Built-in Policy Release cf19f7a6 (#1327)

Co-authored-by: Azure Policy Bot <azgovpolicy@microsoft.com>
Azure · May 29, 2024 · 5db8926 · 5db8926
1 parent 05094af
commit 5db8926
Show file tree

Hide file tree

Showing 5 changed files with 15,566 additions and 6 deletions.
diff --git a/...olicies/policyDefinitions/Cosmos DB/Cosmos_NetworkRulesNoAzureDatacenterAccess_Audit.json b/...olicies/policyDefinitions/Cosmos DB/Cosmos_NetworkRulesNoAzureDatacenterAccess_Audit.json
@@ -0,0 +1,64 @@
+{
+  "properties": {
+    "displayName": "Azure Cosmos DB accounts should not allow traffic from all Azure data centers",
+    "policyType": "BuiltIn",
+    "mode": "Indexed",
+    "description": "Disallow the IP Firewall rule, '0.0.0.0', which allows for all traffic from any Azure data centers. Learn more at https://aka.ms/cosmosdb-firewall",
+    "metadata": {
+      "version": "1.0.0",
+      "category": "Cosmos DB"
+    },
+    "version": "1.0.0",
+    "parameters": {
+      "effect": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Policy Effect",
+          "description": "The desired effect of the policy."
+        },
+        "allowedValues": [
+          "Audit",
+          "Deny",
+          "Disabled"
+        ],
+        "defaultValue": "Audit"
+      }
+    },
+    "policyRule": {
+      "if": {
+        "allOf": [
+          {
+            "field": "type",
+            "equals": "Microsoft.DocumentDB/databaseAccounts"
+          },
+          {
+            "anyOf": [
+              {
+                "count": {
+                  "field": "Microsoft.DocumentDB/databaseAccounts/ipRules[*]",
+                  "where": {
+                    "field": "Microsoft.DocumentDB/databaseAccounts/ipRules[*].ipAddressOrRange",
+                    "equals": "0.0.0.0"
+                  }
+                },
+                "greaterOrEquals": 1
+              },
+              {
+                "field": "Microsoft.DocumentDB/databaseAccounts/ipRangeFilter",
+                "contains": "0.0.0.0"
+              }
+            ]
+          }
+        ]
+      },
+      "then": {
+        "effect": "[parameters('effect')]"
+      }
+    },
+    "versions": [
+      "1.0.0"
+    ]
+  },
+  "id": "/providers/Microsoft.Authorization/policyDefinitions/12339a85-a25c-4f17-9f82-4766f13f5c4c",
+  "name": "12339a85-a25c-4f17-9f82-4766f13f5c4c"
+}
diff --git a/...-policies/policyDefinitions/Monitoring/Batch_DeployDiagnosticLog_Deploy_LogAnalytics.json b/...-policies/policyDefinitions/Monitoring/Batch_DeployDiagnosticLog_Deploy_LogAnalytics.json
@@ -5,10 +5,10 @@
     "mode": "Indexed",
     "description": "Deploys the diagnostic settings for Batch Account to stream to a regional Log Analytics workspace when any Batch Account which is missing this diagnostic settings is created or updated.",
     "metadata": {
-      "version": "1.0.0",
+      "version": "1.1.0",
       "category": "Monitoring"
     },
-    "version": "1.0.0",
+    "version": "1.1.0",
     "parameters": {
       "effect": {
         "type": "string",
@@ -140,6 +140,10 @@
                         {
                           "category": "ServiceLog",
                           "enabled": "[parameters('logsEnabled')]"
+                        },
+                        {
+                          "category": "AuditLog",
+                          "enabled": "[parameters('logsEnabled')]"
                         }
                       ]
                     }
@@ -173,6 +177,7 @@
       }
     },
     "versions": [
+      "1.1.0",
       "1.0.0"
     ]
   },

diff --git a/built-in-policies/policySetDefinitions/Monitoring/AzureMonitor_VMSS_AMA_new.json b/built-in-policies/policySetDefinitions/Monitoring/AzureMonitor_VMSS_AMA_new.json
@@ -4,10 +4,10 @@
     "policyType": "BuiltIn",
     "description": "Enable Azure Monitor for the virtual machines scale set (VMSS) with AMA.",
     "metadata": {
-      "version": "1.0.0",
+      "version": "1.1.0",
       "category": "Monitoring"
     },
-    "version": "1.0.0",
+    "version": "1.1.0",
     "parameters": {
       "enableProcessesAndDependencies": {
         "type": "Boolean",
@@ -32,6 +32,26 @@
           true
         ]
       },
+      "restrictBringYourOwnUserAssignedIdentityToSubscription": {
+        "type": "Boolean",
+        "metadata": {
+          "displayName": "Restrict Bring Your Own User-Assigned Identity to Subscription",
+          "description": "Enable this to enforce the user assigned identity must exist in the same subscription as the virtual machine. When true, must provide User-Assigned Managed Identity Name and User-Assigned Managed Identity Resource Group Name parameters. When false, the parameter User Assigned Managed Identity Resource Id will be used instead."
+        },
+        "allowedValues": [
+          true,
+          false
+        ],
+        "defaultValue": true
+      },
+      "userAssignedIdentityResourceId": {
+        "type": "String",
+        "metadata": {
+          "displayName": "User-Assigned Managed Identity Resource ID",
+          "description": "The resource ID of the pre-created user-assigned managed identity. This parameter is only used when the restrict Bring Your Own User-Assigned Identity To Subscription parameter is false."
+        },
+        "defaultValue": ""
+      },
       "userAssignedManagedIdentityName": {
         "type": "String",
         "metadata": {
@@ -106,6 +126,12 @@
           "bringYourOwnUserAssignedManagedIdentity": {
             "value": "[parameters('bringYourOwnUserAssignedManagedIdentity')]"
           },
+          "restrictBringYourOwnUserAssignedIdentityToSubscription": {
+            "value": "[parameters('restrictBringYourOwnUserAssignedIdentityToSubscription')]"
+          },
+          "userAssignedIdentityResourceId": {
+            "value": "[parameters('userAssignedIdentityResourceId')]"
+          },
           "userAssignedIdentityName": {
             "value": "[parameters('userAssignedManagedIdentityName')]"
           },
@@ -128,6 +154,12 @@
           "bringYourOwnUserAssignedManagedIdentity": {
             "value": "[parameters('bringYourOwnUserAssignedManagedIdentity')]"
           },
+          "restrictBringYourOwnUserAssignedIdentityToSubscription": {
+            "value": "[parameters('restrictBringYourOwnUserAssignedIdentityToSubscription')]"
+          },
+          "userAssignedIdentityResourceId": {
+            "value": "[parameters('userAssignedIdentityResourceId')]"
+          },
           "userAssignedManagedIdentityName": {
             "value": "[parameters('userAssignedManagedIdentityName')]"
           },
@@ -153,6 +185,12 @@
           "bringYourOwnUserAssignedManagedIdentity": {
             "value": "[parameters('bringYourOwnUserAssignedManagedIdentity')]"
           },
+          "restrictBringYourOwnUserAssignedIdentityToSubscription": {
+            "value": "[parameters('restrictBringYourOwnUserAssignedIdentityToSubscription')]"
+          },
+          "userAssignedIdentityResourceId": {
+            "value": "[parameters('userAssignedIdentityResourceId')]"
+          },
           "userAssignedManagedIdentityName": {
             "value": "[parameters('userAssignedManagedIdentityName')]"
           },
@@ -227,6 +265,7 @@
       }
     ],
     "versions": [
+      "1.1.0",
       "1.0.0"
     ]
   },

