprise-Scale/blob/main/eslzArm/resourceGroupTemplates/dataCollectionRule.json
},
"children": [
{
Expand Down Expand Up @@ -60,7 +61,8 @@
"enableAscForCosmosDbs": "DeployIfNotExists",
"enableAscForServersVulnerabilityAssessments": "DeployIfNotExists",
"enableAscForApis": "DeployIfNotExists",
"enableAscForCspm": "DeployIfNotExists"
"enableAscForCspm": "DeployIfNotExists",
"vulnerabilityAssessmentProviderr": "mdeTvm"
},
"nonComplianceMessages": [
{
Expand Down Expand Up @@ -196,8 +198,10 @@
"description": "Enable Azure Monitor for the virtual machines (VMs) in the specified scope (management group, subscription or resource group). Takes Log Analytics workspace as parameter."
},
"definitionEntry": {
"policySetName": "55f3eceb-5573-4f18-9695-226972c6d74a",
"displayName": "VM Monitoring"
"policySetId": "/providers/Microsoft.Authorization/policySetDefinitions/924bfe3a-762f-40e7-86dd-5c8b95eb09e6",
},
"parameters": {
"bringYourOwnUserAssignedManagedIdentity": "false"
},
"nonComplianceMessages": [
{
Expand All @@ -213,9 +217,12 @@
"description": "Enable Azure Monitor for the Virtual Machine Scale Sets in the specified scope (Management group, Subscription or resource group). Takes Log Analytics workspace as parameter. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances."
},
"definitionEntry": {
"policySetName": "75714362-cae7-409e-9b99-a8e5075b7fad",
"policySetId": "/providers/Microsoft.Authorization/policySetDefinitions/f5bf694c-cca7-4033-b883-3a23327d5485",
"displayName": "VMSS Monitoring"
},
"parameters": {
"bringYourOwnUserAssignedManagedIdentity": "false"
},
"nonComplianceMessages": [
{
"message": "Azure Monitor must be enabled for Virtual Machine Scale Sets."
Expand Down Expand Up @@ -344,6 +351,41 @@
"message": "Unused resources driving cost must be avoided."
}
]
},
{
"nodeName": "ZoneResiliency",
"assignment": {
"name": "Audit-ZoneResiliency",
"displayName": "Resources should be Zone Resilient",
"description": "Resources should be Zone Resilient."
},
"definitionEntry": {
"policyId": "/providers/Microsoft.Authorization/policySetDefinitions/130fb88f-0fc9-4678-bfe1-31022d71c7d5"
},
"parameters": {
"allow": "Both"
},
"nonComplianceMessages": [
{
"message": "Resources must be Zone Resilient."
}
]
},
{
"nodeName": "RGLocation",
"assignment": {
"name": "Audit-ResourceRGLocation",
"displayName": "Resource Group and Resource locations should match",
"description": "Resource Group and Resource locations should match."
},
"definitionEntry": {
"policyId": "/providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a"
},
"nonComplianceMessages": [
{
"message": "Resources must be deployed in the same region as the Resource Group."
}
]
}
]
}
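Review bot: The new ZoneResiliency entry in the last hunk points `policyId` at a `policySetDefinitions` resource ID, while the other initiative entries in this file (VM Monitoring, VMSS Monitoring) use `policySetId`; if the key is what tells the tooling whether to resolve a policy definition or an initiative, this lookup will fail or bind the wrong object, so it should read `"policySetId": "/providers/Microsoft.Authorization/policySetDefinitions/130fb88f-0fc9-4678-bfe1-31022d71c7d5"`. The MDFC hunk also adds `"vulnerabilityAssessmentProviderr": "mdeTvm"` with a doubled `r`; unless that name is validated against the initiative's declared parameters, the misspelled key is likely ignored and the assignment silently keeps the default vulnerability-assessment provider rather than Defender Vulnerability Management, so it should be `"vulnerabilityAssessmentProvider": "mdeTvm"`. Separately, `"bringYourOwnUserAssignedManagedIdentity": "false"` is passed as a string in both monitoring hunks; if the initiative declares that parameter as Boolean, the JSON literal `false` is the safer value, which is worth confirming against the definition. The VM Monitoring entry also drops its `displayName` while the VMSS entry keeps one, which looks unintentional.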