From d0892c7e910825e6953b02bb7db80ac980626fa8 Mon Sep 17 00:00:00 2001
From: Anthony Watherston
Date: Mon, 19 Feb 2024 10:45:32 +1100
Subject: [PATCH] Feb ALZ updates (#480)
Co-authored-by: Anthony Watherston
---
 .../policyAssignments/ALZ-Root-Default.jsonc | 52 +++++++++++++++++--
 1 file changed, 47 insertions(+), 5 deletions(-)
diff --git a/Scripts/CloudAdoptionFramework/policyAssignments/ALZ-Root-Default.jsonc b/Scripts/CloudAdoptionFramework/policyAssignments/ALZ-Root-Default.jsonc
index 86e05633..4fc82401 100644
--- a/Scripts/CloudAdoptionFramework/policyAssignments/ALZ-Root-Default.jsonc
+++ b/Scripts/CloudAdoptionFramework/policyAssignments/ALZ-Root-Default.jsonc
@@ -11,7 +11,8 @@
 "logAnalytics_1": "", // Replace with your central Log Analytics workspace ID
 "emailSecurityContact": "", // Security contact email address for Microsoft Defender for Cloud
 "ascExportResourceGroupName": "mdfc-export", // Resource group to export Microsoft Defender for Cloud data to
- "ascExportResourceGroupLocation": "" // Location of the resource group to export Microsoft Defender for Cloud data to
+ "ascExportResourceGroupLocation": "", // Location of the resource group to export Microsoft Defender for Cloud data to
+ "dataCollectionRuleResourceId": "" // Resource Id for the DCR for Azure Monitor - see https://github.com/Azure/Enterprise-Scale/blob/main/eslzArm/resourceGroupTemplates/dataCollectionRule.json
 },
 "children": [
 {
@@ -60,7 +61,8 @@
 "enableAscForCosmosDbs": "DeployIfNotExists",
 "enableAscForServersVulnerabilityAssessments": "DeployIfNotExists",
 "enableAscForApis": "DeployIfNotExists",
- "enableAscForCspm": "DeployIfNotExists"
+ "enableAscForCspm": "DeployIfNotExists",
+ "vulnerabilityAssessmentProviderr": "mdeTvm"
 },
 "nonComplianceMessages": [
 {
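Review bot: The added key `vulnerabilityAssessmentProviderr` in the second hunk (`@@ -60,7 +61,8 @@`) carries a doubled `r` that none of the surrounding parameter names share; it reads as a typo for `vulnerabilityAssessmentProvider`. Azure Policy rejects assignment parameters that the referenced definition does not declare, so as written the `mdeTvm` selection would never be applied and the assignment itself may fail to deploy. Suggest `"vulnerabilityAssessmentProvider": "mdeTvm"`, after confirming the exact parameter name against the Defender for Cloud policy set definition this entry references.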
@@ -196,8 +198,10 @@
 "description": "Enable Azure Monitor for the virtual machines (VMs) in the specified scope (management group, subscription or resource group). Takes Log Analytics workspace as parameter."
 },
 "definitionEntry": {
- "policySetName": "55f3eceb-5573-4f18-9695-226972c6d74a",
- "displayName": "VM Monitoring"
+ "policySetId": "/providers/Microsoft.Authorization/policySetDefinitions/924bfe3a-762f-40e7-86dd-5c8b95eb09e6",
+ },
+ "parameters": {
+ "bringYourOwnUserAssignedManagedIdentity": "false"
 },
 "nonComplianceMessages": [
 {
@@ -213,9 +217,12 @@
 "description": "Enable Azure Monitor for the Virtual Machine Scale Sets in the specified scope (Management group, Subscription or resource group). Takes Log Analytics workspace as parameter. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances."
 },
 "definitionEntry": {
- "policySetName": "75714362-cae7-409e-9b99-a8e5075b7fad",
+ "policySetId": "/providers/Microsoft.Authorization/policySetDefinitions/f5bf694c-cca7-4033-b883-3a23327d5485",
 "displayName": "VMSS Monitoring"
 },
+ "parameters": {
+ "bringYourOwnUserAssignedManagedIdentity": "false"
+ },
 "nonComplianceMessages": [
 {
 "message": "Azure Monitor must be enabled for Virtual Machine Scale Sets."
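Review bot: The new `definitionEntry` for VM Monitoring (hunk `@@ -196,8 +198,10 @@`) ends with a trailing comma after the `policySetId` line and drops the `displayName` that the VMSS entry in the next hunk keeps. Trailing commas are only tolerated by lenient parsers, and the two monitoring entries now differ in shape for no visible reason; suggest `"policySetId": "/providers/Microsoft.Authorization/policySetDefinitions/924bfe3a-762f-40e7-86dd-5c8b95eb09e6",` followed by `"displayName": "VM Monitoring"`. In the same hunk and in the VMSS hunk (`@@ -213,9 +217,12 @@`), `bringYourOwnUserAssignedManagedIdentity` is set to the quoted string `"false"`; if the set definition declares that parameter as Boolean, a string value may be rejected at assignment time or silently treated as non-empty. Confirm against the definition and, if it is Boolean, use `"bringYourOwnUserAssignedManagedIdentity": false`.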
@@ -344,6 +351,41 @@
 "message": "Unused resources driving cost must be avoided."
 }
 ]
+ },
+ {
+ "nodeName": "ZoneResiliency",
+ "assignment": {
+ "name": "Audit-ZoneResiliency",
+ "displayName": "Resources should be Zone Resilient",
+ "description": "Resources should be Zone Resilient."
+ },
+ "definitionEntry": {
+ "policyId": "/providers/Microsoft.Authorization/policySetDefinitions/130fb88f-0fc9-4678-bfe1-31022d71c7d5"
+ },
+ "parameters": {
+ "allow": "Both"
+ },
+ "nonComplianceMessages": [
+ {
+ "message": "Resources must be Zone Resilient."
+ }
+ ]
+ },
+ {
+ "nodeName": "RGLocation",
+ "assignment": {
+ "name": "Audit-ResourceRGLocation",
+ "displayName": "Resource Group and Resource locations should match",
+ "description": "Resource Group and Resource locations should match."
+ },
+ "definitionEntry": {
+ "policyId": "/providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a"
+ },
+ "nonComplianceMessages": [
+ {
+ "message": "Resources must be deployed in the same region as the Resource Group."
+ }
+ ]
 }
 ]
 }
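Review bot: The ZoneResiliency entry's `definitionEntry` (hunk `@@ -344,6 +351,41 @@`) uses the key `policyId` with a path under `policySetDefinitions`, while the VM and VMSS entries in this same patch reference set definitions through `policySetId`. If the loader chooses between definition and set-definition lookups by key name, this reference will be resolved as a single policy definition and fail; suggest `"policySetId": "/providers/Microsoft.Authorization/policySetDefinitions/130fb88f-0fc9-4678-bfe1-31022d71c7d5"`. The RGLocation entry below it pairs `policyId` with a `policyDefinitions` path, which is consistent and needs no change.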