diff --git a/built-in-policies/policySetDefinitions/Monitoring/AzureMonitor_VM_AMA_new.json b/built-in-policies/policySetDefinitions/Monitoring/AzureMonitor_VM_AMA_new.json
@@ -4,10 +4,10 @@
     "policyType": "BuiltIn",
     "description": "Enable Azure Monitor for the virtual machines (VMs) with AMA.",
     "metadata": {
-      "version": "1.0.0",
+      "version": "1.1.0",
       "category": "Monitoring"
     },
-    "version": "1.0.0",
+    "version": "1.1.0",
     "parameters": {
       "enableProcessesAndDependencies": {
         "type": "Boolean",
@@ -32,6 +32,26 @@
           true
         ]
       },
+      "restrictBringYourOwnUserAssignedIdentityToSubscription": {
+        "type": "Boolean",
+        "metadata": {
+          "displayName": "Restrict Bring Your Own User-Assigned Identity to Subscription",
+          "description": "Enable this to enforce the user assigned identity must exist in the same subscription as the virtual machine. When true, must provide User-Assigned Managed Identity Name and User-Assigned Managed Identity Resource Group Name parameters. When false, the parameter User Assigned Managed Identity Resource Id will be used instead."
+        },
+        "allowedValues": [
+          true,
+          false
+        ],
+        "defaultValue": true
+      },
+      "userAssignedIdentityResourceId": {
+        "type": "String",
+        "metadata": {
+          "displayName": "User-Assigned Managed Identity Resource ID",
+          "description": "The resource ID of the pre-created user-assigned managed identity. This parameter is only used when the restrict Bring Your Own User-Assigned Identity To Subscription parameter is false."
+        },
+        "defaultValue": ""
+      },
       "userAssignedManagedIdentityName": {
         "type": "String",
         "metadata": {
@@ -106,6 +126,12 @@
           "bringYourOwnUserAssignedManagedIdentity": {
             "value": "[parameters('bringYourOwnUserAssignedManagedIdentity')]"
           },
+          "restrictBringYourOwnUserAssignedIdentityToSubscription": {
+            "value": "[parameters('restrictBringYourOwnUserAssignedIdentityToSubscription')]"
+          },
+          "userAssignedIdentityResourceId": {
+            "value": "[parameters('userAssignedIdentityResourceId')]"
+          },
           "userAssignedIdentityName": {
             "value": "[parameters('userAssignedManagedIdentityName')]"
           },
@@ -128,6 +154,12 @@
           "bringYourOwnUserAssignedManagedIdentity": {
             "value": "[parameters('bringYourOwnUserAssignedManagedIdentity')]"
           },
+          "restrictBringYourOwnUserAssignedIdentityToSubscription": {
+            "value": "[parameters('restrictBringYourOwnUserAssignedIdentityToSubscription')]"
+          },
+          "userAssignedIdentityResourceId": {
+            "value": "[parameters('userAssignedIdentityResourceId')]"
+          },
           "userAssignedManagedIdentityName": {
             "value": "[parameters('userAssignedManagedIdentityName')]"
           },
@@ -153,6 +185,12 @@
           "bringYourOwnUserAssignedManagedIdentity": {
             "value": "[parameters('bringYourOwnUserAssignedManagedIdentity')]"
           },
+          "restrictBringYourOwnUserAssignedIdentityToSubscription": {
+            "value": "[parameters('restrictBringYourOwnUserAssignedIdentityToSubscription')]"
+          },
+          "userAssignedIdentityResourceId": {
+            "value": "[parameters('userAssignedIdentityResourceId')]"
+          },
           "userAssignedManagedIdentityName": {
             "value": "[parameters('userAssignedManagedIdentityName')]"
           },
@@ -227,6 +265,7 @@
       }
     ],
     "versions": [
+      "1.1.0",
       "1.0.0"
     ]
   },