From 2023eacb0da776b46fd74e81bcd852257fbd89b0 Mon Sep 17 00:00:00 2001 
From: Zach Trocinski <30884663+oZakari@users.noreply.github.com> Date: Mon, 5 Feb 2024 11:29:23 -0600 Subject: [PATCH] Assign additional built-in Sovereign landing zone policy initiatives (#718) * Added sovereign policy assignments * Sovereign policies txt files * Shorten policy assignment names * Module Updates for sovereign policy assignments * Fix policyset id for sovereign global policy * Update policy file names for sovereign baselines * Fix incorrect variable reference * Adjust sovereign baseline modules * Fix policy definition id * Expose additional params with UDTs * Generate Parameter Markdowns [oZakari/1e180555] * Added logic for default allowed location for sovereign policies * Generate Parameter Markdowns [oZakari/1e180555] * Update infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com> * Update infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com> * Update infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com> * Update infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com> * Update infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com> * Update infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com> * Update infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com> * Remove unnecessary 
paranthesis
---------
Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com>
---
 .../alzDefaultPolicyAssignments.bicep | 136 +++++++
 .../alzDefaultPolicyAssignments.bicep.md | 42 +++
 ...faultPolicyAssignments.parameters.all.json | 13 +
 .../_policyAssignmentsBicepInput.txt | 10 +
 ...nforce_sovereignty_baseline_conf.tmpl.json | 332 ++++++++++++++++++
 ...orce_sovereignty_baseline_global.tmpl.json | 80 +++++
 6 files changed, 613 insertions(+)
 create mode 100644 infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_sovereignty_baseline_conf.tmpl.json
 create mode 100644 infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_sovereignty_baseline_global.tmpl.json
diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep
index 1e445db4c..de20078b9 100644
--- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep
+++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep
@@ -1,6 +1,25 @@
 metadata name = 'ALZ Bicep - ALZ Default Policy Assignments'
 metadata description = 'This module will assign the ALZ Default Policy Assignments to the ALZ Management Group hierarchy'
+type policyAssignmentSovereigntyGlobalOptionsType = {
+  @sys.description('Switch to enable/disable deployment of the Sovereignty Baseline - Global Policies Assignment to the intermediate root management group.')
+  parTopLevelSovereigntyGlobalPoliciesEnable: bool
+
+  @sys.description('The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed.')
+  parListOfAllowedLocations: string[]
+}
+
+type policyAssignmentSovereigntyConfidentialOptionsType = {
+  @sys.description('The list of Azure resource types approved for usage, which is the set of resource types that have a SKU backed by Azure Confidential Computing or resource types that do not process customer data. Leave empty to allow all relevant resource types.')
+  parAllowedResourceTypes: string[]
+
+  @sys.description('The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed.')
+  parListOfAllowedLocations: string[]
+
+  @sys.description('The list of VM SKUs approved approved for usage, which is the set of SKUs backed by Azure Confidential Computing. Leave empty to allow all relevant SKUs.')
+  parAllowedVirtualMachineSKUs: string[]
+}
+
 @sys.description('Prefix used for the management group hierarchy.')
 @minLength(2)
 @maxLength(10)
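Review bot: The description on `parAllowedVirtualMachineSKUs` in `policyAssignmentSovereigntyConfidentialOptionsType` reads "The list of VM SKUs approved approved for usage", a doubled word that the `parPolicyAssignmentSovereigntyConfidential` description in the next hunk and the generated markdown then copy verbatim; change it to `@sys.description('The list of VM SKUs approved for usage, which is the set of SKUs backed by Azure Confidential Computing. Leave empty to allow all relevant SKUs.')` and regenerate the docs. The `parListOfAllowedLocations` member and its description are also repeated verbatim in both types; since both are later given the same fallback behaviour, it is worth stating in the description that the two are meant to behave identically so the wording does not drift when one of them is edited.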
@@ -10,6 +29,30 @@ param parTopLevelManagementGroupPrefix string = 'alz'
 @maxLength(10)
 param parTopLevelManagementGroupSuffix string = ''
+@sys.description('''Object used to assign Sovereignty Baseline - Global Policies to the intermediate root management group.'
+
+- `parTopLevelSovereignGlobalPoliciesEnable - Switch to enable/disable deployment of the Sovereignty Baseline - Global Policies Assignment to the intermediate root management group.
+- `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed.
+
+''')
+param parTopLevelPolicyAssignmentSovereigntyGlobal policyAssignmentSovereigntyGlobalOptionsType = {
+  parTopLevelSovereigntyGlobalPoliciesEnable: false
+  parListOfAllowedLocations: []
+}
+
+@sys.description('''Object used to assign Sovereignty Baseline - Confidential Policies to the confidential landing zone management groups.'
+
+- `parAllowedResourceTypes` - The list of Azure resource types approved for usage, which is the set of resource types that have a SKU backed by Azure Confidential Computing or resource types that do not process customer data. Leave empty to allow all relevant resource types.
+- `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed.
+- `parallowedVirtualMachineSKUs` - The list of VM SKUs approved approved for usage, which is the set of SKUs backed by Azure Confidential Computing. Leave empty to allow all relevant SKUs.
+
+''')
+param parPolicyAssignmentSovereigntyConfidential policyAssignmentSovereigntyConfidentialOptionsType = {
+  parAllowedResourceTypes: []
+  parListOfAllowedLocations: []
+  parAllowedVirtualMachineSKUs: []
+}
+
 @sys.description('Management, Identity and Connectivity Management Groups beneath Platform Management Group have been deployed. If set to false, platform policies are assigned to the Platform Management Group; otherwise policies are assigned to the child management groups.')
 param parPlatformMgAlzDefaultsEnable bool = true
@@ -80,6 +123,7 @@ var varDeploymentNameWrappers = {
 }
 var varModuleDeploymentNames = {
+  modPolicyAssignmentIntRootEnforceSovereigntyGlobal: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceSovereigntyGlobal-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
   modPolicyAssignmentIntRootDeployMdfcConfig: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployMDFCConfig-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
   modPolicyAssignmentIntRootDeployAzActivityLog: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployAzActivityLog-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
   modPolicyAssignmentIntRootDeployAscMonitoring: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployASCMonitoring-intRoot-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
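Review bot: The multi-line descriptions on `parTopLevelPolicyAssignmentSovereigntyGlobal` and `parPolicyAssignmentSovereigntyConfidential` do not match the members of the types they document: the first bullet names `parTopLevelSovereignGlobalPoliciesEnable` (missing "ty" and its closing backtick) while the type member is `parTopLevelSovereigntyGlobalPoliciesEnable`, and the third confidential bullet names `parallowedVirtualMachineSKUs` while the member is `parAllowedVirtualMachineSKUs`; both descriptions also end their opening sentence with a stray `'` after "management group." and "management groups.". These strings are the source of the generated parameter markdown, so the mismatches reappear in the docs hunks below, where a user copying the bullet name into a parameter file would hit a type error instead of the switch they wanted. Change the two bullets to `- parTopLevelSovereigntyGlobalPoliciesEnable - Switch to enable/disable deployment ...` and `- parAllowedVirtualMachineSKUs - The list of VM SKUs approved for usage ...` (names wrapped in backticks like the `parListOfAllowedLocations` bullet), drop the stray quotes, and regenerate the markdown.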
@@ -117,9 +161,11 @@ var varModuleDeploymentNames = {
   modPolicyAssignmentLzsDeploySqlTde: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deploySQLTde-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
   modPolicyAssignmentLzsEnforceGrKeyVault: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceGrKeyVault-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
   modPolicyAssignmentLzsAuditAppGwWaf: take('${varDeploymentNameWrappers.basePrefix}-polAssi-auditAppGwWaf-lz-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+  modPolicyAssignmentLzsConfidentialOnlineEnforceSovereigntyConf: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceSovereigntyConf-confidential-online-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
   modPolicyAssignmentLzsCorpDenyPublicEndpoints: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPublicEndpoints-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
   modPolicyAssignmentLzsConfidentialCorpDenyPublicEndpoints: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPublicEndpoints-confidential-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
   modPolicyAssignmentLzsCorpDeployPrivateDnsZones: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployPrivateDNS-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
+  modPolicyAssignmentLzsConfidentialCorpEnforceSovereigntyConf: take('${varDeploymentNameWrappers.basePrefix}-polAssi-enforceSovereigntyConf-confidential-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
   modPolicyAssignmentLzsConfidentialCorpDeployPrivateDnsZones: take('${varDeploymentNameWrappers.basePrefix}-polAssi-deployPrivateDNS-confidential-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
   modPolicyAssignmentLzsCorpDenyPipOnNic: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPipOnNic-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
   modPolicyAssignmentLzsConfidentialCorpDenyPipOnNic: take('${varDeploymentNameWrappers.basePrefix}-polAssi-denyPipOnNic-confidential-corp-${varDeploymentNameWrappers.baseSuffixTenantAndManagementGroup}', 64)
@@ -198,6 +244,16 @@ var varPolicyAssignmentDenyPublicIP = {
   libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_public_ip.tmpl.json')
 }
+var varPolicyAssignmentEnforceSovereigntyConf = {
+  definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/03de05a4-c324-4ccd-882f-a814ea8ab9ea'
+  libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_sovereignty_baseline_conf.tmpl.json')
+}
+
+var varPolicyAssignmentEnforceSovereigntyGlobal = {
+  definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/c1cbff38-87c0-4b9f-9f70-035c7a3b5523'
+  libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_sovereignty_baseline_global.tmpl.json')
+}
+
 var varPolicyAssignmentDenyStoragehttp = {
   definitionId: '/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9'
   libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_deny_storage_http.tmpl.json')
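Review bot: `varPolicyAssignmentEnforceSovereigntyConf` and `varPolicyAssignmentEnforceSovereigntyGlobal` pin built-in policy set definitions by bare GUID (`03de05a4-…` and `c1cbff38-…`) with nothing on the line saying which initiative each one is, whereas the custom initiative ids in this repository carry a readable name (for example `Enforce-EncryptTransit` in the `_policyAssignmentsBicepInput.txt` hunk). Because these two are assigned at the intermediate root and the confidential management groups, a transposed or stale id could change what is denied tenant-wide without anything in the file looking wrong, so add a comment above each that a reviewer can check against the lib template's `displayName`, e.g. `// Built-in initiative: [Preview]: Sovereignty Baseline - Confidential Policies` above the first (that display name is in the new lib template in this commit) and the corresponding display name from its own lib template above the second. The same two blocks are duplicated in `_policyAssignmentsBicepInput.txt` and should carry the same comment there.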
@@ -441,6 +497,28 @@ module modCustomerUsageAttributionZtnP1 '../../../../CRML/customerUsageAttributi
 }
 // Modules - Policy Assignments - Intermediate Root Management Group
+// Module - Policy Assignment - Enforce-Sovereign-Global
+module modPolicyAssignmentIntRootEnforceSovereigntyGlobal '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnforceSovereigntyGlobal.libDefinition.name) && parTopLevelPolicyAssignmentSovereigntyGlobal.parTopLevelSovereigntyGlobalPoliciesEnable) {
+  scope: managementGroup(varManagementGroupIds.intRoot)
+  name: varModuleDeploymentNames.modPolicyAssignmentIntRootEnforceSovereigntyGlobal
+  params: {
+    parPolicyAssignmentDefinitionId: varPolicyAssignmentEnforceSovereigntyGlobal.definitionId
+    parPolicyAssignmentName: varPolicyAssignmentEnforceSovereigntyGlobal.libDefinition.name
+    parPolicyAssignmentDisplayName: varPolicyAssignmentEnforceSovereigntyGlobal.libDefinition.properties.displayName
+    parPolicyAssignmentDescription: varPolicyAssignmentEnforceSovereigntyGlobal.libDefinition.properties.description
+    parPolicyAssignmentParameters: varPolicyAssignmentEnforceSovereigntyGlobal.libDefinition.properties.parameters
+    parPolicyAssignmentParameterOverrides: {
+      listOfAllowedLocations: {
+        #disable-next-line no-loc-expr-outside-params
+        value: !(empty(parTopLevelPolicyAssignmentSovereigntyGlobal.parListOfAllowedLocations)) ? parTopLevelPolicyAssignmentSovereigntyGlobal.parListOfAllowedLocations : array(deployment().location)
+      }
+    }
+    parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceSovereigntyGlobal.libDefinition.identity.type
+    parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentEnforceSovereigntyGlobal.libDefinition.properties.enforcementMode
+    parTelemetryOptOut: parTelemetryOptOut
+  }
+}
+
 // Module - Policy Assignment - Deploy-MDFC-Config
 module modPolicyAssignmentIntRootDeployMdfcConfig '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentDeployMDFCConfig.libDefinition.name)) {
   scope: managementGroup(varManagementGroupIds.intRoot)
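Review bot: The `listOfAllowedLocations` override in `modPolicyAssignmentIntRootEnforceSovereigntyGlobal` falls back to `array(deployment().location)` when `parListOfAllowedLocations` is empty, so with the defaults shipped in this commit the region list enforced across the whole intermediate root becomes the location the management-group deployment itself was submitted with — a value that lives in the pipeline invocation rather than in the parameter file, which is exactly the hidden input the suppressed `no-loc-expr-outside-params` rule is there to flag. The parameter description does say this, but the operational consequence (a later run submitted from another region re-assigns the initiative with a different allowed list) belongs at the override too, e.g. `// Empty list => only deployment().location is allowed; set parListOfAllowedLocations explicitly so the enforced regions do not depend on where the deployment was submitted from`. The same fallback is repeated twice in the confidential modules in the last bicep hunk of this commit. Separately, `parDisableAlzDefaultPolicies` flips this opt-in assignment to `DoNotEnforce` as if it were an ALZ default; if that is intended, that parameter's description should mention the sovereignty baselines are covered.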
@@ -1416,6 +1494,64 @@ module modPolicyAssignmentLzsCorpAuditPeDnsZones '../../../policy/assignments/po
   }
 }]
+// Modules - Policy Assignments - Confidential Online Management Group
+// Module - Policy Assignment - Enforce-Sovereign-Conf
+module modPolicyAssignmentLzsConfidentialOnlineEnforceSovereigntyConf '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnforceSovereigntyConf.libDefinition.name) && parLandingZoneMgConfidentialEnable) {
+  scope: managementGroup(varManagementGroupIds.landingZonesConfidentialOnline)
+  name: varModuleDeploymentNames.modPolicyAssignmentLzsConfidentialOnlineEnforceSovereigntyConf
+  params: {
+    parPolicyAssignmentDefinitionId: varPolicyAssignmentEnforceSovereigntyConf.definitionId
+    parPolicyAssignmentName: varPolicyAssignmentEnforceSovereigntyConf.libDefinition.name
+    parPolicyAssignmentDisplayName: varPolicyAssignmentEnforceSovereigntyConf.libDefinition.properties.displayName
+    parPolicyAssignmentDescription: varPolicyAssignmentEnforceSovereigntyConf.libDefinition.properties.description
+    parPolicyAssignmentParameters: varPolicyAssignmentEnforceSovereigntyConf.libDefinition.properties.parameters
+    parPolicyAssignmentParameterOverrides: {
+      allowedResourceTypes: {
+        value: !(empty(parPolicyAssignmentSovereigntyConfidential.parAllowedResourceTypes)) ? parPolicyAssignmentSovereigntyConfidential.parAllowedResourceTypes : varPolicyAssignmentEnforceSovereigntyConf.libDefinition.properties.parameters.allowedResourceTypes.value
+      }
+      listOfAllowedLocations: {
+        #disable-next-line no-loc-expr-outside-params
+        value: !(empty(parPolicyAssignmentSovereigntyConfidential.parListOfAllowedLocations)) ? parPolicyAssignmentSovereigntyConfidential.parListOfAllowedLocations : array(deployment().location)
+      }
+      allowedVirtualMachineSKUs: {
+        value: !(empty(parPolicyAssignmentSovereigntyConfidential.parAllowedVirtualMachineSKUs)) ? parPolicyAssignmentSovereigntyConfidential.parAllowedVirtualMachineSKUs : varPolicyAssignmentEnforceSovereigntyConf.libDefinition.properties.parameters.allowedVirtualMachineSKUs.value
+      }
+    }
+    parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceSovereigntyConf.libDefinition.identity.type
+    parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentEnforceSovereigntyConf.libDefinition.properties.enforcementMode
+    parTelemetryOptOut: parTelemetryOptOut
+  }
+}
+
+// Modules - Policy Assignments - Confidential Corp Management Group
+// Module - Policy Assignment - Enforce-Sovereign-Conf
+module modPolicyAssignmentLzsConfidentialCorpEnforceSovereigntyConf '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnforceSovereigntyConf.libDefinition.name) && parLandingZoneMgConfidentialEnable) {
+  scope: managementGroup(varManagementGroupIds.landingZonesConfidentialCorp)
+  name: varModuleDeploymentNames.modPolicyAssignmentLzsConfidentialCorpEnforceSovereigntyConf
+  params: {
+    parPolicyAssignmentDefinitionId: varPolicyAssignmentEnforceSovereigntyConf.definitionId
+    parPolicyAssignmentName: varPolicyAssignmentEnforceSovereigntyConf.libDefinition.name
+    parPolicyAssignmentDisplayName: varPolicyAssignmentEnforceSovereigntyConf.libDefinition.properties.displayName
+    parPolicyAssignmentDescription: varPolicyAssignmentEnforceSovereigntyConf.libDefinition.properties.description
+    parPolicyAssignmentParameters: varPolicyAssignmentEnforceSovereigntyConf.libDefinition.properties.parameters
+    parPolicyAssignmentParameterOverrides: {
+      allowedResourceTypes: {
+        value: !(empty(parPolicyAssignmentSovereigntyConfidential.parAllowedResourceTypes)) ? parPolicyAssignmentSovereigntyConfidential.parAllowedResourceTypes : varPolicyAssignmentEnforceSovereigntyConf.libDefinition.properties.parameters.allowedResourceTypes.value
+      }
+      listOfAllowedLocations: {
+        #disable-next-line no-loc-expr-outside-params
+        value: !(empty(parPolicyAssignmentSovereigntyConfidential.parListOfAllowedLocations)) ? parPolicyAssignmentSovereigntyConfidential.parListOfAllowedLocations : array(deployment().location)
+      }
+      allowedVirtualMachineSKUs: {
+        value: !(empty(parPolicyAssignmentSovereigntyConfidential.parAllowedVirtualMachineSKUs)) ? parPolicyAssignmentSovereigntyConfidential.parAllowedVirtualMachineSKUs : varPolicyAssignmentEnforceSovereigntyConf.libDefinition.properties.parameters.allowedVirtualMachineSKUs.value
+      }
+    }
+    parPolicyAssignmentIdentityType: varPolicyAssignmentEnforceSovereigntyConf.libDefinition.identity.type
+    parPolicyAssignmentEnforcementMode: parDisableAlzDefaultPolicies ? 'DoNotEnforce' : varPolicyAssignmentEnforceSovereigntyConf.libDefinition.properties.enforcementMode
+    parTelemetryOptOut: parTelemetryOptOut
+  }
+}
+
 // Modules - Policy Assignments - Decommissioned Management Group
 // Module - Policy Assignment - Enforce-ALZ-Decomm
 module modPolicyAssignmentDecommEnforceAlz '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnforceALZDecomm.libDefinition.name)) {
diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md
index 81f9c5f69..d15411fdc 100644
--- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md
+++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/generateddocs/alzDefaultPolicyAssignments.bicep.md
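Review bot: The two `Enforce-Sovereign-Conf` modules are identical apart from `scope` and `name`, including the 14-line `parPolicyAssignmentParameterOverrides` object built from `parPolicyAssignmentSovereigntyConfidential` that is duplicated verbatim; hoisting that object into a variable next to `varPolicyAssignmentEnforceSovereigntyConf` leaves one place to read when checking what the confidential baseline actually enforces, and one place to fix if a fallback changes. Unlike the global baseline there is no enable switch here: the initiative is assigned whenever `parLandingZoneMgConfidentialEnable` is true unless `Enforce-Sovereign-Conf` is listed in `parExcludedPolicyAssignments`, which is a defensible default for confidential management groups but should be stated on the `parPolicyAssignmentSovereigntyConfidential` description, e.g. `Assigned to both confidential management groups whenever parLandingZoneMgConfidentialEnable is true; add Enforce-Sovereign-Conf to parExcludedPolicyAssignments to opt out.` Note also that the `allowedResourceTypes` and `allowedVirtualMachineSKUs` fallbacks resolve to the lib template's own curated lists, so an empty parameter keeps the baseline's allow-list rather than lifting the restriction; the type descriptions' "Leave empty to allow all relevant …" can be read as unrestricted and would be clearer as "Leave empty to use the baseline's default list".
```bicep
// Parameter overrides shared by both Enforce-Sovereign-Conf assignments (confidential online and confidential corp)
var varPolicyAssignmentEnforceSovereigntyConfParameterOverrides = {
  allowedResourceTypes: {
    value: !empty(parPolicyAssignmentSovereigntyConfidential.parAllowedResourceTypes) ? parPolicyAssignmentSovereigntyConfidential.parAllowedResourceTypes : varPolicyAssignmentEnforceSovereigntyConf.libDefinition.properties.parameters.allowedResourceTypes.value
  }
  listOfAllowedLocations: {
    #disable-next-line no-loc-expr-outside-params
    value: !empty(parPolicyAssignmentSovereigntyConfidential.parListOfAllowedLocations) ? parPolicyAssignmentSovereigntyConfidential.parListOfAllowedLocations : array(deployment().location)
  }
  allowedVirtualMachineSKUs: {
    value: !empty(parPolicyAssignmentSovereigntyConfidential.parAllowedVirtualMachineSKUs) ? parPolicyAssignmentSovereigntyConfidential.parAllowedVirtualMachineSKUs : varPolicyAssignmentEnforceSovereigntyConf.libDefinition.properties.parameters.allowedVirtualMachineSKUs.value
  }
}

module modPolicyAssignmentLzsConfidentialOnlineEnforceSovereigntyConf '../../../policy/assignments/policyAssignmentManagementGroup.bicep' = if (!contains(parExcludedPolicyAssignments, varPolicyAssignmentEnforceSovereigntyConf.libDefinition.name) && parLandingZoneMgConfidentialEnable) {
  // … unchanged: scope, name, definition id, name, display name, description, parameters …
  params: {
    parPolicyAssignmentParameterOverrides: varPolicyAssignmentEnforceSovereigntyConfParameterOverrides
    // … unchanged: identity type, enforcement mode, telemetry …
  }
}
// … the confidential corp module references the same variable …
```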
@@ -8,6 +8,8 @@ Parameter name | Required | Description
 -------------- | -------- | -----------
 parTopLevelManagementGroupPrefix | No | Prefix used for the management group hierarchy.
 parTopLevelManagementGroupSuffix | No | Optional suffix for the management group hierarchy. This suffix will be appended to management group names/IDs. Include a preceding dash if required. Example: -suffix
+parTopLevelPolicyAssignmentSovereigntyGlobal | No | Object used to assign Sovereignty Baseline - Global Policies to the intermediate root management group.' - `parTopLevelSovereignGlobalPoliciesEnable - Switch to enable/disable deployment of the Sovereignty Baseline - Global Policies Assignment to the intermediate root management group. - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed.
+parPolicyAssignmentSovereigntyConfidential | No | Object used to assign Sovereignty Baseline - Confidential Policies to the confidential landing zone management groups.' - `parAllowedResourceTypes` - The list of Azure resource types approved for usage, which is the set of resource types that have a SKU backed by Azure Confidential Computing or resource types that do not process customer data. Leave empty to allow all relevant resource types. - `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed. - `parallowedVirtualMachineSKUs` - The list of VM SKUs approved approved for usage, which is the set of SKUs backed by Azure Confidential Computing. Leave empty to allow all relevant SKUs.
 parPlatformMgAlzDefaultsEnable | No | Management, Identity and Connectivity Management Groups beneath Platform Management Group have been deployed. If set to false, platform policies are assigned to the Platform Management Group; otherwise policies are assigned to the child management groups.
 parLandingZoneChildrenMgAlzDefaultsEnable | No | Corp & Online Management Groups beneath Landing Zones Management Groups have been deployed. If set to false, policies will not try to be assigned to corp or online Management Groups.
 parLandingZoneMgConfidentialEnable | No | Confidential Corp & Confidential Online Management Groups beneath Landing Zones Management Group have been deployed. If set to false, policies will not try to be assigned to Confidential Corp & Confidential Online Management Groups
@@ -39,6 +41,33 @@ Prefix used for the management group hierarchy.
 Optional suffix for the management group hierarchy. This suffix will be appended to management group names/IDs. Include a preceding dash if required. Example: -suffix
+### parTopLevelPolicyAssignmentSovereigntyGlobal
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Object used to assign Sovereignty Baseline - Global Policies to the intermediate root management group.'
+
+- `parTopLevelSovereignGlobalPoliciesEnable - Switch to enable/disable deployment of the Sovereignty Baseline - Global Policies Assignment to the intermediate root management group.
+- `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed.
+
+
+
+- Default value: `@{parTopLevelSovereigntyGlobalPoliciesEnable=False; parListOfAllowedLocations=System.Object[]}`
+
+### parPolicyAssignmentSovereigntyConfidential
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Object used to assign Sovereignty Baseline - Confidential Policies to the confidential landing zone management groups.'
+
+- `parAllowedResourceTypes` - The list of Azure resource types approved for usage, which is the set of resource types that have a SKU backed by Azure Confidential Computing or resource types that do not process customer data. Leave empty to allow all relevant resource types.
+- `parListOfAllowedLocations` - The list of locations that your organization can use to restrict deploying resources to. If left empty, only the deployment location will be allowed.
+- `parallowedVirtualMachineSKUs` - The list of VM SKUs approved approved for usage, which is the set of SKUs backed by Azure Confidential Computing. Leave empty to allow all relevant SKUs.
+
+
+
+- Default value: `@{parAllowedResourceTypes=System.Object[]; parListOfAllowedLocations=System.Object[]; parAllowedVirtualMachineSKUs=System.Object[]}`
+
 ### parPlatformMgAlzDefaultsEnable
 ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
@@ -171,6 +200,19 @@ Set Parameter to true to Opt-out of deployment telemetry
     "parTopLevelManagementGroupSuffix": {
       "value": ""
     },
+    "parTopLevelPolicyAssignmentSovereigntyGlobal": {
+      "value": {
+        "parTopLevelSovereigntyGlobalPoliciesEnable": false,
+        "parListOfAllowedLocations": []
+      }
+    },
+    "parPolicyAssignmentSovereigntyConfidential": {
+      "value": {
+        "parAllowedResourceTypes": [],
+        "parListOfAllowedLocations": [],
+        "parAllowedVirtualMachineSKUs": []
+      }
+    },
     "parPlatformMgAlzDefaultsEnable": {
       "value": true
     },
diff --git a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json
index 29a786eb6..1749f927d 100644
--- a/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json
+++ b/infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json
@@ -8,6 +8,12 @@
     "parTopLevelManagementGroupSuffix": {
       "value": ""
     },
+    "parTopLevelPolicyAssignmentSovereigntyGlobal": {
+      "value": {
+        "parTopLevelSovereigntyGlobalPoliciesEnable": false,
+        "parListOfAllowedLocations": []
+      }
+    },
     "parPlatformMgAlzDefaultsEnable": {
       "value": true
     },
@@ -17,6 +23,13 @@
     "parLandingZoneMgConfidentialEnable": {
       "value": false
     },
+    "parPolicyAssignmentSovereigntyConfidential": {
+      "value": {
+        "parAllowedResourceTypes": [],
+        "parListOfAllowedLocations": [],
+        "parAllowedVirtualMachineSKUs": []
+      }
+    },
     "parLogAnalyticsWorkSpaceAndAutomationAccountLocation": {
       "value": "eastus"
     },
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/_policyAssignmentsBicepInput.txt b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/_policyAssignmentsBicepInput.txt
index 23110918d..581b0a7ad 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/_policyAssignmentsBicepInput.txt
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/_policyAssignmentsBicepInput.txt
@@ -248,6 +248,16 @@ var varPolicyAssignmentEnforceGRKeyVault = {
   libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_gr_keyvault.tmpl.json')
 }
+var varPolicyAssignmentEnforceSovereigntyConf = {
+  definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/03de05a4-c324-4ccd-882f-a814ea8ab9ea'
+  libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_sovereignty_baseline_conf.tmpl.json')
+}
+
+var varPolicyAssignmentEnforceSovereigntyGlobal = {
+  definitionId: '/providers/Microsoft.Authorization/policySetDefinitions/c1cbff38-87c0-4b9f-9f70-035c7a3b5523'
+  libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_sovereignty_baseline_global.tmpl.json')
+}
+
 var varPolicyAssignmentEnforceTLSSSL = {
   definitionId: '${varTopLevelManagementGroupResourceId}/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit'
   libDefinition: loadJsonContent('../../../policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_tls_ssl.tmpl.json')
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_sovereignty_baseline_conf.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_sovereignty_baseline_conf.tmpl.json
new file mode 100644
index 000000000..946ec701e
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_sovereignty_baseline_conf.tmpl.json 
@@ -0,0 +1,332 @@
+{
+ "name": "Enforce-Sovereign-Conf",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "The Microsoft Cloud for Sovereignty recommends confidential policies to help organizations achieve their sovereignty goals by default denying the creation of resources outside of approved regions, denying resources that are not backed by Azure Confidential Computing, and denying data storage resources that are not using Customer-Managed Keys. More details can be found here: https://aka.ms/SovereigntyBaselinePolicies",
+ "displayName": "[Preview]: Sovereignty Baseline - Confidential Policies",
+ "notScopes": [],
+ "parameters": {
+ "allowedResourceTypes": {
+ "value": [
+ "Microsoft.Attestation/attestationProviders",
+ "Microsoft.Compute/availabilitySets",
+ "Microsoft.Compute/capacityReservationGroups",
+ "Microsoft.Compute/capacityReservationGroups/capacityReservations",
+ "Microsoft.Compute/cloudServices",
+ "Microsoft.Compute/cloudServices/roles",
+ "Microsoft.Compute/cloudServices/roleInstances",
+ "Microsoft.Compute/cloudServices/networkInterfaces",
+ "Microsoft.Compute/cloudServices/roleInstances/networkInterfaces",
+ "Microsoft.Compute/cloudServices/publicIPAddresses",
+ "Microsoft.Compute/disks",
+ "Microsoft.Compute/diskEncryptionSets",
+ "Microsoft.Compute/diskAccesses",
+ "Microsoft.Compute/galleries",
+ "Microsoft.Compute/galleries/images",
+ "Microsoft.Compute/galleries/images/versions",
+ "Microsoft.Compute/galleries/applications",
+ "Microsoft.Compute/galleries/applications/versions",
+ "Microsoft.Compute/hostGroups",
+ "Microsoft.Compute/hostGroups/hosts",
+ "Microsoft.Compute/images",
+ "Microsoft.Compute/locations",
+ "Microsoft.Compute/locations/artifactPublishers",
+ "Microsoft.Compute/locations/csoperations",
+ "Microsoft.Compute/locations/cloudServiceOsVersions",
+ "Microsoft.Compute/locations/cloudServiceOsFamilies",
+ "Microsoft.Compute/locations/capsoperations",
+ "Microsoft.Compute/locations/communityGalleries",
+ "Microsoft.Compute/locations/diagnostics",
+ "Microsoft.Compute/locations/diagnosticOperations",
+ "Microsoft.Compute/locations/diskoperations",
+ "Microsoft.Compute/locations/edgeZones",
+ "Microsoft.Compute/locations/edgeZones/vmimages",
+ "Microsoft.Compute/locations/edgeZones/publishers",
+ "Microsoft.Compute/locations/galleries",
+ "Microsoft.Compute/locations/logAnalytics",
+ "Microsoft.Compute/locations/recommendations",
+ "Microsoft.Compute/locations/runCommands",
+ "Microsoft.Compute/locations/sharedGalleries",
+ "Microsoft.Compute/locations/spotEvictionRates",
+ "Microsoft.Compute/locations/spotPriceHistory",
+ "Microsoft.Compute/locations/operations",
+ "Microsoft.Compute/locations/publishers",
+ "Microsoft.Compute/locations/usages",
+ "Microsoft.Compute/locations/vmSizes",
+ "Microsoft.Compute/locations/virtualMachines",
+ "Microsoft.Compute/locations/virtualMachineScaleSets",
+ "Microsoft.Compute/operations",
+ "Microsoft.Compute/restorePointCollections/restorePoints/diskRestorePoints",
+ "Microsoft.Compute/virtualMachines",
+ "Microsoft.Compute/virtualMachines/applications",
+ "Microsoft.Compute/virtualMachines/extensions",
+ "Microsoft.Compute/virtualMachines/metricDefinitions",
+ "Microsoft.Compute/virtualMachines/runCommands",
+ "Microsoft.Compute/virtualMachineScaleSets",
+ "Microsoft.Compute/virtualMachineScaleSets/applications",
+ "Microsoft.Compute/virtualMachineScaleSets/extensions",
+ "Microsoft.Compute/virtualMachineScaleSets/networkInterfaces",
+ "Microsoft.Compute/virtualMachineScaleSets/publicIPAddresses",
+ "Microsoft.Compute/virtualMachineScaleSets/virtualMachines",
+ "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/extensions",
+ "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces",
+ "Microsoft.Compute/restorePointCollections",
+ "Microsoft.Compute/restorePointCollections/restorePoints",
+ "Microsoft.Compute/proximityPlacementGroups",
+ "Microsoft.Compute/sshPublicKeys",
+ "Microsoft.Compute/sharedVMImages",
+ "Microsoft.Compute/sharedVMImages/versions",
+ "Microsoft.Compute/snapshots",
+ "Microsoft.ConfidentialLedger/checkNameAvailability",
+ "Microsoft.ConfidentialLedger/Ledgers",
+ "Microsoft.ConfidentialLedger/Locations",
+ "Microsoft.ConfidentialLedger/Locations/operations",
+ "Microsoft.ConfidentialLedger/Locations/operationstatuses",
+ "Microsoft.ConfidentialLedger/ManagedCCFs",
+ "Microsoft.ContainerService/managedClusters",
+ "Microsoft.ContainerService/managedClusters/agentPools",
+ "Microsoft.HardwareSecurityModules/dedicatedHSMs",
+ "Microsoft.HardwareSecurityModules/locations",
+ "Microsoft.HardwareSecurityModules/locations/operationResults",
+ "Microsoft.HardwareSecurityModules/operations",
+ "Microsoft.KeyVault/hsmPools",
+ "Microsoft.KeyVault/managedHSMs",
+ "Microsoft.KeyVault/locations/managedHsmOperationResults",
+ "Microsoft.KeyVault/checkMhsmNameAvailability",
+ "Microsoft.KeyVault/checkNameAvailability",
+ "Microsoft.KeyVault/deletedManagedHSMs",
+ "Microsoft.KeyVault/deletedVaults",
+ "Microsoft.KeyVault/locations",
+ "Microsoft.KeyVault/locations/deletedManagedHSMs",
+ "Microsoft.KeyVault/locations/deletedVaults",
+ "Microsoft.KeyVault/locations/notifyNetworkSecurityPerimeterUpdatesAvailable",
+ "Microsoft.KeyVault/locations/operationResults",
+ "Microsoft.KeyVault/managedHSMs/privateEndpointConnections",
+ "Microsoft.KeyVault/operations",
+ "Microsoft.KeyVault/vaults",
+ "Microsoft.KeyVault/vaults/accessPolicies",
+ "Microsoft.KeyVault/vaults/eventGridFilters",
+ "Microsoft.KeyVault/vaults/keys",
+ "Microsoft.KeyVault/vaults/keys/versions",
+ "Microsoft.KeyVault/vaults/privateEndpointConnections",
+ "Microsoft.KeyVault/vaults/secrets",
+ "Microsoft.Kubernetes/connectedClusters",
+ "Microsoft.Kubernetes/locations",
+ "Microsoft.Kubernetes/locations/operationStatuses",
+ "Microsoft.Kubernetes/registeredSubscriptions",
+ "Microsoft.Kubernetes/Operations",
+ "Microsoft.KubernetesConfiguration/sourceControlConfigurations",
+ "Microsoft.KubernetesConfiguration/extensions",
+ "Microsoft.KubernetesConfiguration/fluxConfigurations",
+ "Microsoft.KubernetesConfiguration/operations",
+ "Microsoft.KubernetesConfiguration/privateLinkScopes",
+ "Microsoft.KubernetesConfiguration/privateLinkScopes/privateEndpointConnections",
+ "Microsoft.KubernetesConfiguration/privateLinkScopes/privateEndpointConnectionProxies",
+ "Microsoft.ManagedIdentity/userAssignedIdentities",
+ "Microsoft.Network/ddosProtectionPlans",
+ "Microsoft.Network/loadBalancers",
+ "Microsoft.Network/networkSecurityGroups",
+ "Microsoft.Network/networkInterfaces",
+ "Microsoft.Network/privateDnsZones",
+ "Microsoft.Network/privateDnsZones/virtualNetworkLinks",
+ "Microsoft.Network/privateEndpoints",
+ "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
+ "Microsoft.Network/publicIPAddresses",
+ "Microsoft.Network/routeTables",
+ "Microsoft.Network/virtualNetworks",
+ "Microsoft.Network/virtualNetworks/subnets",
+ "Microsoft.Resources/deployments",
+ "Microsoft.Sql/locations/syncDatabaseIds",
+ "Microsoft.Sql/locations/longTermRetentionServers",
+ "Microsoft.Sql/locations/longTermRetentionBackups",
+ "Microsoft.Sql/locations/longTermRetentionPolicyOperationResults",
+ "Microsoft.Sql/locations/longTermRetentionPolicyAzureAsyncOperation",
+ "Microsoft.Sql/locations/longTermRetentionBackupOperationResults",
+ "Microsoft.Sql/locations/longTermRetentionBackupAzureAsyncOperation",
+ "Microsoft.Sql/locations/shortTermRetentionPolicyOperationResults",
+ "Microsoft.Sql/locations/shortTermRetentionPolicyAzureAsyncOperation",
+ "Microsoft.Sql/locations/managedShortTermRetentionPolicyOperationResults",
+ "Microsoft.Sql/locations/managedShortTermRetentionPolicyAzureAsyncOperation",
+ "Microsoft.Sql/locations/instanceFailoverGroups",
+ "Microsoft.Sql/locations/instanceFailoverGroupAzureAsyncOperation",
+ "Microsoft.Sql/locations/instanceFailoverGroupOperationResults",
+ "Microsoft.Sql/locations/privateEndpointConnectionProxyOperationResults",
+ "Microsoft.Sql/locations/privateEndpointConnectionProxyAzureAsyncOperation",
+ "Microsoft.Sql/locations/privateEndpointConnectionOperationResults",
+ "Microsoft.Sql/locations/outboundFirewallRulesAzureAsyncOperation",
+ "Microsoft.Sql/locations/outboundFirewallRulesOperationResults",
+ "Microsoft.Sql/locations/privateEndpointConnectionAzureAsyncOperation",
+ "Microsoft.Sql/locations/notifyAzureAsyncOperation",
+ "Microsoft.Sql/locations/serverTrustGroups",
+ "Microsoft.Sql/locations/serverTrustGroupOperationResults",
+ "Microsoft.Sql/locations/serverTrustGroupAzureAsyncOperation",
+ "Microsoft.Sql/locations/managedDatabaseMoveOperationResults",
+ "Microsoft.Sql/locations/managedDatabaseMoveAzureAsyncOperation",
+ "Microsoft.Sql/locations/connectionPoliciesAzureAsyncOperation",
+ "Microsoft.Sql/locations/connectionPoliciesOperationResults",
+ "Microsoft.Sql/locations/notifyNetworkSecurityPerimeterUpdatesAvailable",
+ "Microsoft.Sql/locations/replicationLinksAzureAsyncOperation",
+ "Microsoft.Sql/locations/replicationLinksOperationResults",
+ "Microsoft.Sql/locations/managedInstanceDtcAzureAsyncOperation",
+ "Microsoft.Sql/servers",
+ "Microsoft.Sql/servers/advancedThreatProtectionSettings",
+ "Microsoft.Sql/servers/advisors",
+ "Microsoft.Sql/servers/auditingPolicies",
+ "Microsoft.Sql/servers/auditingSettings",
+ "Microsoft.Sql/servers/connectionPolicies",
+ "Microsoft.Sql/servers/databases",
+ "Microsoft.Sql/servers/databases/advisors",
+ "Microsoft.Sql/servers/databases/advancedThreatProtectionSettings",
+ "Microsoft.Sql/servers/databases/auditingPolicies",
+ "Microsoft.Sql/servers/databases/auditingSettings",
+ "Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies",
+ "Microsoft.Sql/servers/databases/extendedAuditingSettings",
+ "Microsoft.Sql/servers/databases/geoBackupPolicies",
+ "Microsoft.Sql/servers/databases/ledgerDigestUploads",
+ "Microsoft.Sql/servers/databases/securityAlertPolicies",
+ "Microsoft.Sql/servers/databases/transparentDataEncryption",
+ "Microsoft.Sql/servers/databases/transparentDataEncryption",
+ "Microsoft.Sql/servers/databases/vulnerabilityAssessments",
+ "Microsoft.Sql/servers/devOpsAuditingSettings",
+ "Microsoft.Sql/servers/databases/advancedThreatProtectionSettings",
+ "Microsoft.Sql/servers/encryptionProtector",
+ "Microsoft.Sql/servers/extendedAuditingSettings",
+ "Microsoft.Sql/servers/firewallRules",
+ "Microsoft.Sql/servers/keys",
+ "Microsoft.Sql/servers/securityAlertPolicies",
+ "Microsoft.Sql/servers/sqlVulnerabilityAssessments",
+ "Microsoft.Sql/servers/vulnerabilityAssessments"
+ ]
+ },
+ "allowedVirtualMachineSKUs": {
+ "value": [
+ "Standard_DC1s_v2",
+ "Standard_DC2s_v2",
+ "Standard_DC4s_v2",
+ "Standard_DC8_v2",
+ "Standard_DC1s_v3",
+ "Standard_DC2s_v3",
+ "Standard_DC4s_v3",
+ "Standard_DC8s_v3",
+ "Standard_DC16s_v3",
+ "Standard_DC24s_v3",
+ "Standard_DC32s_v3",
+ "Standard_DC48s_v3",
+ "Standard_DC1ds_v3",
+ "Standard_DC2ds_v3",
+ "Standard_DC4ds_v3",
+ "Standard_DC8ds_v3",
+ "Standard_DC16ds_v3",
+ "Standard_DC24ds_v3",
+ "Standard_DC32ds_v3",
+ "Standard_DC48ds_v3",
+ "Standard_DC2ads_v5",
+ "Standard_DC2as_v5",
+ "Standard_DC4ads_v5",
+ "Standard_DC4as_v5",
+ "Standard_DC8ads_v5",
+ "Standard_DC8as_v5",
+ "Standard_DC16ads_v5",
+ "Standard_DC16as_v5",
+ "Standard_DC32ads_v5",
+ "Standard_DC32as_v5",
+ "Standard_DC48ads_v5",
+ "Standard_DC48as_v5",
+ "Standard_DC64ads_v5",
+ "Standard_DC64as_v5",
+ "Standard_DC96ads_v5",
+ "Standard_DC96as_v5",
+ "Standard_EC2ads_v5",
+ "Standard_EC2as_v5",
+ "Standard_EC4ads_v5",
+ "Standard_EC4as_v5",
+ "Standard_EC8ads_v5",
+ "Standard_EC8as_v5",
+ "Standard_EC16ads_v5",
+ "Standard_EC16as_v5",
+ "Standard_EC20ads_v5",
+ "Standard_EC20as_v5",
+ "Standard_EC32ads_v5",
+ "Standard_EC32as_v5",
+ "Standard_EC48ads_v5",
+ "Standard_EC48as_v5",
+ "Standard_EC64ads_v5",
+ "Standard_EC64as_v5",
+ "Standard_EC96ads_v5",
+ "Standard_EC96as_v5",
+ "Standard_EC96iads_v5",
+ "Standard_EC96ias_v5"
+ ]
+ },
+ "effect": {
+ "value": "Deny"
+ },
+ "listOfAllowedLocations": {
+ "value": [
+ "australiacentral",
+ "australiacentral2",
+ "australiaeast",
+ "australiasoutheast",
+ "brazilsouth",
+ "brazilsoutheast",
+ "brazilus",
+ "canadacentral",
+ "canadaeast",
+ "centralindia",
+ "centralus",
+ "centraluseuap",
+ "eastasia",
+ "eastus",
+ "eastus2",
+ "eastus2euap",
+ "eastusstg",
+ "francecentral",
+ "francesouth",
+ "germanynorth",
+ "germanywestcentral",
+ "israelcentral",
+ "italynorth",
+ "japaneast",
+ "japanwest",
+ "jioindiacentral",
+ "jioindiawest",
+ "koreacentral",
+ "koreasouth",
+ "northcentralus",
+ "northeurope",
+ "norwayeast",
+ "norwaywest",
+ "polandcentral",
+ "qatarcentral",
+ "southafricanorth",
+ "southafricawest",
+ "southcentralus",
+ "southcentralusstg",
+ "southeastasia",
+ "southindia",
+ "swedencentral",
+ "switzerlandnorth",
+ "switzerlandwest",
+ "uaecentral",
+ "uaenorth",
+ "uksouth",
+ "ukwest",
+ "westcentralus",
+ "westeurope",
+ "westindia",
+ "westus",
+ "westus2",
+ "westus3"
+ ]
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/03de05a4-c324-4ccd-882f-a814ea8ab9ea",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_sovereignty_baseline_global.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_sovereignty_baseline_global.tmpl.json
new file mode 100644
index 000000000..260d95197
--- /dev/null
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_enforce_sovereignty_baseline_global.tmpl.json
@@ -0,0 +1,80 @@
+{
+ "name": "Enforce-Sovereign-Global",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "The Microsoft Cloud for Sovereignty recommends global policies to help organizations achieve their sovereignty goals by default denying the creation of resources outside of approved regions. More details can be found here: https://aka.ms/SovereigntyBaselinePolicies",
+ "displayName": "[Preview]: Sovereignty Baseline - Global Policies",
+ "notScopes": [],
+ "parameters": {
+ "effect": {
+ "value": "Deny"
+ },
+ "listOfAllowedLocations": {
+ "value": [
+ "australiacentral",
+ "australiacentral2",
+ "australiaeast",
+ "australiasoutheast",
+ "brazilsouth",
+ "brazilsoutheast",
+ "brazilus",
+ "canadacentral",
+ "canadaeast",
+ "centralindia",
+ "centralus",
+ "centraluseuap",
+ "eastasia",
+ "eastus",
+ "eastus2",
+ "eastus2euap",
+ "eastusstg",
+ "francecentral",
+ "francesouth",
+ "germanynorth",
+ "germanywestcentral",
+ "israelcentral",
+ "italynorth",
+ "japaneast",
+ "japanwest",
+ "jioindiacentral",
+ "jioindiawest",
+ "koreacentral",
+ "koreasouth",
+ "northcentralus",
+ "northeurope",
+ "norwayeast",
+ "norwaywest",
+ "polandcentral",
+ "qatarcentral",
+ "southafricanorth",
+ "southafricawest",
+ "southcentralus",
+ "southcentralusstg",
+ "southeastasia",
+ "southindia",
+ "swedencentral",
+ "switzerlandnorth",
+ "switzerlandwest",
+ "uaecentral",
+ "uaenorth",
+ "uksouth",
+ "ukwest",
+ "westcentralus",
+ "westeurope",
+ "westindia",
+ "westus",
+ "westus2",
+ "westus3"
+ ]
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/c1cbff38-87c0-4b9f-9f70-035c7a3b5523",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}